Lotus Blossom — Threat Actor Profile, Campaigns & Targets

Threat entity extracted from intelligence sources

Frequency
12
occurrences
First Seen
February 2, 2026
Last Seen
May 6, 2026

Lotus Blossom is a apt_group tracked across 3 threat clusters and 12 intelligence report mentions on ThreatCluster. First observed February 2, 2026; most recent activity May 6, 2026.

Related Threat Clusters

  • Chinese State Actor Compromises Notepad++ Update Infrastructure

    Between June and December 2025, the Chinese state group Lotus Blossom compromised the shared hosting provider for Notepad++, redirecting update traffic to deliver malicious installers to targeted users. The attackers…

    2 articles · Updated March 19, 2026
  • Supply Chain Attack Compromises DAEMON Tools with Malicious Backdoor

    A supply chain attack has compromised the DAEMON Tools software installers, which began on April 8, 2026. Kaspersky identified that these trojanized installers, signed with legitimate digital certificates, have affected…

    26 articles · Updated May 5, 2026
  • State-Sponsored Hackers Compromise Notepad++ Update Mechanism

    Notepad++ has been hijacked by state-sponsored hackers, specifically a likely Chinese threat actor. The attackers compromised the software's update mechanism between June and December 2025, allowing them to redirect…

    100 articles · Updated February 2, 2026

Recent Intelligence Reports

  • Tr Chrysalis Backdoor Dive Into Lotus Blossoms Toolkit — www.rapid7.com · May 6, 2026
  • Defending Supply Chain Software Pipelines Against Nation — Mbtmag · March 19, 2026
  • Defending Supply Chain Software Pipelines Against Nation — Mbtmag · March 19, 2026
  • Rapid7 links Lotus Blossom APT to Notepad++ compromise, delivering Chrysalis — Industrialcyber.Co · February 9, 2026
  • Notepad++ targeted by Chinese-linked hackers — Thedailystar · February 9, 2026
  • Notepad++ supply chain attack: Researchers reveal details, IoCs, targets — Feeds2.Feedburner · February 3, 2026
  • Notepad++ Attack Breakdown Reveals Sophisticated Malware and Actionable IoCs — Gbhackers · February 3, 2026
  • Notepad++ Hack Detailed Along With the IoCs and Custom Malware Used — Cybersecuritynews · February 3, 2026

CVSS v3.1 Breakdown