Notepad++ hijacking blamed on Chinese Lotus Blossom crew behind Chrysalis backdoor


Security researchers have attributed the Notepad++ update hijacking to a Chinese government-linked espionage crew called Lotus Blossom (aka Lotus Panda, Billbug), which abused weaknesses in the update infrastructure to gain a foothold in high-value targets by delivering a newly identified backdoor dubbed Chrysalis.

Early Monday, the text editor's project author said a suspected Chinese state-sponsored group somehow compromised a shared hosting server and selectively redirected some update traffic to an attacker-controlled site where victims downloaded a poisoned version of what appeared to be a legit software update.

Later on Monday, Rapid7's managed detection and response team attributed the attack "with moderate confidence" to the Chinese advanced persistent threat (APT) group they call Lotus Blossom. 

This group typically conducts targeted cyber-espionage campaigns against organizations in Southeast Asia - and more recently Central America - with a focus on government, telecom, aviation, critical infrastructure, and media sectors.

According to the threat hunters ...


Copyright of this story solely belongs to theregister.co.uk.