{"id":23827,"date":"2026-03-10T08:30:46","date_gmt":"2026-03-10T01:30:46","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&p=23827"},"modified":"2026-03-17T11:03:36","modified_gmt":"2026-03-17T04:03:36","slug":"the-notepad-supply-chain-attack-when-a-benign-tool-becomes-a-weapon-for-chinese-state-espionage","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/the-notepad-supply-chain-attack-when-a-benign-tool-becomes-a-weapon-for-chinese-state-espionage\/","title":{"rendered":"The Notepad++ supply chain attack: When a benign tool becomes a weapon for Chinese state espionage"},"content":{"rendered":"

One of the software supply chain attacks discovered at the end of 2025 has further reinforced a troubling reality of modern cybersecurity: even the most benign applications can become entry points for nation-state actors. In December 2025, Rapid7 Labs discovered and publicly disclosed an attack campaign believed to be carried out by the APT group Lotus Blossom (Billbug) – a Chinese state-sponsored espionage group. The attackers exploited vulnerabilities in Notepad++\u2019s hosting infrastructure to distribute a new backdoor called Chrysalis to carefully selected targets.<\/span><\/p>\n

 <\/p>\n

Lotus Blossom profile: Asia\u2019s persistent cyber spy<\/b><\/span><\/h2>\n

Lotus Blossom, also known by several other names such as Billbug (Symantec), Spring Dragon (Kaspersky), Thrip, Lotus Panda, and Bronze Elgin, is a Chinese APT group with a history of attacks spanning more than a decade. The group was first publicly identified in 2015 by Palo Alto Networks when it released a report on \u201cOperation Lotus Blossom\u201d, linking the group to more than 50 attacks over the preceding three years. Since then, Lotus Blossom has become one of Asia\u2019s most persistent cyber-espionage actors.<\/span><\/p>\n

The group primarily operates in Southeast Asia, including Vietnam, the Philippines, Thailand, Cambodia, Malaysia, Indonesia, Hong Kong, and Taiwan. Its targets typically include government agencies, military organizations, telecommunications companies, aviation and transportation sectors, media organizations, and critical infrastructure – sectors closely tied to China\u2019s strategic interests, particularly regarding the South China Sea. The group\u2019s attack techniques have evolved from early basic phishing campaigns to more sophisticated methods, including exploiting public applications and leveraging legitimate cloud services as C2 (Command & Control) servers.<\/span><\/p>\n

 <\/p>\n

Timeline of the attack: From initial access to discovery<\/b><\/span><\/h2>\n

The Notepad++ attack began in June 2025, when Lotus Blossom, or actors working on their behalf, secretly infiltrated the shared hosting infrastructure used by Notepad++. It is important to note that the attackers did not exploit any vulnerabilities in the Notepad++ source code itself. Instead, they compromised the hosting provider layer, the physical servers that store update files.<\/span><\/p>\n

Over the six months from June to December 2025, the attackers used the compromised access to intercept and redirect update traffic from selected Notepad++ users. When Windows users ran the Notepad++ application and triggered the WinGUp updater (the automatic update utility), instead of receiving a legitimate update from notepad-plus-plus.org, some users were redirected to attacker-controlled servers to download update.exe, an NSIS (Nullsoft Scriptable Install System) installer containing malicious code.<\/span><\/p>\n

Although the hosting infrastructure was restored in September 2025 after the provider applied kernel and firmware updates, the attackers maintained access through stolen internal service credentials. As a result, they continued redirecting Notepad++ traffic until December 2, 2025, when the final access was terminated.<\/span><\/p>\n

 <\/p>\n

Chrysalis backdoor: The core tool of the campaign<\/b><\/span><\/h2>\n

The main payload delivered through this access vector was a new backdoor named \u201cChrysalis\u201d by Rapid7 – an appropriate name given the attackers\u2019 intent to create persistent access channels that could survive long periods of time. Chrysalis is not a temporary tool; rather, it clearly represents a carefully developed, full-featured backdoor.<\/span><\/p>\n

Chrysalis contains a wide range of powerful command-and-control capabilities, indicating it was designed for long-term use:<\/span><\/p>\n