“The incident began from June 2025. Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign.”
How do they know it was a Chinese group or even a state-sponsored one?
I didn't say that to be pedantic, but to avoid that particular type of asker who isn't actually asking a genuine question here. After listing all the ways that Notepad++ (as an example here) suspects who they suspect, the asker then comes back with "Yeah, but how do you know?", as if that's some sort of gotcha. It's disingenuous. Even if the person I replied to isn't attempting this, I find it good to call out and get people to ask a better question: what's the evidence and why does that evidence point to this conclusion?
With enough effort, anything can be obfuscated. But effort costs money, and also state-level actors have limited funds and time and want to go home to their families at some point, and if the purpose was to get a message across (don't mess with China, otherwise face the consequences), there is no need to really hide the origin.