Today, Immersive's Container 7 Research Team have released a lab covering the latest Lotus Blossom intrusion, which abused the Notepad++ update pipeline.
In January 2026, threat researchers at Rapid7 detailed a sophisticated supply chain attack targeting the Notepad++ update mechanism. Between July and October 2025, attackers compromised the project’s distribution infrastructure to deliver a custom, undocumented backdoor dubbed Chrysalis. By intercepting update requests, the threat actor distributed malicious NSIS installers to a targeted set of victims across Southeast Asia and Australia.
What is this about?
Supply chain compromises represent one of the most dangerous threat vectors today. In this campaign, the Chinese state-sponsored group Lotus Blossom (also known as Billbug or Thrip) hijacked a trusted software update pipeline. The attack involves complex DLL sideloading techniques—abusing a renamed Bitdefender binary to execute a multi-layered encrypted payload. Once the Chrysalis backdoor is active, it provides the attackers with persistent, feature-rich remote access to the victim's environment.
Why is this critical for you and your team?
As organizations rely on legitimate third-party utilities like Notepad++, trust in the update process is paramount. This intrusion highlights how state-sponsored actors can weaponize that trust to bypass perimeter defences. Understanding the Chrysalis infection chain—from the initial NSIS installer to the triple-layer decryption of its C2 configuration—is vital for detecting similar "living-off-the-land" and sideloading tactics in your own network.
If your team manages software deployments or monitors developer environments, you must be cognisant of how attackers leverage legitimate, signed binaries to mask malicious behaviour. This lab provides a deep dive into the specific obfuscation and persistence strategies used by one of the region's most persistent threat groups.
Who is the content for?
- Security Analysts
- Threat Researchers
Here is a link to the lab: