Nation-State Actors Exploit Notepad++ Supply Chain
Essential information
- Published
- 16/02/2026 14:28
- Modified
- 17/02/2026 16:08
- Tags
- 2026-02-12 2026-02-16 chrysalis chrysalis backdoor cobalt strike dll sideloading infrastructure compromise infrastructure hijacking notepad southeast asia supply-chain
- Related entities
- 20 observables, 1 intrusion sets (apt), 1 techniques (mitre), 2 malware
Description
A state-sponsored threat group known as Lotus Blossom compromised the official hosting infrastructure for Notepad++ between June and December 2025. The attackers hijacked traffic to the update server, allowing them to selectively target specific users, primarily in Southeast Asia across government, telecommunications and critical infrastructure sectors. Two infection chains were identified - one using Lua script injection to deliver Cobalt Strike and another using DLL side-loading to deploy a Chrysalis backdoor. The campaign affected additional sectors in South America, US, Europe and Southeast Asia including cloud hosting, energy, financial, government, manufacturing and software development. The sophisticated supply chain attack leveraged insufficient verification controls in older versions of the Notepad++ updater.