Notepad++ confirmed an infrastructure-level compromise affecting its update mechanism from June through December 2025. Attackers hijacked the hosting provider’s server to selectively redirect update requests from targeted users to malicious servers. This wasn’t a vulnerability in Notepad++ code itself. The attackers compromised the infrastructure surrounding the software distribution process.
According to Kaspersky’s GReAT team (published February 3, 2026), the attack involved three distinct infection chains that rotated approximately monthly. The operation targeted telecommunications and financial services organizations primarily in East Asia, with victims also identified in Vietnam, El Salvador, Australia, and the Philippines. Multiple independent security researchers assess the threat actor as likely Chinese state-sponsored, specifically the Lotus Blossom APT (also known as Billbug, Spring Dragon, or Thrip).
Attack Timeline
Date             Event
June 2025        Initial compromise of shared hosting server begins
Late July 2025   Chain #1 deployed: NSIS installer with ProShow DLL sideloading, Cobalt Strike Beacon via Metasploit downloader
September 2025   Chain #2 deployed: Lua interpreter-based execution with system information exfiltration via temp.sh
Sept 2, 2025     Direct server access severed after kernel/firmware update
October 2025     Chain #3 deployed: BluetoothService DLL sideloading with Chrysalis backdoor
Dec 2, 2025      Credential access to internal services terminated; Kevin Beaumont publicly reports initial findings
Feb 2, 2026      Official Notepad++ disclosure published with investigation details
Affected Versions and Technical Details
The WinGUp updater (Windows Generic Update Program) contained a fundamental weakness: versions prior to v8.8.9 did not verify the certificate and signature of downloaded installers. Although v8.8.7 introduced GlobalSign certificate signing and v8.8.8 restricted downloads to GitHub, the updater itself still didn’t enforce verification of what it downloaded.
In-Scope Versions
Version Range     Status          Action Required
< v8.8.7          HIGH RISK       Immediate update + audit
v8.8.7 – v8.8.8   MODERATE RISK   Update + audit if updated Jun-Dec 2025
v8.8.9+           PATCHED         Update verification enforced
Threat Risk Scenarios
The following scenarios illustrate potential organizational impacts based on the observed attack patterns. These are risk scenarios derived from confirmed attack behaviors, not hypothetical speculation.
Scenario 1: Developer Workstation Compromise
Risk Level: HIGH
Attack Vector: Trojanized Notepad++ update delivers Cobalt Strike or Chrysalis backdoor via NSIS installer
Impact: Persistent access to developer machine with source code, credentials, API keys, and CI/CD pipeline access. Attackers collect system info via temp.sh upload before deploying persistent implants.
Detection: DNS queries to temp.sh, execution of whoami/tasklist/systeminfo/netstat as a GUP.exe child process, NSIS temp directory creation, DLL sideloading from %appdata%\ProShow or %appdata%\Bluetooth paths
Scenario 2: Initial Access to Financial Services Network
Risk Level: HIGH
Attack Vector: Selective targeting based on IP/organization. Attackers specifically searched for notepad-plus-plus.org traffic and redirected only targeted users.
Impact: Financial services organizations in East Asia were confirmed targets. Potential for transaction system access, customer data exposure, regulatory violations. Six-month dwell time before detection.
Source: Kevin Beaumont (security researcher) identified telecoms and financial services in East Asia as confirmed targets
Scenario 3: Government Organization Espionage
Risk Level: HIGH
Confirmed Target: A government organization in the Philippines was identified by Kaspersky as a confirmed victim
Impact: State-sponsored espionage objectives. Chrysalis backdoor deployment provides persistent access for intelligence collection. Pattern consistent with Lotus Blossom APT's historical targeting of Southeast Asian governments.
Attribution Note: Lotus Blossom APT attribution assessed with moderate confidence based on targeting patterns, TTPs, and infrastructure analysis (per SOCRadar, Rapid7)
Scenario 4: IT Service Provider Pivot
Risk Level: MODERATE-HIGH
Confirmed Target: An IT service provider organization in Vietnam was identified by Kaspersky as a confirmed victim
Impact: Compromised MSP/IT service providers create cascading risk. Attackers potentially gain access to multiple customer environments through a single compromise. Remote management tools and customer credentials are at risk.
Supply Chain Risk: This represents a supply chain attack within a supply chain attack. MSP compromise multiplies attacker reach significantly.
Indicators of Compromise
The following IoCs were published by Kaspersky GReAT on February 3, 2026. Additional IoCs from Rapid7’s Chrysalis backdoor analysis are included where noted.
Malicious Update Distribution URLs
http://45.76.155[.]202/update/update.exe
http://45.32.144[.]255/update/update.exe
http://95.179.213[.]0/update/update.exe
http://95.179.213[.]0/update/install.exe
http://95.179.213[.]0/update/AutoUpdater.exe
C2 Infrastructure Domains
cdncheck.it[.]com
self-dns.it[.]com
safe-dns.it[.]com
api.wiresguard[.]com (Rapid7)
api.skycloudcenter[.]com (Rapid7)
Malicious File Paths
%appdata%\ProShow\load
%appdata%\Adobe\Scripts\alien.ini
%appdata%\Bluetooth\BluetoothService
%localappdata%\Temp\ns.tmp (NSIS indicator)
Detection Recommendations
The following detection methods are derived from Kaspersky’s analysis:
Monitor DNS queries for temp.sh domain (unusual in corporate environments and used for system info exfiltration)
Detect HTTP requests with temp.sh URLs embedded in User-Agent header
Alert on reconnaissance commands (whoami, tasklist, systeminfo, netstat -ano) spawned by GUP.exe
Monitor NSIS installer deployments via %localappdata%\Temp\ns.tmp directory creation
Block or monitor notepad-plus-plus.org and gup.exe internet access for enterprise-managed deployments
Hunt for DLL sideloading from %appdata%\ProShow, %appdata%\Adobe\Scripts, and %appdata%\Bluetooth paths
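As an added example (not code from the advisory, Notepad++ or Kaspersky), the Python below applies the host-level detections above to constructed Sysmon-style events plus one constructed proxy record. The Sysmon field names (Image, ParentImage, ImageLoaded, TargetFilename, QueryName) are real; the proxy record's UserAgent field, the sample paths and the host names are assumptions made for the example.

```python
import json
import re

# Constructed Sysmon-style events (EventID 1 process create, 7 image load, 11 file
# create, 22 DNS query) plus one constructed proxy record; none are from a real host.
SAMPLE_EVENTS = r"""
{"EventID":1,"Image":"C:\\Windows\\System32\\whoami.exe","ParentImage":"C:\\Program Files\\Notepad++\\updater\\GUP.exe"}
{"EventID":1,"Image":"C:\\Windows\\System32\\netstat.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventID":22,"Image":"C:\\Users\\dev\\AppData\\Local\\Temp\\ns.tmp\\update.exe","QueryName":"temp.sh"}
{"EventID":7,"Image":"C:\\Users\\dev\\AppData\\Roaming\\ProShow\\load.exe","ImageLoaded":"C:\\Users\\dev\\AppData\\Roaming\\ProShow\\evil.dll"}
{"EventID":11,"Image":"C:\\Users\\dev\\AppData\\Local\\Temp\\ns.tmp\\update.exe","TargetFilename":"C:\\Users\\dev\\AppData\\Roaming\\Adobe\\Scripts\\alien.ini"}
{"EventID":1,"Image":"C:\\Program Files\\Notepad++\\notepad++.exe","ParentImage":"C:\\Windows\\explorer.exe"}
{"Source":"proxy","ClientIP":"10.0.0.7","UserAgent":"Mozilla/5.0 https://temp.sh/abc123"}
"""
# Recon binaries the advisory flags when spawned by GUP.exe.
RECON_CMDS = {"whoami.exe", "tasklist.exe", "systeminfo.exe", "netstat.exe"}
# %appdata% sideloading directories named in the advisory.
SIDELOAD_DIRS = re.compile(r"\\AppData\\Roaming\\(ProShow|Adobe\\Scripts|Bluetooth)\\", re.I)
# NSIS staging dir under %localappdata%\Temp (advisory: ns.tmp; NSIS usually names it nsXXXX.tmp).
NSIS_TMP = re.compile(r"\\AppData\\Local\\Temp\\ns[^\\]*\.tmp\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the names of the advisory's detection rules that this event matches."""
    hits = []
    eid = ev.get("EventID")
    paths = [ev.get(k, "") for k in ("Image", "ParentImage", "ImageLoaded", "TargetFilename")]
    if eid == 22 and ev.get("QueryName", "").lower().endswith("temp.sh"):
        hits.append("dns_temp_sh")          # DNS query for temp.sh (exfil channel)
    if "temp.sh" in ev.get("UserAgent", "").lower():
        hits.append("useragent_temp_sh")    # temp.sh URL carried in a User-Agent header
    if eid == 1 and basename(ev.get("ParentImage", "")) == "gup.exe" and basename(ev.get("Image", "")) in RECON_CMDS:
        hits.append("recon_from_gup")       # whoami/tasklist/systeminfo/netstat under GUP.exe
    if any(NSIS_TMP.search(p) for p in paths):
        hits.append("nsis_temp_dir")        # activity inside the NSIS temp directory
    if any(SIDELOAD_DIRS.search(p) for p in paths):
        hits.append("sideload_path")        # ProShow / Adobe\Scripts / Bluetooth sideload paths
    return hits

def hunt(log_text):
    """Parse one JSON event per line; return (line_no, hits) for each matching event."""
    findings = []
    for n, line in enumerate(filter(None, map(str.strip, log_text.splitlines())), 1):
        hits = check_event(json.loads(line))
        if hits:
            findings.append((n, hits))
    return findings
```

Running `hunt(SAMPLE_EVENTS)` flags five of the seven constructed records; the netstat spawned by cmd.exe and the normal notepad++.exe launch are left alone, which is the point of tying the recon rule to the GUP.exe parent.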