Full Report
The Chinese APT group Lotus Blossom broke into the tool’s internal systems to snoop on a limited set of users’ activities, according to researchers. The post "China-based espionage group compromised Notepad++ for six months" appeared first on CyberScoop.
Analysis Summary
# Threat Actor: Lotus Blossom
## Attribution & Identity
**Identification:** Chinese APT group.
**Aliases:** Billbug, Thrip, Raspberry Typhoon.
**Known Associations:** State-sponsored group believed to be operating for almost two decades (active since at least 2009).
## Activity Summary
Lotus Blossom compromised internal systems of the popular open-source code editor Notepad++ for roughly six months, from June 2025 until access was cut off on December 2, 2025. The objective was espionage, specifically to "snoop on a select group of targeted users’ activities." Using hijacked update credentials, the attackers redirected Notepad++ update traffic to servers they controlled; the selective targeting implies that only a small set of users actually received a tampered update, although the source does not describe how those users were chosen. Researchers found no evidence of bulk data exfiltration, consistent with highly selective access. Access was ultimately disrupted, and the linked infrastructure is no longer active.
## Tactics, Techniques & Procedures
- **Initial Access/Technique Exploitation:** Exploited "insufficient update verification controls" in older versions of Notepad++: once update traffic had been redirected, the updater client did not adequately verify what it downloaded, so the attackers could hijack both the updater and the affected users' update traffic.
- **Persistence:** Established persistence on compromised hosts (the specific mechanism is not described in the source).
- **Execution:** Deployed various payloads, including a custom backdoor.
- **Reconnaissance:** Conducted system profiling.
- **Command & Control:** Remote command execution on compromised hosts (the C2 infrastructure is not identified in the source beyond the redirected update servers).
- **General Tradecraft:** Showed resilience and stealth consistent with long-term espionage access.
- **MITRE ATT&CK IDs:** Not explicitly given in the source. The behaviour described maps most naturally to T1195.002 (Supply Chain Compromise: Compromise Software Supply Chain) for the tampered update channel and T1082 (System Information Discovery) for the system profiling; treat these as an editorial mapping, not a researcher attribution.
## Targeting
- **Sectors:** Developers, IT administrators, engineers, and analysts, including those working in government, telecom, critical infrastructure, and media (inferred from Notepad++ user base).
- **Geography:** China-based actor; the geographic distribution of victims is not given in the source, only that they were reached through the Notepad++ update channel.
- **Victims:** A "limited set of users" within the Notepad++ user base; no specific organizations named.
## Tools & Infrastructure
- **Malware Families Used:** Custom backdoor.
- **Infrastructure (C2, domains, IPs):** Redirected Notepad++ update traffic to malicious servers. Known associated infrastructure from the campaign is reported as no longer active. (No specific defanged URLs/IPs provided in the source text).
## Implications
The intrusion demonstrates a sophisticated, state-sponsored actor capable of maintaining long-term, stealthy access to widely used software development infrastructure. The objective was strategic intelligence collection via targeted snooping rather than mass data theft or immediate financial gain. The compromise highlights the supply chain risk associated with widely adopted open-source tools.
## Mitigations
- Update Notepad++ immediately to a current release; the update addresses the authentication weaknesses and the insufficient update verification controls, and users still on older versions should update as a precaution even if they see no sign of compromise.
- Organizations should review systems that ran older Notepad++ versions between June and December 2025 for signs of long-term espionage access: unexpected persistence mechanisms, system profiling activity, and remote command execution. Where proxy or DNS logs cover that window, Notepad++ update requests that resolved to hosts other than the official update infrastructure are worth a look.
- Strengthen update verification for software dependencies and third-party tools: an updater should verify a signature over the update metadata with a publisher key pinned in the client, and check the downloaded binary against the hash in that metadata, rather than trusting whatever the update server returns. Redirecting update traffic alone is then not enough to deliver a malicious payload.
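The "insufficient update verification controls" listed under Tactics, Techniques & Procedures and the last mitigation above come down to the same check, so one added example serves both. It is editor-written illustration, not the Notepad++ updater and not code from the researchers. The update format it uses (a JSON manifest carrying the installer's SHA-256, an Ed25519 signature over the manifest, and a publisher public key pinned in the client) is an assumption of this example, not a description of how Notepad++ updates work; the type and function names (`Manifest`, `UpdateResponse`, `weakApply`, `hardenedApply`, `signRelease`, `Simulate`) are hypothetical, and the installer contents are constructed stand-ins. It contrasts an updater that trusts whatever the server returns with one that verifies the content, against a genuine release and two variants a redirected update server could serve.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the hypothetical update metadata served alongside an installer:
// the version on offer and the hex SHA-256 of the installer bytes.
type Manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"`
}

// UpdateResponse is what an update server, legitimate or hijacked, hands the client.
type UpdateResponse struct {
	ManifestJSON []byte // serialized Manifest
	Signature    []byte // ed25519 signature over ManifestJSON
	Installer    []byte // installer bytes
}

var errUntrusted = errors.New("update rejected: verification failed")

// weakApply is the flawed pattern: whatever the update server returns is applied,
// so redirecting the update channel is enough to deliver a payload.
func weakApply(resp UpdateResponse) ([]byte, error) { return resp.Installer, nil }

// hardenedApply verifies the manifest signature with a publisher key pinned in the
// client, then checks the installer against the manifest hash. Passing it requires
// the publisher's signing key, not just control of the server the client talks to.
func hardenedApply(pinned ed25519.PublicKey, resp UpdateResponse) ([]byte, error) {
	if !ed25519.Verify(pinned, resp.ManifestJSON, resp.Signature) {
		return nil, errUntrusted
	}
	var m Manifest
	if err := json.Unmarshal(resp.ManifestJSON, &m); err != nil {
		return nil, errUntrusted
	}
	want, err := hex.DecodeString(m.SHA256)
	if err != nil {
		return nil, errUntrusted
	}
	if sum := sha256.Sum256(resp.Installer); !bytes.Equal(sum[:], want) {
		return nil, errUntrusted
	}
	return resp.Installer, nil
}

// signRelease is the publisher's release step: hash the installer, put the hash in
// the manifest, sign the manifest. The private key stays with the publisher.
func signRelease(priv ed25519.PrivateKey, version string, installer []byte) UpdateResponse {
	sum := sha256.Sum256(installer)
	mj, _ := json.Marshal(Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])})
	return UpdateResponse{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Installer: installer}
}

// Outcome records whether each updater accepted a response.
type Outcome struct{ WeakAccepted, HardenedAccepted bool }

func evaluate(pinned ed25519.PublicKey, resp UpdateResponse) Outcome {
	_, werr := weakApply(resp)
	_, herr := hardenedApply(pinned, resp)
	return Outcome{WeakAccepted: werr == nil, HardenedAccepted: herr == nil}
}

// Simulate builds one legitimate release and two hijacked variants and reports how
// each updater treats them. Keys are generated per run; installers are constructed
// stand-ins, not real binaries.
func Simulate() (legit, swappedInstaller, attackerSigned Outcome) {
	publisherPub, publisherPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed stand-in for the genuine installer")
	backdoored := []byte("constructed stand-in for a backdoored installer")

	good := signRelease(publisherPriv, "1.2.3", genuine)

	// Hijack 1: the redirected server replays the publisher's signed manifest but
	// swaps the installer bytes. The signature still verifies; the hash does not.
	swapped := good
	swapped.Installer = backdoored

	// Hijack 2: the redirected server serves its own manifest for the backdoored
	// installer, signed with the attacker's key. The pinned-key check fails.
	resigned := signRelease(attackerPriv, "1.2.4", backdoored)

	return evaluate(publisherPub, good), evaluate(publisherPub, swapped), evaluate(publisherPub, resigned)
}

func main() {
	legit, swapped, resigned := Simulate()
	fmt.Printf("legitimate release: %+v\nswapped installer: %+v\nattacker-signed: %+v\n", legit, swapped, resigned)
}
```

The weak updater accepts all three responses; the hardened one accepts only the genuine release. Two caveats a practitioner would add: the check does nothing against an attacker who obtains the publisher's signing key, so that key must be kept off the update hosting and build systems; and as written it does not reject an older, genuinely signed release replayed by the attacker, so a real updater should also refuse any manifest whose version is not newer than the installed one.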