State-sponsored attackers hijacked the software update mechanism of the popular code editor Notepad++ for roughly six months, steering selected users to malicious servers that installed spyware. The project’s maintainer, Don Ho, confirmed the incident on February 2 and attributed the attack to a Chinese cyber-espionage group tracked as Lotus Blossom.
Scope and Impact
The compromise lasted from June 2025 through December 2025. Unlike mass-distribution malware events, this campaign was highly targeted. Security researchers indicate the attackers selectively redirected traffic to infect specific organizations in the telecommunications and financial sectors, primarily within East Asia.
While the exact number of victims remains unclear, the attackers used the compromised infrastructure to distribute a custom backdoor dubbed “Chrysalis.” The malware gave the threat actors persistent access to victim networks, the ability to execute commands, and a channel to exfiltrate sensitive data.
How the Attack Happened
The hackers did not find a vulnerability in the Notepad++ application code itself. Instead, they compromised the project’s third-party hosting provider. By gaining access to the underlying infrastructure, the attackers intercepted traffic destined for the getDownloadUrl.php script—the component responsible for telling the Notepad++ updater where to find the latest software version.
The attackers modified the server’s responses so that, for selected clients only, the download location pointed at attacker-controlled servers. Those servers delivered a trojanized copy of the Notepad++ installer.
The attack succeeded because older versions of the Notepad++ updater, WinGUp, did not strictly validate the installer’s digital signature or check that the signing certificate matched the expected publisher before launching it. Because the updater trusted whatever location the server named and ran the result, the trojanized installer executed without triggering warnings on the victim’s machine.
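To make the weakness and the fix concrete, here is an added example (not Notepad++ or WinGUp code, and not from the original article): a minimal update client in Go that models the pre-fix behaviour beside a hardened decision routine. The XML element names, the host allowlist, the use of a detached Ed25519 signature in place of XMLDSig and Authenticode, the version string, and the 203.0.113.10 address are all assumptions for the demo, not details from the incident.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Manifest mirrors the shape of a getDownloadUrl.php reply. The element names
// are an assumption for this demo; the real WinGUp reply and its XMLDSig
// envelope are not reproduced here.
type Manifest struct {
	XMLName         xml.Name `xml:"GUP"`
	NeedToBeUpdated string   `xml:"NeedToBeUpdated"`
	Version         string   `xml:"Version"`
	Location        string   `xml:"Location"`
}

// Constructed sample reply (not captured traffic).
const legitReply = `<?xml version="1.0"?>
<GUP>
  <NeedToBeUpdated>yes</NeedToBeUpdated>
  <Version>8.8.5</Version>
  <Location>https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.8.5/npp.8.8.5.Installer.x64.exe</Location>
</GUP>`

// Same reply with Location rewritten to an attacker host. 203.0.113.10 is an
// RFC 5737 documentation address, not a real indicator.
const tamperedReply = `<?xml version="1.0"?>
<GUP>
  <NeedToBeUpdated>yes</NeedToBeUpdated>
  <Version>8.8.5</Version>
  <Location>https://203.0.113.10/npp.8.8.5.Installer.x64.exe</Location>
</GUP>`

// allowedHosts: where a genuine installer may be fetched from (assumption).
var allowedHosts = map[string]bool{
	"github.com":            true,
	"notepad-plus-plus.org": true,
}

func parseManifest(body []byte) (Manifest, error) {
	var m Manifest
	if err := xml.Unmarshal(body, &m); err != nil {
		return m, fmt.Errorf("malformed manifest: %w", err)
	}
	return m, nil
}

// weakDecide models the pre-fix behaviour: whatever Location the server
// returns is where the installer is fetched from, with no integrity check
// on the reply itself.
func weakDecide(body []byte) (string, error) {
	m, err := parseManifest(body)
	if err != nil || m.NeedToBeUpdated != "yes" {
		return "", err
	}
	return m.Location, nil
}

// hardenedDecide refuses a reply unless (1) a detached signature over the exact
// bytes verifies under a key compiled into the client, (2) the download URL
// uses HTTPS, and (3) its host is on the allowlist. Checks 2 and 3 are defence
// in depth: they hold even if the signature check were wrong or bypassed.
func hardenedDecide(body, sig []byte, pub ed25519.PublicKey) (string, error) {
	if !ed25519.Verify(pub, body, sig) {
		return "", errors.New("manifest signature invalid: reply not from publisher")
	}
	m, err := parseManifest(body)
	if err != nil || m.NeedToBeUpdated != "yes" {
		return "", err
	}
	u, err := url.Parse(m.Location)
	if err != nil || u.Scheme != "https" {
		return "", fmt.Errorf("download location must be https: %q", m.Location)
	}
	if !allowedHosts[strings.ToLower(u.Hostname())] {
		return "", fmt.Errorf("download host %q not on allowlist", u.Hostname())
	}
	return m.Location, nil
}

func main() {
	// Demo key pair generated on the fly; a real client pins the publisher's key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	goodSig := ed25519.Sign(priv, []byte(legitReply))

	loc, _ := weakDecide([]byte(tamperedReply))
	fmt.Println("weak updater would download from:", loc)

	// The attacker rewrote the reply but cannot re-sign it: rejected.
	_, err = hardenedDecide([]byte(tamperedReply), goodSig, pub)
	fmt.Println("hardened, tampered reply:", err)

	// Even a validly signed reply must point at an allowlisted host.
	_, err = hardenedDecide([]byte(tamperedReply), ed25519.Sign(priv, []byte(tamperedReply)), pub)
	fmt.Println("hardened, signed but off-allowlist:", err)

	loc, err = hardenedDecide([]byte(legitReply), goodSig, pub)
	fmt.Println("hardened, genuine reply:", loc, err)
}
```

The real fix in the updater is to verify the XMLDSig over the reply and the Authenticode signature and publisher of the downloaded installer; Ed25519 stands in for that machinery here so the example runs offline. The second rejection is the point to take away: a host allowlist catches the redirect even when signature checking is wrong or bypassed, which is why both checks belong in a client.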
Technical Breakdown
Duration: June 2025 – December 2, 2025.
Vector: Infrastructure-level compromise at the hosting provider.
Malware: “Chrysalis” backdoor injected via DLL sideloading in a legitimate-looking process.
Targeting: Selective redirection based on IP address and organization.
Mitigation and Immediate Action
The Notepad++ team has migrated the website to a new hosting provider with stricter security controls. Additionally, the update mechanism has been hardened in the latest releases to prevent similar redirection attacks.
Information security professionals should take the following steps immediately:
Update Immediately: Ensure all deployments of Notepad++ are updated to version 8.9.1 or later.
Verify Signatures: The latest versions enforce strict validation of the digital certificate of the downloaded installer and of the XML signature (XMLDSig) on update responses.
Hunt for IOCs: Scan endpoints for the “Chrysalis” backdoor and for unexpected connections to unknown IP addresses initiated by gup.exe (the WinGUp updater binary) or notepad++.exe between June and December 2025.
Audit Logs: Review network logs for traffic redirected from notepad-plus-plus.org to unrecognized domains during the exposure window.
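An added hunting example for the two log checks above, not from the original article and not Notepad++ code: Go that runs both rules over a constructed line-per-request telemetry format (timestamp, client, process image, method, URL, status), as an EDR or proxy sensor might export it. The format, the host allowlist, the ten-minute correlation window, and every address in the sample are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"sort"
	"strings"
	"time"
)

// Constructed telemetry (not real traffic), one request per line:
// timestamp client process method url status. A "-" process means the sensor
// did not record the image. 203.0.113.10 is an RFC 5737 documentation
// address standing in for an attacker host.
const sampleLog = `
2025-05-20T08:00:11Z 10.0.4.21 gup.exe GET https://notepad-plus-plus.org/update/getDownloadUrl.php?version=8.7.9&param=x64 200
2025-05-20T08:00:12Z 10.0.4.21 gup.exe GET https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.8.1/npp.8.8.1.Installer.x64.exe 200
2025-08-14T09:12:02Z 10.0.4.21 gup.exe GET https://notepad-plus-plus.org/update/getDownloadUrl.php?version=8.8.1&param=x64 200
2025-08-14T09:12:03Z 10.0.4.21 gup.exe GET https://203.0.113.10/npp.8.8.5.Installer.x64.exe 200
2025-08-14T09:30:00Z 10.0.4.22 chrome.exe GET https://203.0.113.10/ 200
2025-09-02T14:05:40Z 10.0.4.30 gup.exe GET https://notepad-plus-plus.org/update/getDownloadUrl.php?version=8.8.1&param=x64 200
2025-09-02T14:05:41Z 10.0.4.30 gup.exe GET https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.8.5/npp.8.8.5.Installer.x64.exe 200
2025-10-07T11:20:05Z 10.0.4.40 - GET https://notepad-plus-plus.org/update/getDownloadUrl.php?version=8.8.1&param=x64 200
2025-10-07T11:20:06Z 10.0.4.40 - GET https://203.0.113.10/npp.8.8.5.Installer.x64.exe 200
`

type Event struct {
	Time    time.Time
	Client  string
	Process string
	Host    string
	Path    string
}

type Finding struct {
	Event  Event
	Reason string
}

var (
	// Exposure window from the article: June 2025 through December 2, 2025.
	windowStart  = time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)
	windowEnd    = time.Date(2025, 12, 3, 0, 0, 0, 0, time.UTC) // exclusive
	updaterProcs = map[string]bool{"gup.exe": true, "notepad++.exe": true}
	// Hosts a genuine update may legitimately touch (assumption).
	allowedHosts = map[string]bool{
		"notepad-plus-plus.org":         true,
		"github.com":                    true,
		"objects.githubusercontent.com": true,
	}
)

// parseLog turns the flat text into events, skipping blank or short lines.
func parseLog(raw string) ([]Event, error) {
	var events []Event
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 6 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp %q: %w", f[0], err)
		}
		u, err := url.Parse(f[4])
		if err != nil {
			return nil, fmt.Errorf("bad url %q: %w", f[4], err)
		}
		events = append(events, Event{ts, f[1], strings.ToLower(f[2]), strings.ToLower(u.Hostname()), u.Path})
	}
	return events, nil
}

// hunt applies two rules inside the exposure window to requests whose host is
// off the allowlist: (1) the request came from the updater process; (2) the
// sensor lacks process data, but the same client hit getDownloadUrl.php within
// the last ten minutes and is now fetching an executable.
func hunt(events []Event) []Finding {
	sort.Slice(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })
	lastCheck := map[string]time.Time{} // client -> most recent update check
	var out []Finding
	for _, e := range events {
		if e.Host == "notepad-plus-plus.org" && strings.HasSuffix(e.Path, "/getDownloadUrl.php") {
			lastCheck[e.Client] = e.Time
			continue
		}
		if e.Time.Before(windowStart) || !e.Time.Before(windowEnd) || allowedHosts[e.Host] {
			continue
		}
		if updaterProcs[e.Process] {
			out = append(out, Finding{e, "updater process fetched from host outside allowlist"})
			continue
		}
		if t, ok := lastCheck[e.Client]; ok && e.Time.Sub(t) <= 10*time.Minute &&
			strings.HasSuffix(strings.ToLower(e.Path), ".exe") {
			out = append(out, Finding{e, "executable fetched within 10 min of an update check, host outside allowlist"})
		}
	}
	return out
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range hunt(events) {
		fmt.Printf("%s %s %s -> %s: %s\n", f.Event.Time.Format(time.RFC3339), f.Event.Client, f.Event.Process, f.Event.Host, f.Reason)
	}
}
```

Process attribution only exists where the sensor records it; the second rule covers plain proxy logs by correlating timing with the update check. The May entries fall outside the window and the chrome.exe request has no preceding update check, so neither produces a finding. Tune the window and allowlist to your environment, and treat a hit as a lead to triage on the endpoint, not as a confirmed infection.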
Attribution and Response
Multiple cybersecurity firms, including Rapid7 and Kaspersky, linked the tactics, techniques, and procedures (TTPs) used in this breach to Chinese state-sponsored actors. The specific targeting of East Asian infrastructure aligns with the known geopolitical objectives of the Lotus Blossom group.
“The compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself,” Don Ho stated in the disclosure. He noted that while the attackers lost server access in September, they retained credentials for internal services that allowed them to continue the redirection until December.