A shocking revelation has emerged, pointing fingers at a Chinese espionage group, Lotus Blossom, for hijacking the Notepad++ update. But wait, there's more to this story than meets the eye.
Security experts believe that this notorious group, also known as Lotus Panda or Billbug, exploited vulnerabilities in the update process to infiltrate high-profile targets. The attackers delivered a newly discovered backdoor, Chrysalis, which has raised serious concerns.
On Monday, the Notepad++ project author disclosed a suspected Chinese state-sponsored attack. The group compromised a shared server and manipulated update traffic, tricking victims into downloading a malicious software update. Rapid7's detection team later confirmed this attack with moderate confidence, linking it to the Chinese APT group, Lotus Blossom.
This group's usual targets include organizations in Southeast Asia and, more recently, Central America, focusing on government, telecom, aviation, critical infrastructure, and media sectors. And here's where it gets controversial—the same group is believed to have been behind the Notepad++ update hijack.
The attackers used this opportunity to distribute Chrysalis, a previously unidentified backdoor. Don Ho, the Notepad++ author, was unavailable for comment on Rapid7's findings. The exact method of the attackers' initial access remains a mystery, but once inside, they manipulated the update process to deliver a trojanized NSIS installer, a delivery tactic commonly seen from Chinese APT groups.
The installer included a disguised executable, BluetoothService.exe, which was actually a renamed Bitdefender Submission Wizard used for DLL sideloading. It also contained an encrypted shellcode file and a malicious DLL. The shellcode, identified as Chrysalis, is a sophisticated backdoor with a wide range of capabilities, according to Rapid7.
The attackers used legitimate, signed binaries to sideload a malicious DLL, helping the payload evade basic detection methods that trust the host executable. They also employed custom API hashing and multiple obfuscation layers to hide their tracks, along with a structured C2 communication approach.
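The sideloading pattern described above (a known vendor tool copied under a new name, with a DLL placed beside it) leaves two traces a defender can look for: a file whose hash matches a legitimate tool but whose on-disk name does not, and a DLL loaded by that file from its own directory. The script below is an added example and is not code from the article, from Rapid7 or from the Notepad++ project. The event records, the known-tool table, the tool's canonical file name (`submissionwizard.exe`) and the DLL name (`some.dll`) are all constructed for illustration; the hashes are computed from stand-in bytes and are not real indicators.

```python
"""Flag renamed legitimate binaries and the DLLs they load from their own directory.

Added example, not from the article or Rapid7. All records, names and hashes below
are constructed for illustration and are not real indicators of compromise.
"""
import hashlib
from pathlib import PureWindowsPath


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a legitimate, signed vendor tool. A real table would
# hold vendor-published hashes keyed to the file name the vendor ships it under.
_WIZARD_BYTES = b"constructed stand-in for a vendor submission wizard"
KNOWN_TOOLS = {sha256_hex(_WIZARD_BYTES): "submissionwizard.exe"}  # assumed canonical name


def find_renamed_binaries(events, known_tools=KNOWN_TOOLS):
    """Return {lowercased path: canonical name} for files whose hash matches a
    known tool but whose on-disk file name differs from the tool's own name."""
    renamed = {}
    for ev in events:
        if ev.get("type") != "file_create":
            continue
        canonical = known_tools.get(ev["sha256"].lower())
        if canonical is None:
            continue
        if PureWindowsPath(ev["path"]).name.lower() != canonical.lower():
            renamed[ev["path"].lower()] = canonical
    return renamed


def find_sideload_candidates(events, renamed):
    """Return (process, dll) pairs where a renamed binary loads a DLL from the
    directory it lives in; system DLLs from other directories are ignored."""
    hits = []
    for ev in events:
        if ev.get("type") != "image_load":
            continue
        proc = ev["process"].lower()
        if proc not in renamed:
            continue
        dll = PureWindowsPath(ev["image"])
        if dll.suffix.lower() != ".dll":
            continue
        if str(dll.parent).lower() == str(PureWindowsPath(proc).parent).lower():
            hits.append((ev["process"], ev["image"]))
    return hits


def analyse(events, known_tools=KNOWN_TOOLS):
    renamed = find_renamed_binaries(events, known_tools)
    return {"renamed": renamed, "sideloads": find_sideload_candidates(events, renamed)}


# Constructed telemetry: a vendor tool dropped under the name seen in the article,
# a DLL beside it, and the same tool installed under its own name elsewhere.
_UPD = r"C:\Users\alice\AppData\Local\Temp\upd"
SAMPLE_EVENTS = [
    {"type": "file_create", "path": _UPD + r"\BluetoothService.exe",
     "sha256": sha256_hex(_WIZARD_BYTES)},
    {"type": "file_create", "path": _UPD + r"\some.dll",
     "sha256": sha256_hex(b"constructed stand-in for the dropped dll")},
    {"type": "file_create", "path": r"C:\Program Files\Vendor\submissionwizard.exe",
     "sha256": sha256_hex(_WIZARD_BYTES)},
    {"type": "image_load", "process": _UPD + r"\BluetoothService.exe",
     "image": _UPD + r"\some.dll"},
    {"type": "image_load", "process": _UPD + r"\BluetoothService.exe",
     "image": r"C:\Windows\System32\kernel32.dll"},
    {"type": "image_load", "process": r"C:\Program Files\Vendor\submissionwizard.exe",
     "image": r"C:\Program Files\Vendor\helper.dll"},
]

if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    for path, canonical in result["renamed"].items():
        print(f"renamed legitimate binary: {path} (really {canonical})")
    for proc, dll in result["sideloads"]:
        print(f"possible DLL sideload: {proc} loaded {dll}")
```

The benign copy under its own name produces no alert, and the DLL from System32 is not counted as a sideload because it does not sit next to the renamed executable. Matching on the hash alone is the weak point: a defender has to keep the known-tool table populated from vendor-published values, and an attacker who modifies the binary would not match it, so this check complements rather than replaces signature and reputation checks.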
This incident is just one in a series of China-linked cyber-espionage activities. Other notable cases include using Maduro's capture as a phishing lure and the alleged spying on UK prime ministers' aides. But the question remains: how many victims fell for this Notepad++ update deception? Rapid7 has yet to determine the full extent, but it has provided a comprehensive list of indicators of compromise.
The attribution to Lotus Blossom is based on similarities with previous research by Symantec, including the use of a renamed Bitdefender tool for sideloading a specific file. Rapid7's analysis suggests a strong connection, but the mystery continues—how can we prevent such attacks in the future? Share your thoughts in the comments below!