InfoSec News 03FEB2026
General
- After Notepad++ fixed its update code (checking what it was running, rather than just trusting whatever it downloaded), more information has come to light. It's alleged that a chinese-aligned threat actor has been exploiting the vulnerability, (selectively) redirecting traffic, and using it to install their own code.
Rapid7 have a write-up on the code 'Chrysalis' they believe was delivered in the campaign. Cheeky - it uses DLL side-loading in a Bitdefender executable. Standard evasion and Command and Control (C2) capabilities.
Rapid7 are attributing the attack to LotusBlossom/Lotus Panda/APT30/Raspberry Typhoon/Funky Canal.
The incident began from June 2025. Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign.
...
According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers.
(Typos in original quote corrected)
Our investigation identified a security incident stemming from a sophisticated compromise of the infrastructure hosting Notepad++, which was subsequently used to deliver a previously undocumented custom backdoor, which we have dubbed Chrysalis.
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://arstechnica.com/security/2026/02/notepad-updater-was-compromised-for-6-months-in-supply-chain-attack/
- https://www.bleepingcomputer.com/news/security/notepad-plus-plus-update-feature-hijacked-by-chinese-state-hackers-for-months/
- https://cyberscoop.com/china-espionage-group-lotus-blossom-attacks-notepad/
- https://www.itnews.com.au/news/popular-text-editor-notepad-was-hacked-to-drop-malware-623335
- https://techcrunch.com/2026/02/02/notepad-says-chinese-government-hackers-hijacked-its-software-updates-for-months/
- https://therecord.media/popular-text-editor-hijacked-by-suspected-state-sponsored-hackers
- https://www.theregister.com/2026/02/02/notepad_plusplus_intrusion/
- McDonalds Netherlands gets behind Change Your Password day, encouraging people to use properly strong passwords, not just obvious words and their 1337 variants.
- The importance of rapid-patching - CERT-UA warns that a Russian APT (APT28 / Fancy Bear / Forest Blizzard / Strontium / Flamboyant Leatherdaddy) was exploiting a Microsoft Office bug within a day of the patch's release.
- Another day, another Microsoft bug fix - a rapid resolution in this case, only half a year to fix an icon not appearing. Nothing important - just the password icon at logon.
- Meanwhile, the scale of the Windows shutdown bug has increased - not just Win11 23H2 (as earlier reported), but also Win10 devices (including those under long-term support)
Getting Techy
- Matthew Green has written a rebuttal to the allegations that WhatsApp/Meta has access to all messages sent through the platform, in near-real-time (and going back many years.
PS "Reflections on Trusting Trust" is still an iconic paper, an absolute 'must read'. - Synacktiv have written up a quick intro to Windows privileges, and mapping them using BloodHound.
Geo-Politics
- [NL] The Netherlands is the latest country to push for a social media ban for under 15's.
The three Dutch parties behind the recently unveiled proposal still need to build a wider coalition for a law to pass since they hold slightly less than half the seats in the Dutch parliament.
They are seeking an “enforceable European minimum age of 15 for social media, with privacy-friendly age verification for young people.”
...
The coalition says it would ban “addictive, polarizing, and anti-democratic algorithms” and require “punishable” content to be removed within an hour of an order from regulators.
- [UK] There has been an increase in sightings of drones near defence sites in the UK - and elsewhere in Europe - which is being tied to Russia.
Figures released by the Ministry of Defence report 266 incidents near a range of different defense sites, a significant rise on the 126 incidents reported in 2024.
That year, sightings of drones at night over British airbases used by the United States Air Force (USAF) prompted fears that unknown actors may be conducting hostile reconnaissance of the facilities.
Similar sightings have occurred “over critical sites in Belgium, Poland, Romania, Denmark and Germany,” as Ursula von der Leyen, the president of the European Commission, warned in a speech at the European Parliament in Strasbourg last October.
...
“Through the Armed Forces Bill, we’re giving our military greater powers to take out and shoot down threatening drones near bases,” said Healey, adding the government would be “stepping up investment in counter-drone technology to keep Britain secure at home and strong abroad.”
- [US] Looks as though things aren't nice between the anti-ICE and pro-ICE crowds:
ICE-reporting service StopICE has blamed a US Customs and Border Protection (CBP) agent for attacking its app and website and sending users text messages warning them that their information had been "sent to the authorities."
...
The app's maintainers said that they traced the source by throwing the attackers "bait," such as phony data and fake API keys, which allegedly revealed the intruders' locations, names, phone numbers, and network information, and StopICE has since provided a list of IP addresses and network details belonging to "several attackers."
- https://www.stopice.net/news/server_attack_against_stopicenet_traced_to_local_cbp_agents_personal_server
- https://www.stopice.net/counterattack
- https://www.theregister.com/2026/02/02/stopice_alerts_hacked/
- [US] Elsewhere in the US, the current administration is still fixated on the 2020 election results - or is it just an excuse to obtain more information?
According to Fulton County, federal officials seized 700 boxes of records related to the 2020 election, including physical ballots. The search warrant detailing a full list of records and evidence sought by the federal government remains sealed
...
“While most states are resisting this illegal voter roll grab, we are gravely concerned by the amount of sensitive data the Department has already amassed on millions of American voters,” the senators wrote. “The Department has failed to provide Congress, or the public, any information on how it is maintaining this vast amount of data, the guardrails in place to protect state voter information, how the data is to be used, or who in the federal government has access to this sensitive data.”
Privacy
- There's been backlash against NSO, for trying to use its submissions to the Pall Mall Process to whitewash its reputation.
“As a regulated defense technology provider operating under stringent export licensing requirements, with an established human rights compliance program and a record of implementing safeguards, investigations, and enforcement actions, NSO contributes a practical, implementation-focused perspective,” according to the report, which glossed over a long record of human rights abuses without committing to any reforms to address them.
Civil society leaders scoffed at the company’s claims, pointing to many recent abuses of Pegasus to target members of civil society in repressive regimes like Serbia. In February 2025, Amnesty International found that Pegasus had been used to target two Serbian journalists. It was the third time in two years that Amnesty documented members of civil society had been targeted with Pegasus there.
...
Officials involved in the Pall Mall Process stressed that spyware makers that offer submissions are not necessarily acting in ways that make them responsible actors
AI
- Mozilla have listened to consumer feedback, and are including a master switch to disable all current and future AI capabilities in Firefox. The switch rolls out in Firefox 148, later this month.
Starting with Firefox 148, which rolls out on Feb. 24, you’ll find a new AI controls section within the desktop browser settings. It provides a single place to block current and future generative AI features in Firefox. You can also review and manage individual AI features if you choose to use them. This lets you use Firefox without AI while we continue to build AI features for those who want them.
...
If you don’t want to use AI features from Firefox at all, you can turn on the Block AI enhancements toggle. When it’s toggled on, you won’t see pop-ups or reminders to use existing or upcoming AI features.
Once you set your AI preferences in Firefox, they stay in place across updates.
- https://blog.mozilla.org/en/firefox/ai-controls/
- https://www.bleepingcomputer.com/news/software/mozilla-will-let-you-turn-off-all-firefox-ai-features/
- [US] Principal deputy assistant national cyber director for policy, Alexandra Seymour, indicates the US will look to push their (move fast, minimal oversight) version of AI policy on the rest of the world.
As part of an effort to advance American AI, the administration will be “undertaking diplomacy efforts to promote American AI cybersecurity standards and norms, establishing industry best practices for secure AI deployment and harnessing the full potential of AI tools,”
...
the Trump administration’s AI Action Plan released last summer, which said the departments of Commerce and State would “vigorously advocate for international AI governance approaches that promote innovation, reflect American values, and counter authoritarian influence,” but doesn’t explicitly mention international promotion of cybersecurity standards.
...
“While AI is already helping industries enhance security and address the challenge of escalating cyberattacks, this administration will promote the rapid implementation of AI-enabled cyber defensive tools to detect, divert and deceive threat actors who continue targeting our vital systems and sectors on our federal systems,”