Nation-State Actors Exploit Notepad++ Supply Chain
A state-sponsored threat group known as Lotus Blossom compromised the official hosting infrastructure for Notepad++ between June and December 2025. The attackers hijacked traffic to the update server, allowing them to selectively target specific users, primarily in Southeast Asia across government, telecommunications and critical infrastructure sectors. Two infection chains were identified: one using Lua script injection to deliver Cobalt Strike and another using DLL side-loading to deploy a Chrysalis backdoor. The campaign affected additional sectors in South America, the US, Europe and Southeast Asia, including cloud hosting, energy, financial, government, manufacturing and software development. The sophisticated supply chain attack leveraged insufficient verification controls in older versions of the Notepad++ updater.
Pulse ID: 699329ab4cfd86feb5b85024
Pulse Link: https://otx.alienvault.com/pulse/699329ab4cfd86feb5b85024
Pulse Author: AlienVault
Created: 2026-02-16 14:28:59
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #BackDoor #Cloud #CobaltStrike #CyberSecurity #Europe #Government #InfoSec #LUA #Manufacturing #Notepad #OTX #OpenThreatExchange #SouthAmerica #SupplyChain #Telecom #Telecommunication #bot #AlienVault
