Saved February 14, 2026
Do you care about this?
A state-sponsored group, Lotus Blossom, compromised Notepad++'s hosting infrastructure, allowing them to serve malicious updates to targeted users in Southeast Asia. The attack leveraged DLL sideloading and Lua script injections to deliver malware, affecting various sectors globally.
If you do, here's more
Between June and December 2025, a significant security breach affected the Notepad++ text editor, attributed to a state-sponsored group known as Lotus Blossom. The attackers compromised the hosting infrastructure, allowing them to intercept update requests and redirect them to malicious servers. The attack specifically targeted users in Southeast Asia, focusing on sectors such as government and telecommunications. Instead of legitimate updates, victims received malicious software delivered through Notepad++'s update mechanism.
The attackers employed several techniques, including DLL sideloading and Lua script injection, to deliver Cobalt Strike Beacon malware and a backdoor called Chrysalis. The exploitation relied on flaws in older versions of the Notepad++ updater, so the attack chain could start from a seemingly benign update process. This multi-faceted approach gave the attackers extensive control over compromised systems while evasion techniques kept the activity from being detected.
Notepad++ has since responded by migrating to a more secure hosting provider and enhancing its update verification processes. Users are advised to upgrade to version 8.9.1 to benefit from these security improvements. The article also highlights ongoing monitoring efforts, with recommendations for threat hunting and detection strategies to identify any residual malicious activity.