Chinese Hackers Were Inside Notepad++ For Much of 2025, But Only “Select Targets” Received Compromised Software Updates
February 10, 2026
The bad news is that there has been another major supply chain attack by advanced nation-state threat actors, but the good news is that it is another one in which the vast majority of potential victims were ignored in favor of select espionage targets. A group of Chinese hackers is thought to be behind the breach of Notepad++, but the malicious software updates they pushed out to compromise victims were sent only to what appears to be mostly East Asia-based organizations of interest to their government.
Notepad++’s bad software updates only sent to specific targets
Though the Chinese hackers appear to have compromised Notepad++’s host server and had the ability to push malicious software updates to all of its users, they did not do so for the vast majority. They instead appeared to want to maintain a “low and slow” approach to get at targets of espionage interest, managing to maintain the breach window from sometime in June of last year to December 2 (with a brief interruption in September due to a host server software update).
Specific victims have not been named, but security researchers handling the follow-up say that at least three known organizations in East Asia were compromised by the malicious Notepad++ updates. Kaspersky researchers believe that additional organizations in Australia, Vietnam, El Salvador and the Philippines were targeted by the Chinese hackers.
Indicators of compromise were somewhat hard to come by. Notepad++’s former hosting provider (the one that was compromised and has since been dropped) said it could not find any, nor could the Notepad++ team after reviewing some 400 GB of server logs. Other security researchers have since found both file and network indicators.
The MO fits prior supply chain attacks by advanced threat actors, including the notorious SolarWinds breach; indiscriminately compromising everyone downstream of the breached provider would likely raise alarms much faster. Even for-profit cyber criminals that might benefit from racking up lots of victims quickly are taking a slower and more targeted approach, as was seen in 2025 campaigns by the likes of Scattered Spider and Lapsus$.
Chinese hackers are a lesser-known group that focuses on Asia and Central America
Though the attackers were able to compromise the Notepad++ host server, they seemed to allow the vast majority of legitimate software updates to pass through. Only specific targets received malicious updates during the breach window. That window formally closed with the Notepad++ version 8.8.9 release in early December, but the Chinese hackers lost access for a short period in September as well when a server kernel and firmware update was taking place (they soon reestablished access, however, using internal credentials they had previously stolen).
There are so many teams of state-sponsored Chinese hackers that some are considered leading threats despite being little known outside the security industry. The suspected culprits here, called “Raspberry Typhoon” or “Lotus Blossom” depending on the security outfit, are a good example of this. They haven’t made quite the same waves as some of their other “Typhoon” cousins, but have been in operation since at least 2009 and are considered highly skilled. This was demonstrated here via their use of an entirely new backdoor being called “Chrysalis,” which security researchers are still studying.
Supply chain attacks are frightening because of the potential number of follow-on victims, but in practice we generally see them used to go after very specific organizations of interest in a limited way. One major lesson to be taken from this is that assuming something is safe because it came from a known, supposedly secure domain is a practice that is rapidly falling out of date. Behavior, such as suspicious connection requests from a text editor, must be more closely and carefully monitored.
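The kind of behavioral check the last paragraph calls for, as an added example for this article (not code from Notepad++, its updater, or the researchers cited): a small detector that reads Sysmon Event ID 3 style network-connection records and flags any connection made by the editor or its bundled updater that falls outside a baseline of expected destinations. The log records are constructed, and the baseline values (`EXPECTED_HOSTS`, `EXPECTED_PORTS`, the watched image names) are assumptions to be replaced with what your own telemetry shows the updater normally doing.

```python
"""Flag network connections made by a text-editor process that fall outside
its known update baseline.

Added example; not code from Notepad++, its updater, or the researchers cited.
Records are constructed in the shape of Sysmon Event ID 3 (network connection)
exported as JSON lines. Baseline values are assumptions for this example.
"""
import json
from dataclasses import dataclass, field

# Process image basenames to watch. GUP.exe is the updater shipped alongside
# Notepad++; the set itself is an assumption for this example.
EDITOR_IMAGES = {"notepad++.exe", "gup.exe"}

# Expected destinations for the editor/updater. Placeholder baseline: derive
# the real one from a few weeks of your own telemetry before alerting on it.
EXPECTED_HOSTS = {"notepad-plus-plus.org"}
EXPECTED_PORTS = {443}

# Constructed telemetry (documentation IP ranges, reserved .invalid TLD).
SAMPLE_LOG = r"""
{"UtcTime": "2025-10-03 08:12:01", "Computer": "WS-114", "Image": "C:\\Program Files\\Notepad++\\updater\\GUP.exe", "DestinationHostname": "notepad-plus-plus.org", "DestinationIp": "203.0.113.10", "DestinationPort": 443}
{"UtcTime": "2025-10-03 08:12:07", "Computer": "WS-114", "Image": "C:\\Program Files\\Notepad++\\notepad++.exe", "DestinationHostname": "", "DestinationIp": "198.51.100.23", "DestinationPort": 443}
{"UtcTime": "2025-10-03 08:13:40", "Computer": "WS-207", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "www.example.com", "DestinationIp": "192.0.2.9", "DestinationPort": 443}
not-a-json-line
{"UtcTime": "2025-10-03 09:01:15", "Computer": "WS-114", "Image": "C:\\Program Files\\Notepad++\\notepad++.exe", "DestinationHostname": "cdn.update-mirror.invalid", "DestinationIp": "192.0.2.77", "DestinationPort": 8443}
{"UtcTime": "2025-10-03 09:30:00", "Computer": "WS-339", "Image": "C:\\Program Files\\Notepad++\\updater\\GUP.exe", "DestinationHostname": "notepad-plus-plus.org", "DestinationIp": "203.0.113.10", "DestinationPort": 80}
"""


@dataclass
class Finding:
    time: str
    computer: str
    image: str
    destination: str
    reasons: list = field(default_factory=list)


def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank or malformed records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed export line; count these separately in production
    return events


def image_basename(image_path):
    """Return the lower-cased file name from a Windows image path."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious(events, expected_hosts=EXPECTED_HOSTS, expected_ports=EXPECTED_PORTS):
    """Return one Finding per editor/updater connection outside the baseline."""
    findings = []
    for ev in events:
        if image_basename(ev.get("Image", "")) not in EDITOR_IMAGES:
            continue  # other processes are outside this detector's scope
        host = (ev.get("DestinationHostname") or "").lower()
        ip = ev.get("DestinationIp", "")
        port = int(ev.get("DestinationPort", 0))
        reasons = []
        if not host:
            reasons.append("no hostname recorded (connection to raw IP)")
        elif host not in expected_hosts:
            reasons.append(f"destination host {host} not in baseline")
        if port not in expected_ports:
            reasons.append(f"destination port {port} not in baseline")
        if reasons:
            findings.append(Finding(ev.get("UtcTime", ""), ev.get("Computer", ""),
                                    image_basename(ev["Image"]), f"{host or ip}:{port}", reasons))
    return findings


def count_by_computer(findings):
    """Flagged connections per endpoint. A handful of hits on one or two machines,
    rather than fleet-wide noise, is the shape a targeted low-volume delivery takes."""
    counts = {}
    for f in findings:
        counts[f.computer] = counts.get(f.computer, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_suspicious(parse_events(SAMPLE_LOG))
    for f in hits:
        print(f"{f.time} {f.computer} {f.image} -> {f.destination}: {'; '.join(f.reasons)}")
    print(count_by_computer(hits))
```

Run against the constructed records, the detector ignores the browser traffic and the legitimate updater check, and flags the editor reaching a raw IP, the editor talking to an unknown host on an unusual port, and the updater using an unexpected port. The point of keeping the logic a plain allowlist on host and port is that the baseline is cheap to build from existing endpoint telemetry and does not depend on knowing a specific malicious indicator in advance.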