Executive Summary

  • Between June and December 2025, the official hosting infrastructure for the text editor Notepad++ was compromised by a state-sponsored threat group known as Lotus Blossom.
  • The attackers breached the shared hosting provider’s environment.
  • This allowed the attackers to intercept and redirect traffic destined for the Notepad++ update server.
  • This infrastructure-level hijack enabled the attackers to selectively target specific users.
  • The targets were primarily located in Southeast Asia, across the government, telecommunications and critical infrastructure sectors.
  • Attackers served these targets malicious update manifests instead of legitimate software updates.

Article Summaries:

  • Nation-state actors, identified as Lotus Blossom, compromised the hosting infrastructure for Notepad++ between June and December 2025. By breaching the shared hosting provider, the group redirected traffic to the Notepad++ update server, enabling selective delivery of malicious update manifests to targeted users, primarily in Southeast Asia but also in South America, the U.S., and Europe. The campaign used a Lua-script injection variant that installed Cobalt Strike beacons and a Chrysalis backdoor via DLL side-loading. Affected sectors include cloud hosting, energy, finance, government, manufacturing, and software development. Palo Alto Networks’ security products provide URL filtering, DNS protection, WildFire analysis, and XDR capabilities to detect and mitigate this supply-chain threat.

Sources: