Chinese ‘Lotus Blossom’ hacking group carries out major cyberattack

A cyberespionage group with links to the Chinese Government broke into the systems behind a popular code-editing platform and secretly spied on users for about six months.

The Chinese Advanced Persistent Threat (APT) group named “Lotus Blossom” gained access to the servers that handle updates for Notepad++, a free, open-source text editor that is widely used for basic coding and editing config files on Windows computers.

According to cybersecurity researchers and Notepad++’s own maintainer, this started around June 2025 and lasted until around December 2025.

APT groups are highly skilled, well-organised hacking teams, often backed by a government or nation-state, that carry out sophisticated, long-term cyberattacks. They target critical infrastructure and high-value organisations and focus on staying hidden inside networks for months (or even years) whilst attempting to “take over” the whole system or network, rather than selling stolen data or holding systems for ransom like common hacking groups.

In the Notepad++ hijack, the APT group compromised the company that ran the website and update servers. Because older versions of Notepad++ didn’t properly check whether updates were really coming from the official source, the attackers could trick the software’s built-in updater into downloading fake “update” spyware from servers they controlled.

Only a handful of specific users got these bad updates, and the targets were in sensitive areas like government agencies, telecom companies, critical infrastructure such as power grids, aviation, and media organisations, mostly in Southeast Asia and Central America.

The malicious updates delivered a custom piece of spyware, a new backdoor tool nicknamed Chrysalis. Once on the victim’s computer, it let the hackers check what kind of system it was, stay hidden and keep access over time, and run commands remotely.

Researchers said there was no sign of massive data theft. The attackers lost direct control of the server in September 2025 after the host applied some fixes, but kept using stolen login credentials to redirect updates until early December.

Notepad++’s maintainer released a software update on December 9, 2025, to fix the weak update-checking issue, and the project moved to a more secure hosting setup.

A spokesperson for the Chinese Embassy in Washington denied the Lotus Blossom group was linked to China, Reuters reported.

“China opposes and fights all forms of hacking in accordance with the law. We do not encourage, support or connive at cyber attacks. We reject the relevant parties’ irresponsible assertion that the Chinese government sponsored hacking activity when it had not presented any factual evidence,” it said.

Header image credit: Mikhail Nilov (Pexels).
