China-based espionage group compromised Notepad++ for six months | CyberScoop<\/title> <meta name=\"description\" content=\"The Chinese APT group Lotus Blossom intruded the tool\u2019s internal systems to snoop on a limited set of users\u2019 activities, according to researchers.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/china-espionage-group-lotus-blossom-attacks-notepad\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"China-based espionage group compromised Notepad++ for six months\"> <meta property=\"og:description\" content=\"The Chinese APT group Lotus Blossom intruded the tool\u2019s internal systems to snoop on a limited set of users\u2019 activities, according to researchers.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/china-espionage-group-lotus-blossom-attacks-notepad\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-02-02T20:48:00+00:00\"> <meta property=\"article:modified_time\" content=\"2026-02-02T20:48:03+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/china-based-espionage-group-compromised-notepad-for-six-months-2.jpg\"> <meta property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1286\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1765909325g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1768841770g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1767808656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/87642\"><meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=87642\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fchina-espionage-group-lotus-blossom-attacks-notepad%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fchina-espionage-group-lotus-blossom-attacks-notepad%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-87642 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/china-espionage-group-lotus-blossom-attacks-notepad\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.296012269939\">\n<div class=\"single-article__header-content\" readability=\"35.458333333333\">\n<p> The Chinese APT group Lotus Blossom intruded the tool\u2019s internal systems to snoop on a limited set of users\u2019 activities, according to researchers. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/87642\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"429\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/china-based-espionage-group-compromised-notepad-for-six-months.jpg?resize=640%2C429&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/china-based-espionage-group-compromised-notepad-for-six-months-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/china-based-espionage-group-compromised-notepad-for-six-months-2.jpg?resize=300,201 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/china-based-espionage-group-compromised-notepad-for-six-months-2.jpg?resize=768,514 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/china-based-espionage-group-compromised-notepad-for-six-months-2.jpg?resize=1024,686 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/china-based-espionage-group-compromised-notepad-for-six-months-2.jpg?resize=1536,1029 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/china-based-espionage-group-compromised-notepad-for-six-months-2.jpg?resize=600,402 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/china-based-espionage-group-compromised-notepad-for-six-months-2.jpg?resize=251,168 251w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/china-based-espionage-group-compromised-notepad-for-six-months-2.jpg?resize=503,337 503w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/china-based-espionage-group-compromised-notepad-for-six-months-2.jpg?resize=1008,675 1008w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/china-based-espionage-group-compromised-notepad-for-six-months-2.jpg?resize=1259,843 1259w\" sizes=\"(max-width: 1008px) 100vw, 1008px\"><figcaption> Members of the Peoples Liberation Army band leave after the closing session of the Chinese People’s Political Consultative Conference, or CPPCC, at the Great Hall of the People on March 10, 2025 in Beijing. (Photo by Kevin Frayer\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"47.757156264664\"><body readability=\"98.036977491961\"><\/p>\n<p>A China-based threat group operating for almost two decades broke into the internal systems of Notepad++, an extremely popular open source-code editor, to <a href=\"https:\/\/www.rapid7.com\/blog\/post\/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit\/\">spy on a select group of targeted users<\/a>, researchers at Rapid7 said Monday.<\/p>\n<p>Don Ho, the author and maintainer of the open-source tool, said independent security researchers confirmed a China state-sponsored group <a href=\"https:\/\/notepad-plus-plus.org\/news\/hijacked-incident-info-update\/\">compromised Notepad++\u2019s server for a six-month period<\/a> starting in June 2025. Ho, who did not respond to a request for comment, released a <a href=\"https:\/\/notepad-plus-plus.org\/news\/v889-released\/\">software update<\/a> Dec. 9 claiming to address authentication weaknesses that allowed attackers to hijack the Notepad++ updater client and user traffic.<\/p>\n<p>The Chinese APT group Lotus Blossom, which has been active since at least 2009, gained recurring access and deployed various payloads \u2014 including a custom backdoor \u2014 to snoop on some users\u2019 activities, according to Rapid7. The espionage group is also known as Billbug, Thrip and Raspberry Typhoon. <\/p>\n<p>\u201cWe have no evidence of bulk data exfiltration,\u201d Christiaan Beek, senior director of threat intelligence and analytics at Rapid7, told CyberScoop. \u201cThe tooling observed is consistent with post-compromise reconnaissance, command execution, and selective data access, rather than broad data harvesting.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The attacks, which showcased resilience and stealth tradecraft, did not result in a mass compromise of all Notepad++ users, but rather a limited number of affected environments, according to Rapid7.<\/p>\n<p>\u201cPost-compromise behavior included system profiling, persistence mechanisms, and remote command execution consistent with long-term espionage access rather than immediate disruption or monetization,\u201d Beek added. \u201cThe objective appears aligned with strategic intelligence collection, consistent with Lotus Blossom\u2019s historical operations.\u201d<\/p>\n<p>The former hosting provider for Notepad++ said the attackers lost access to the tool\u2019s server on Sept. 2, but maintained legitimate credentials to internal services until Dec. 2, which allowed the attackers to redirect Notepad++ update traffic to malicious servers, Ho said in a blog post. <\/p>\n<p>Ho did not say when or how they first became aware of unauthorized access to Notepad++\u2019s systems. The website, which attackers targeted to exploit \u201cinsufficient update verification controls that existed in older versions of Notepad++,\u201d was moved to a new hosting provider with stronger security practices, Ho said in the blog post.<\/p>\n<p>Beek confirmed that Lotus Blossom\u2019s unauthorized access appears to have been disrupted, noting that its known infrastructure linked to the months-long campaign is no longer active. Some security researchers started surfacing reports of incidents linked to Notepad++ in November.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>While Notepad++\u2019s internal system improvements appear to have halted the malicious activity, users running older versions of the software should still update as a precaution, Beek said. \u201cWe are not seeing ongoing active exploitation tied to this campaign.\u201d<\/p>\n<p>Lotus Blossom targeted software that provided potential access to many sensitive targets. The Windows-based tool, which was first released in 2003 and typically used as an alternative to Windows Notepad, is widely used by developers, IT administrators, engineers and analysts, including some working in government, telecom, critical infrastructure and media, Beek said.<\/p>\n<p>Many security researchers, analysts and users have <a href=\"https:\/\/bsky.app\/search?q=notepad%2B%2B\">taken their concerns to social media<\/a> to warn about the potential risk of the long-term intrusion and share worries about the ultimate impact of the campaign.<\/p>\n<p>\u201cObserved activity suggests selective, targeted follow-on exploitation,\u201d Beek added, \u201cnot opportunistic mass infection.\u201d<\/p>\n<p> <\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.4281663516068\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/02\/china-based-espionage-group-compromised-notepad-for-six-months-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/china-espionage-group-lotus-blossom-attacks-notepad\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>China-based espionage group compromised Notepad++ for six months | CyberScoop<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[436,613,271,2973,1753,282,440,624,281,5897,5898,3353,256,288,5899],"tags":[245,618,277,2975,1756,286,444,629,285,5900,5901,3357,262,294,5902],"class_list":["post-8320","post","type-post","status-publish","format-standard","hentry","category-apt","category-authentication","category-china","category-credential-theft","category-cyber-espionage","category-cybercrime","category-data-breaches","category-espionage","category-hacking","category-lotus-blossom","category-notepad","category-rapid7","category-research","category-threats","category-update","tag-apt","tag-authentication","tag-china","tag-credential-theft","tag-cyber-espionage","tag-cybercrime","tag-data-breaches","tag-espionage","tag-hacking","tag-lotus-blossom","tag-notepad","tag-rapid7","tag-research","tag-threats","tag-update"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/apt\/\" rel=\"category tag\">apt<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/authentication\/\" rel=\"category tag\">authentication<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/china\/\" rel=\"category tag\">China<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/credential-theft\/\" rel=\"category tag\">credential theft<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cyber-espionage\/\" rel=\"category tag\">cyber espionage<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/data-breaches\/\" rel=\"category tag\">data breaches<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/espionage\/\" rel=\"category tag\">espionage<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/hacking\/\" rel=\"category tag\">hacking<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/lotus-blossom\/\" rel=\"category tag\">Lotus Blossom<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/notepad\/\" rel=\"category tag\">Notepad++<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/rapid7\/\" rel=\"category tag\">Rapid7<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/update\/\" rel=\"category tag\">update<\/a>","tag_info":"update","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8320","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8320"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8320\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8320"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8320"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8320"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8320,"date":"2026-02-02T14:48:00","date_gmt":"2026-02-02T20:48:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=87642"},"modified":"2026-02-02T14:48:00","modified_gmt":"2026-02-02T20:48:00","slug":"china-based-espionage-group-compromised-notepad-for-six-months","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/02\/02\/china-based-espionage-group-compromised-notepad-for-six-months\/","title":{"rendered":"China-based espionage group compromised Notepad++ for six months"},"content":{"rendered":"