Lotus Blossom Caught Poisoning Notepad++ Updates in a Stealthy Supply-Chain Attack

Listen to this Post

Featured Image

Introduction

A silent but highly targeted cyber-espionage campaign has surfaced in Southeast Asia, revealing how trusted software can become a weapon overnight. Between June and December 2025, a sophisticated threat actor abused a popular developer tool to infiltrate systems belonging to administrators and technical staff. The operation highlights once again that supply-chain attacks remain one of the most dangerous and hardest-to-detect tactics in modern cybersecurity.

the Original Report

Between mid-2025 and the end of the year, the advanced persistent threat group known as Lotus Blossom conducted a covert supply-chain attack involving Notepad++, a widely used text editor among developers and system administrators. The attackers compromised components associated with the software’s ecosystem and injected malicious payloads using DLL side-loading techniques combined with Lua scripting.

The campaign primarily targeted system administrators across Southeast Asia, a group with elevated privileges and access to sensitive infrastructure. Once the manipulated binaries were executed, the attack chain deployed a custom backdoor known as Chrysalis, allowing long-term persistence and remote control over infected machines. In parallel, the attackers also installed Cobalt Strike beacons, enabling command-and-control communications and lateral movement inside compromised networks.

The use of DLL side-loading allowed the malware to blend in with legitimate application behavior, significantly reducing the chances of early detection. Lua scripts were leveraged to execute additional logic and maintain flexibility, suggesting a well-planned operation rather than opportunistic malware distribution. The campaign remained largely under the radar during its active months, indicating strong operational security and a clear intelligence-gathering objective rather than financial gain.

Overall, the report paints a picture of a disciplined espionage-focused threat actor abusing trust in widely used software to reach high-value targets without triggering immediate alarms.

What Undercode Say:

This operation is a textbook example of why supply-chain attacks are becoming the preferred method for advanced threat actors. Instead of fighting hardened perimeter defenses, Lotus Blossom went after trust itself—trust in everyday tools that administrators rely on. By focusing on Notepad++, the attackers selected software that is lightweight, frequently updated, and rarely scrutinized from a security standpoint.

Targeting system administrators in Southeast Asia is also a strategic choice. These users often manage government, telecom, and enterprise infrastructure, meaning a single compromise can unlock access to entire environments. The deployment of both a custom backdoor and Cobalt Strike shows a dual strategy: persistence for long-term intelligence collection and flexibility for active intrusion when needed.

The technical choices matter here. DLL side-loading remains effective because it exploits legitimate Windows behavior, while Lua scripting provides modularity and rapid adaptation. This suggests the attackers expected defenders to eventually notice something suspicious and wanted the ability to quickly change tactics.

From a defensive perspective, this incident exposes a persistent blind spot. Many organizations still treat developer tools as inherently safe and exclude them from strict monitoring. That assumption no longer holds. Application allow-listing, behavioral monitoring, and verification of software components—not just installers—are now essential.

More broadly, this campaign reinforces a harsh reality: even open-source or widely trusted software can become a delivery vehicle for state-aligned espionage. Detection is no longer just about spotting known malware signatures, but about understanding how legitimate software should behave—and catching it when it doesn’t.

Fact Checker Results

The reported attack timeframe aligns with observed APT activity patterns in Southeast Asia.
DLL side-loading and Cobalt Strike are well-documented techniques used by advanced threat actors.
No evidence currently suggests random or financially motivated targeting, supporting an espionage motive.

Prediction

Supply-chain attacks against developer and admin tools will increase throughout 2026, especially in Asia-Pacific regions. Threat actors are likely to expand beyond text editors into monitoring and automation software, forcing defenders to rethink what “trusted” software really means.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: x.com
Extra Source Hub (Possible Sources for article):
https://www.quora.com/topic/Technology
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon