Overview
- Notepad++ said attackers intercepted update requests between June and December 2, 2025; the attackers lost direct server access on September 2 but kept redirecting update requests using stolen credentials.
- Rapid7 attributed the campaign to the China-linked Lotus Blossom group and detailed a custom backdoor dubbed Chrysalis delivered via NSIS installers and DLL sideloading of a renamed Bitdefender tool.
- The activity was highly selective, with only certain users receiving malicious manifests; early reports cited telecom and financial organizations with interests in East Asia.
- The project migrated to a new hosting provider and hardened WinGUp to verify installer certificates and signatures, with signed update metadata and enforcement planned for version 8.9.2.
- The former host reported no evidence of other customers being targeted, said credentials were rotated and vulnerabilities patched, and investigators have published indicators and detection guidance.
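The hardening described above (verify the installer's signature and sign the update metadata itself) is what stops an attacker who controls the update path from substituting an installer. The following Go program is an added illustration and is not WinGUp's code: it models an update client that pins the publisher's public key, verifies a signature over the manifest, and then checks the downloaded installer's SHA-256 against the hash the manifest carries before the installer may run. The manifest field names, the use of Ed25519 instead of Authenticode certificates, and the fixed key seed are all assumptions made for the example; the three scenarios (legitimate update, manifest re-signed with an attacker's key, installer swapped under a valid manifest) are constructed inputs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is an assumed update-manifest shape, not WinGUp's real format.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex digest the installer must match
}

// SignedManifest carries the manifest bytes and a detached signature over them.
type SignedManifest struct {
	Payload   []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under the pinned publisher key")
	ErrHashMismatch = errors.New("installer hash does not match the signed manifest")
)

// SignManifest is the publisher-side step: serialize and sign the manifest.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	payload, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyUpdate is the client-side gate. The publisher key is pinned in the
// client, so a manifest served from a hijacked update path cannot be re-signed
// by the attacker, and an installer that does not hash to the signed value is
// refused even when the manifest itself is genuine.
func VerifyUpdate(pub ed25519.PublicKey, sm SignedManifest, installer []byte) (Manifest, error) {
	if !ed25519.Verify(pub, sm.Payload, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Payload, &m); err != nil {
		return Manifest{}, err
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, ErrHashMismatch
	}
	return m, nil
}

func keyFromSeed(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	// Fixed seeds keep the example deterministic; real keys come from a CSPRNG.
	s := make([]byte, ed25519.SeedSize)
	for i := range s {
		s[i] = seed
	}
	priv := ed25519.NewKeyFromSeed(s)
	return priv.Public().(ed25519.PublicKey), priv
}

// Demo runs three constructed scenarios and returns the verifier's verdict on each.
func Demo() (legit, forgedManifest, swappedInstaller error) {
	pubPublisher, privPublisher := keyFromSeed(0x11) // pinned in the client
	_, privAttacker := keyFromSeed(0x99)             // key the attacker controls

	installer := []byte("constructed installer bytes v8.9.2")
	sum := sha256.Sum256(installer)
	good := Manifest{Version: "8.9.2", URL: "https://example.invalid/npp.exe", SHA256: hex.EncodeToString(sum[:])}

	// 1. Legitimate manifest and matching installer.
	sm, err := SignManifest(privPublisher, good)
	if err != nil {
		return err, err, err
	}
	_, legit = VerifyUpdate(pubPublisher, sm, installer)

	// 2. Attacker on the update path serves a manifest for their own binary,
	//    signed with their own key. The pinned key rejects it.
	evilInstaller := []byte("constructed attacker installer")
	evilSum := sha256.Sum256(evilInstaller)
	evil := Manifest{Version: "8.9.2", URL: "https://example.invalid/npp.exe", SHA256: hex.EncodeToString(evilSum[:])}
	smEvil, _ := SignManifest(privAttacker, evil)
	_, forgedManifest = VerifyUpdate(pubPublisher, smEvil, evilInstaller)

	// 3. Genuine signed manifest, but the installer download was replaced.
	_, swappedInstaller = VerifyUpdate(pubPublisher, sm, evilInstaller)
	return legit, forgedManifest, swappedInstaller
}

func main() {
	legit, forged, swapped := Demo()
	fmt.Println("legitimate update:", legit)
	fmt.Println("attacker-signed manifest:", forged)
	fmt.Println("swapped installer:", swapped)
}
```

The order of the two checks matters: the signature is verified before the manifest is parsed, so an attacker who controls the update path never gets untrusted metadata into the parser, and the hash check ties the specific bytes that will execute to the metadata the publisher actually signed.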