Cyber Threat Actor: Lotus Blossom
| Actor Type | Location | Known Incidents |
Nation State
|
China
|
1 incident |
|---|
Profile
Lotus Blossom, also tracked under the alias Billbug, is a threat actor publicly identified as a Chinese state‑sponsored group. The actor’s location is attributed to China, and it has been linked to operations that align with strategic interests of the Chinese government. Public reporting associates Lotus Blossom with the intrusion that compromised the Notepad++ software update infrastructure in June 2025. This association establishes the group’s use of aliases and its connection to state‑backed activity.
In the Notepad++ incident, Lotus Blossom gained initial access by seizing control of the shared hosting provider that served the project’s update servers, a move facilitated by the theft of legitimate credentials. With those credentials the actors redirected update traffic to malicious servers under their control, allowing them to push a custom backdoor named Chrysalis alongside established tools such as Cobalt Strike and Metasploit payloads. The malicious updates were designed to blend with legitimate developer activity, which helped them evade detection by many endpoint detection and response tools that rely on behavioral baselines. Despite the hosting provider’s scheduled maintenance, the stolen credentials enabled the attackers to maintain traffic interception for several months, demonstrating a persistence mechanism rooted in credential abuse. The group’s tooling style in this operation combined a bespoke implant with widely available post‑exploitation frameworks, indicating a flexible approach to payload delivery.
The Notepad++ supply chain compromise represents a notable campaign attributed to Lotus Blossom/Billbug, highlighting the actor’s capability to exploit trusted software distribution channels to reach a broad user base. Following the discovery, the Notepad++ project migrated to a new hosting provider and strengthened its updater to enforce certificate and signature verification for future releases, directly addressing the weaknesses exploited in the attack. This operation serves as a concrete example of Lotus Blossom’s use of supply chain tactics, credential theft, and mixed malware deployment to achieve its objectives. No additional sectors, regions, or motivational details are explicitly stated in the available sources, so the profile remains confined to the confirmed facts presented.
