Unit 42 revealed that Lotus Blossom, a state-sponsored group, compromised Notepad++’s shared hosting to hijack update traffic and deliver targeted malicious updates between June and December 2025. The attackers used an Adversary-in-the-Middle capability to selectively serve payloads—deploying the Chrysalis backdoor via DLL side-loading or a Cobalt Strike Beacon via injected Lua scripts—to high-value targets in Southeast Asia and beyond. #LotusBlossom #Chrysalis
Key points
- Lotus Blossom hijacked Notepad++ update traffic by compromising its hosting provider rather than tampering with the build pipeline.
- The adversaries dynamically fingerprinted requests to selectively deliver malicious updates only to priority targets (Adversary-in-the-Middle).
- Infection chains included DLL side-loading to run the Chrysalis backdoor and Lua script injection to deploy a Cobalt Strike Beacon.
- Primary victims were in Southeast Asia across government, telecommunications, and critical infrastructure, with additional targets in the Americas and Europe.
- Notepad++ migrated hosting and tightened updater signature checks; users are urged to update to version 8.9.1 or later immediately.
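The lesson of this incident is that TLS and a trusted download host are not enough: once the hosting provider is compromised, the attacker controls the bytes the updater receives, and only a signature under a key pinned in the client can distinguish a genuine update from a substituted one. The following is an added example (not Notepad++'s updater or Unit 42's code) of the check a hardened updater performs before executing anything it downloaded. The manifest format, the Ed25519 keys derived from fixed seeds, the installer bytes and the version strings are all constructed for illustration; it generalizes the "tightened signature checks" mitigation to any self-updating client.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Constructed 32-byte seeds standing in for (a) the vendor's signing key, whose
// public half a hardened updater pins in its binary, and (b) a key an attacker
// controls. Hypothetical values; neither is a real project key.
var vendorPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
var vendorPub = vendorPriv.Public().(ed25519.PublicKey)
var attackerPriv = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x99}, ed25519.SeedSize))

// UpdateManifest is fetched alongside the installer. Only the vendor's signing
// key can produce a Signature that verifies under the pinned public key.
type UpdateManifest struct {
	Version   string
	SHA256    string // hex SHA-256 of the installer bytes
	Signature []byte // Ed25519 signature over version and digest
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrDigestMismatch = errors.New("installer bytes do not match the digest in the signed manifest")
	ErrNotNewer       = errors.New("offered version is not newer than the installed version")
)

// manifestMessage binds version and digest into one signed message, with a
// domain separator so the signature cannot be reused for another purpose.
func manifestMessage(version, digest string) []byte {
	return []byte("update-manifest-v1|" + version + "|" + digest)
}

func digestOf(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the vendor's build-side step (constructed for this example).
func SignManifest(priv ed25519.PrivateKey, version string, installer []byte) UpdateManifest {
	d := digestOf(installer)
	return UpdateManifest{Version: version, SHA256: d, Signature: ed25519.Sign(priv, manifestMessage(version, d))}
}

// IsNewer compares dotted numeric versions, e.g. "8.9.1" is newer than "8.9".
// Refusing non-newer versions blocks replay of an older, signed-but-vulnerable build.
func IsNewer(offered, installed string) bool {
	a, b := strings.Split(offered, "."), strings.Split(installed, ".")
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x, _ = strconv.Atoi(a[i])
		}
		if i < len(b) {
			y, _ = strconv.Atoi(b[i])
		}
		if x != y {
			return x > y
		}
	}
	return false
}

// VerifyUpdate is the client-side gate: the manifest must verify under the
// pinned key, the downloaded bytes must match its digest, and the version must
// move forward. The order matters: nothing is trusted until the signature holds.
func VerifyUpdate(pub ed25519.PublicKey, installed string, m UpdateManifest, installer []byte) error {
	if !ed25519.Verify(pub, manifestMessage(m.Version, m.SHA256), m.Signature) {
		return ErrBadSignature
	}
	if digestOf(installer) != m.SHA256 {
		return ErrDigestMismatch
	}
	if !IsNewer(m.Version, installed) {
		return ErrNotNewer
	}
	return nil
}

func main() {
	genuine := []byte("constructed genuine installer bytes")
	m := SignManifest(vendorPriv, "8.9.1", genuine)
	fmt.Println("genuine update:", VerifyUpdate(vendorPub, "8.8", m, genuine))

	// Hosting compromise: the signed manifest is untouched but the installer is swapped in transit.
	swapped := []byte("constructed installer carrying a side-loaded DLL")
	fmt.Println("swapped installer:", VerifyUpdate(vendorPub, "8.8", m, swapped))

	// The attacker instead serves a manifest re-signed with their own key.
	forged := SignManifest(attackerPriv, "8.9.2", swapped)
	fmt.Println("forged manifest:", VerifyUpdate(vendorPub, "8.8", forged, swapped))
}
```

The genuine update passes; the swapped installer fails on the digest, and the attacker-signed manifest fails on the signature, because the client pins the vendor's public key rather than trusting whatever the host serves. An updater that only compared a hash fetched from the same compromised host, or that relied on TLS alone, would accept both malicious cases.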
Read More: https://securityonline.info/trusted-tool-weaponized-lotus-blossom-hijacks-notepad-updates/