The Notepad++ website was hijacked by 'malicious actors' last year and security researchers are picking through the wreckage

• Copy link
• Facebook
• X
• Whatsapp
• Reddit
• Pinterest
• Flipboard
• Email

Share this article

0

Join the conversation

Follow us

Add us as a preferred source on Google

Newsletter

Get the PC Gamer Newsletter

Keep up to date with the most important stories and the best deals, as picked by the PC Gamer team.

Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors

---

By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

You are now subscribed

Your newsletter sign-up was successful

---

Want to add more newsletters?

Every Friday

GamesRadar+

Your weekly update on everything you could ever want to know about the games you already love, games we know you're going to love in the near future, and tales from the communities that surround them.

Signup +

Every Thursday

GTA 6 O'clock

Our special GTA 6 newsletter, with breaking news, insider info, and rumor analysis from the award-winning GTA 6 O'clock experts.

Signup +

Every Friday

Knowledge

From the creators of Edge: A weekly videogame industry newsletter with analysis from expert writers, guidance from professionals, and insight into what's on the horizon.

Signup +

Every Thursday

The Setup

Hardware nerds unite, sign up to our free tech newsletter for a weekly digest of the hottest new tech, the latest gadgets on the test bench, and much more.

Signup +

Every Wednesday

Switch 2 Spotlight

Sign up to our new Switch 2 newsletter, where we bring you the latest talking points on Nintendo's new console each week, bring you up to date on the news, and recommend what games to play.

Signup +

Every Saturday

The Watchlist

Subscribe for a weekly digest of the movie and TV news that matters, direct to your inbox. From first-look trailers, interviews, reviews and explainers, we've got you covered.

Signup +

Once a month

SFX

Get sneak previews, exclusive competitions and details of special events each month!

Signup +

---

An account already exists for this email address, please log in.

Subscribe to our newsletter

Popular open source text editor Notepad++ experienced a significant security breach last year, and now its developer has given an update regarding the attack.

It's believed that, between June and November 10/December 2, 2025 (independent security experts and its hosting provider disagree on the exact timings), a shared hosting server was compromised, allowing attackers to redirect Notepad++ update traffic to malicious servers.

"According to the analysis provided by security experts, the attack involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org." says a statement on the now-secure website.

"The exact technical mechanism remains under investigation, though the compromise occurred at the hosting provider level rather than through vulnerabilities in Notepad++ code itself."

The update goes on to say that "Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign."

According to cybersecurity firm Rapid7, the attack can be contributed to Chinese APT group Lotus Blossom, a threat actor that has been known to perform "targeted espionage campaigns" primarily impacting organisations across Southeast Asia and Central America. The custom backdoor used in the attack has since been dubbed "Chrysalis", and explaining its methodology is where I start to get lost, so I'll quote directly from the Rapid7 report instead:

"Its wide array of capabilities indicates it is a sophisticated and permanent tool, not a simple throwaway utility. It uses legitimate binaries to sideload a crafted DLL with a generic name, which makes simple filename-based detection unreliable.

"It relies on custom API hashing in both the loader and the main module, each with its own resolution logic. This is paired with layered obfuscation and a fairly structured approach to C2 communication."

Of course, of course. However, Rapid7's main concern appears to be what Chrysalis, and other tools and methods used in the attack, says about Lotus Blossom's newfound capabilities:

"While the group continues to rely on proven techniques like DLL sideloading and service persistence, their multi-layered shellcode loader and integration of undocumented system calls (NtQuerySystemInformation) mark a clear shift toward more resilient and stealth tradecraft," says the firm.

"This demonstrates that Lotus Blossom is actively updating their playbook to stay ahead of modern detection."

Gulp. So, while the Notepad++ developer has since switched to a different hosting provider (with what are described as "significantly stronger security practices"), it seems that Lotus Blossom is gaining strength—and some hosting providers are falling victim to its modern methods. Sleep tight, website.

Best PC gaming kit 2026

1. Best gaming chair: Secretlab Titan Evo

2. Best gaming desk: Secretlab Magnus Pro XL

3. Best gaming headset: Razer BlackShark V3

4. Best gaming keyboard: Asus ROG Strix Scope II 96 Wireless

5. Best gaming mouse: Razer DeathAdder V4 Pro

6. Best PC controller: