Lotus Blossom Hacking Group Exploits Notepad++ Hosting Breach to Deploy Chrysalis Backdoor
Summary
The China-linked Lotus Blossom hacking group exploited a hosting provider breach to deliver a previously undocumented backdoor, Chrysalis, to Notepad++ users. The attack, which occurred between June and December 2025, involved hijacking update traffic and exploiting insufficient update verification controls in older versions of the software. The group used a multi-layered shellcode loader and integrated undocumented system calls to enhance stealth and resilience. The breach was discovered and mitigated in December 2025, with Notepad++ migrating to a new hosting provider and rotating all credentials. The Chrysalis backdoor is a feature-rich implant capable of gathering system information, executing commands, and maintaining persistence. It communicates with a command-and-control (C2) server to receive additional instructions. The C2 server is currently offline, but the malware's capabilities suggest ongoing development and adaptation by the threat actor.
Timeline
- 03.02.2026 06:55 · 1 article
  Lotus Blossom Hacking Group Exploits Notepad++ Hosting Breach to Deploy Chrysalis Backdoor
- Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group — thehackernews.com — 03.02.2026 06:55
Information Snippets
- The Lotus Blossom hacking group exploited a hosting provider breach to deliver the Chrysalis backdoor to Notepad++ users.
  First reported: 03.02.2026 06:55 · 1 source, 1 article
- Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group — thehackernews.com — 03.02.2026 06:55
- The attack occurred between June and December 2025, exploiting insufficient update verification controls in older versions of Notepad++.
  First reported: 03.02.2026 06:55 · 1 source, 1 article
- Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group — thehackernews.com — 03.02.2026 06:55
- The Chrysalis backdoor is a feature-rich implant capable of gathering system information and executing commands.
  First reported: 03.02.2026 06:55 · 1 source, 1 article
- Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group — thehackernews.com — 03.02.2026 06:55
- The Chrysalis backdoor communicates with a command-and-control (C2) server to receive additional instructions.
  First reported: 03.02.2026 06:55 · 1 source, 1 article
- Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group — thehackernews.com — 03.02.2026 06:55
- The C2 server is currently offline, but the malware's capabilities suggest ongoing development and adaptation by the threat actor.
  First reported: 03.02.2026 06:55 · 1 source, 1 article
- Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group — thehackernews.com — 03.02.2026 06:55
- The breach was discovered and mitigated in December 2025, with Notepad++ migrating to a new hosting provider and rotating all credentials.
  First reported: 03.02.2026 06:55 · 1 source, 1 article
- Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group — thehackernews.com — 03.02.2026 06:55
- The Chrysalis backdoor uses a multi-layered shellcode loader and integrates undocumented system calls to enhance stealth and resilience.
  First reported: 03.02.2026 06:55 · 1 source, 1 article
- Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group — thehackernews.com — 03.02.2026 06:55
- The threat actor has been found to copy and modify an existing proof-of-concept (PoC) published by German cybersecurity company Cirosec in September 2024.
  First reported: 03.02.2026 06:55 · 1 source, 1 article
- Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group — thehackernews.com — 03.02.2026 06:55