
Cyber Attacks / Supply Chain

Notepad++ Hosting Breach Attributed to China-Linked Lotus Blossom Hacking Group

A recent compromise of Notepad++'s hosting infrastructure has been linked to the China-linked Lotus Blossom hacking group. This breach allowed the attackers to deliver a previously undocumented backdoor, named Chrysalis, to users of the ope...

[Image: Notepad++ hosting breach, via The Hacker News]

Key Insights

  • The Lotus Blossom group exploited vulnerabilities in Notepad++'s update mechanism (WinGUP) to deliver malicious updates.
  • The attackers were able to intercept network traffic and redirect update requests to malicious servers.
  • Three different infection chains were observed, targeting organizations primarily in East Asia (Vietnam, El Salvador, Australia, and the Philippines).
  • The attack involved DLL side-loading, custom malware (Chrysalis), and commodity frameworks like Metasploit and Cobalt Strike.
  • The attackers actively rotated C2 server addresses, downloaders, and payloads to avoid detection.

In-Depth Analysis

The Notepad++ hosting breach occurred due to vulnerabilities in the WinGUP updater, specifically the lack of integrity and authenticity validation of downloaded update files in older versions (before 8.8.9). This allowed attackers to intercept traffic to `notepad-plus-plus.org` and redirect it to their own servers, delivering compromised updates.

Kaspersky observed three distinct infection chains used by the attackers between July and October 2025:

1. **Chain #1:** Delivered a malicious Notepad++ update via `45.76.155[.]202/update/update.exe`, leveraging DLL side-loading with a ProShow binary to deploy Metasploit and Cobalt Strike payloads.
2. **Chain #2:** Continued using the same malicious update URL but with slight modifications to collect more system information and deliver different payloads, including a Lua script to execute shellcode.
3. **Chain #3:** Used the distribution URL `45.32.144[.]255/update/update.exe`, following a similar sequence of events as documented by Rapid7.

Starting in mid-October 2025, the attackers used multiple URLs (`95.179.213[.]0/update/update.exe`, `95.179.213[.]0/update/install.exe`, `95.179.213[.]0/update/AutoUpdater.exe`) to launch a combination of execution chains #2 and #3.

**How to Prepare:**

  • Organizations should ensure they are using the latest version of Notepad++ (8.8.9 or later).
  • Monitor network requests from `gup.exe` for connections to unknown domains.
  • Check for unexpected processes spawned by the installer (`update.exe` or `AutoUpdater.exe`) in the user TEMP folder.
  • Verify the legitimacy of the installed Notepad++ version.
  • Consider blocking network access to `notepad-plus-plus.org`, or outbound access for the `gup.exe` and `notepad++.exe` processes, if robust monitoring is in place.
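One way to operationalise the two monitoring items above, as an added example (not code from the article, Kaspersky or the Notepad++ project): a small Python script that scans constructed, Sysmon-like process-creation and network-connection events for `gup.exe` reaching hosts other than `notepad-plus-plus.org` and for installers named `update.exe`, `install.exe` or `AutoUpdater.exe` in the user TEMP folder spawning child processes. The event shape, field names and sample paths are assumptions; the `45.76.155.202` address is the one quoted in the article.

```python
import ntpath

# Assumed: events are dicts in a Sysmon-like shape (id 3 = network connect,
# id 1 = process create); the field names are this example's own convention.
LEGIT_UPDATE_HOSTS = {"notepad-plus-plus.org"}  # the only host gup.exe should reach
INSTALLER_NAMES = {"update.exe", "install.exe", "autoupdater.exe"}  # names from the article

def _base(path):
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()

def _in_temp(path):
    """True when the path sits under a ...\\Temp\\ directory."""
    return "\\temp\\" in path.lower()

def check_event(ev):
    """Return an alert string for one event, or None if it looks benign."""
    if ev["id"] == 3 and _base(ev["image"]) == "gup.exe":
        host = ev.get("dest_host", "").lower()
        if host not in LEGIT_UPDATE_HOSTS:
            # An empty host means the updater connected to a bare IP, as in the
            # redirected chains; report whichever identifier the log carries.
            return f"gup.exe contacted unexpected host {host or ev.get('dest_ip', '?')}"
    if ev["id"] == 1:
        parent = ev.get("parent_image", "")
        if _base(parent) in INSTALLER_NAMES and _in_temp(parent):
            return f"{_base(parent)} in TEMP spawned {_base(ev['image'])}"
    return None

def scan(events):
    """Run every event through check_event and keep the alerts, in order."""
    return [a for a in map(check_event, events) if a]

# Constructed sample log: a benign update check, a redirected check, the
# installer launched normally by gup.exe, then the installer spawning a shell.
SAMPLE_EVENTS = [
    {"id": 3, "image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "dest_host": "notepad-plus-plus.org", "dest_ip": "203.0.113.10"},
    {"id": 3, "image": r"C:\Program Files\Notepad++\updater\gup.exe",
     "dest_host": "", "dest_ip": "45.76.155.202"},
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "parent_image": r"C:\Program Files\Notepad++\updater\gup.exe"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The installer being started by `gup.exe` itself is left unflagged because that is the updater's normal behaviour; only what the installer goes on to spawn is reported.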

**Who This Affects Most:** This attack primarily targeted organizations with interests in East Asia, including telecommunications, financial services, government, and IT service providers.


FAQ

- **Q: What is DLL side-loading?**
- **Q: What is Cobalt Strike?**
- **Q: What is Metasploit?**

Takeaways

  • Supply chain attacks are a significant threat, particularly those targeting software update mechanisms.
  • Even widely used and trusted software like Notepad++ can be vulnerable.
  • Organizations should implement robust security measures to protect against these types of attacks, including verifying software integrity and monitoring network traffic.
  • Staying updated with the latest software versions and security patches is crucial.
