Notepad++ Compromise Reinforces the Need for Strict Software Governance
Threat Group: Lotus Blossom (Billbug)
Threat Type: Supply chain compromise via updater infrastructure hijack and malicious plugin persistence
Exploited Vulnerabilities: Weak certificate and signature validation in the Notepad++ auto updater prior to version 8.8.9; abuse of shared hosting infrastructure trust; DLL search order hijacking in plugin loading mechanisms; abuse of legitimate signed binaries for side loading.
Malware Used: Chrysalis backdoor; WikiLoader loader framework; Cobalt Strike Beacon; malicious mimeTools.dll plugin; side loaded DLL components including log.dll and alien.dll.
Threat Score: 🔴 9.4/10 (High risk)
Last Threat Observation: 02 February 2026
Overview
Notepad++ was impacted by a sustained and highly selective supply chain attack in which its update distribution infrastructure was abused rather than its application source code. Between June and December 2025, specific targets received malicious installers through the legitimate auto updater mechanism. The attack did not rely on software exploitation but instead leveraged weak update verification controls, unregulated plugin loading behaviour, and trust assumptions commonly applied to utility software.
Although frequently used as a lightweight text editor, Notepad++ lacks the security governance expected of software deployed in regulated or sensitive environments. The combination of weak updater validation, permissive DLL loading, and an unregulated plugin ecosystem made it a suitable candidate for targeted abuse. This incident underscores the broader security risk posed by consumer grade utilities operating inside enterprise networks without formal oversight.
Background and Discovery
The activity was publicly disclosed on 02 February 2026 following coordinated investigations by multiple security vendors. Research confirmed that the attackers compromised the shared hosting infrastructure used to distribute Notepad++ updates. This allowed them to intercept and redirect WinGUp updater traffic for extended periods without altering the Notepad++ source code or official release repositories.
Attribution analysis linked the activity to the Lotus Blossom Billbug threat group, a long running state aligned actor known for targeting telecommunications providers, government suppliers, and financial institutions across the Asia Pacific region. Telemetry and forensic analysis revealed that the attackers operated multiple parallel infection chains between mid 2025 and October 2025, adjusting tooling and infrastructure to reduce detection and attribution.
Technical Analysis
Delivery Method
The primary delivery vector was the Notepad++ auto updater executable gup.exe. Versions prior to 8.8.9 failed to strictly enforce certificate and signature validation on downloaded installers. When updater traffic was redirected to attacker controlled servers, malicious NSIS installers were delivered instead of legitimate updates.
The attack was not opportunistic. Redirection logic selectively targeted specific organisations and regions, indicating profiling based on IP address ranges and network characteristics. Systems that did not meet targeting criteria continued to receive legitimate updates, significantly reducing the likelihood of widespread detection.
A secondary delivery mechanism involved plugin based persistence. Notepad++ automatically loads DLLs from its plugins directory at startup without validating publisher signatures or enforcing integrity checks. Attackers replaced default plugins such as mimeTools.dll with malicious variants, ensuring code execution whenever the application launched.
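The plugin persistence described above works because nothing in the application checks what sits in the plugins directory at startup. Until plugin loading is restricted (see the mitigation section), a compensating control is a periodic integrity audit: hash every DLL under the plugins tree, compare against a baseline captured from a known-good install, and check each hash against published indicators. The following is an added example written for this page, not Notepad++ project code; the baseline format (a mapping of relative path to SHA256), the helper names and the constructed file contents are assumptions made for the demo. The SHA256 values in `IOC_SHA256` are taken from the indicator list on this page.

```python
"""Audit a Notepad++ plugins directory against a trusted baseline and IoC hashes.

Added example for this advisory, not project code. The baseline format
(relative path -> SHA256 hex) and helper names are assumptions for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA256 indicators published on this page (subset); extend from your own feed.
IOC_SHA256 = {
    "1b5b8be1e60fb812c6d132aa8e66c180d3d605206814887dfb9116a7f4273295",
    "2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924",
    "3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad",
}


def sha256_of(path):
    """Stream the file so large DLLs need not be read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_plugins(plugins_dir, baseline, ioc_hashes=IOC_SHA256):
    """Return (relative_path, verdict, sha256) for every DLL deviating from the
    baseline. Verdicts: 'ioc_match' (takes precedence), 'modified', 'unexpected',
    'missing'. rglob covers both the flat and the per-plugin folder layout.
    A directory identical to the baseline yields an empty list."""
    plugins_dir = Path(plugins_dir)
    findings, seen = [], set()
    for dll in sorted(plugins_dir.rglob("*.dll")):
        rel = dll.relative_to(plugins_dir).as_posix()
        seen.add(rel)
        digest = sha256_of(dll)
        if digest in ioc_hashes:
            findings.append((rel, "ioc_match", digest))
        elif rel not in baseline:
            findings.append((rel, "unexpected", digest))
        elif baseline[rel] != digest:
            findings.append((rel, "modified", digest))
    for rel in sorted(set(baseline) - seen):
        findings.append((rel, "missing", baseline[rel]))
    return findings


def build_demo(root):
    """Construct a fake plugins tree: baseline two legitimate plugins, then
    replace mimeTools.dll and drop an extra alien.dll, mirroring the tampering
    described in the advisory. All file contents are constructed placeholders."""
    plugins = Path(root) / "plugins"
    (plugins / "mimeTools").mkdir(parents=True)
    (plugins / "NppExport").mkdir()
    mime = plugins / "mimeTools" / "mimeTools.dll"
    export = plugins / "NppExport" / "NppExport.dll"
    mime.write_bytes(b"constructed: legitimate mimeTools build")
    export.write_bytes(b"constructed: legitimate NppExport build")
    baseline = {
        "mimeTools/mimeTools.dll": sha256_of(mime),
        "NppExport/NppExport.dll": sha256_of(export),
    }
    mime.write_bytes(b"constructed: malicious mimeTools variant")   # tampered
    (plugins / "alien.dll").write_bytes(b"constructed: side-loaded payload")
    return plugins, baseline


def run_demo():
    """Audit the constructed tree twice: once against the published IoCs only
    (nothing constructed can match those), then with the constructed alien.dll
    hash added to the IoC set to show 'ioc_match' taking precedence."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins, baseline = build_demo(tmp)
        first = audit_plugins(plugins, baseline)
        with_extra = IOC_SHA256 | {sha256_of(plugins / "alien.dll")}
        second = audit_plugins(plugins, baseline, with_extra)
    return first, second


if __name__ == "__main__":
    for label, findings in zip(("baseline only", "with extra IoC"), run_demo()):
        print(label)
        for rel, verdict, digest in findings:
            print(f"  {verdict:10} {rel}  {digest[:16]}...")
```

The baseline should be captured from a freshly installed, version-pinned copy and stored outside the audited host; on a production workstation the audit would be run from a scheduled task and its findings forwarded to the SIEM rather than printed.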
Payload and Behaviour
Malicious installers deployed different payload combinations depending on the campaign phase. In early chains, installers dropped legitimate signed executables into user writable directories alongside malicious DLLs, enabling side loading under trusted process contexts.
The Chrysalis backdoor and Cobalt Strike Beacon were used to establish command execution, host profiling, and data exfiltration. WikiLoader served as an obfuscated loader responsible for decrypting and injecting shellcode into legitimate Windows processes such as explorer.exe. This approach reduced the effectiveness of signature based detection and allowed attacker activity to blend with normal system behaviour.
Three distinct execution chains were observed between July and October 2025. Each chain rotated file paths, loader components, and command and control infrastructure while retaining consistent operational goals. This demonstrates a high level of tradecraft and sustained access operations rather than a one off intrusion.
Indicators of Compromise (IoCs)
File Hashes (MD5)
- 24b6950afd8663a46246044e6b09add8
- 28cb7b261f4eb97e8a4b3b0d32f8def1
- 2dc895d5611a149bfcc0d17c4f02d863
- 32f3c40b0ed1c5cf23430be7f9eb7b06
- 6aed7e49bd6c10c4eaee34f8c0eaa055
- 8b1dee1e7178f9c4e92e9f073307b8ad
- a8860bb5ccb964273b7fd2284b9dc837
- a98a5062703f660195da7e419db5b686
- b91ce8e219f3d31b6bd3703d79183c30
- cb2741203668f77485440d2589426740
- e5c5d39f785babf779801ba2ce3fa733
File Hashes (SHA1)
- 06a6a5a39193075734a32e0235bde0e979c27228
- 07d2a01e1dc94d59d5ca3bdf0c7848553ae91a51
- 0d0f315fd8cf408a483f8e2dd1e69422629ed9fd
- 13179c8f19fbf3d8473c49983a199e6cb4f318f0
- 21a942273c14e4b9d3faa58e4de1fd4d5014a1ed
- 259cd3542dea998c57f67ffdd4543ab836e3d2a3
- 2a476cfb85fbf012fdbe63a37642c11afa5cf020
- 2ab0758dda4e71aee6f4c8e4c0265a796518f07d
- 3090ecf034337857f786084fb14e63354e271c5d
- 46654a7ad6bc809b623c51938954de48e27a5618
- 4c9aac447bf732acc97992290aa7a187b967ee2c
- 573549869e84544e3ef253bdba79851dcde4963a
- 6444dab57d93ce987c22da66b3706d5d7fc226da
- 73d9d0139eaf89b7df34ceeb60e5f8c7cd2463bf
- 7e0790226ea461bcc9ecd4be3c315ace41e1c122
- 813ace987a61af909c053607635489ee984534f4
- 821c0cafb2aab0f063ef7e313f64313fc81d46cd
- 8e6e505438c21f3d281e1cc257abdbf7223b7f5a
- 90e677d7ff5844407b9c073e3b7e896e078e11cd
- 94dffa9de5b665dc51bc36e2693b8a3a0a4cc6b8
- 9c0eff4deeb626730ad6a05c85eb138df48372ce
- 9c3ba38890ed984a25abb6a094b5dbf052f22fa7
- 9df6ecc47b192260826c247bf8d40384aa6e6fd6
- 9fbf2195dee991b1e5a727fd51391dcc2d7a4b16
- bd4915b3597942d88f319740a9b803cc51585c4a
- bf996a709835c0c16cce1015e6d44fc95e08a38a
- c68d09dd50e357fd3de17a70b7724f8949441d77
- ca4b6fe0c69472cd3d63b212eb805b7f65710d33
- d0662eadbe5ba92acbd3485d8187112543bcfbf5
- d7ffd7b588880cf61b603346a3557e7cce648c93
- defb05d5a91e4920c9e22de2d81c5dc9b95a9a7c
- f7910d943a013eede24ac89d6388c1b98f8b3717
File Hashes (SHA256)
- 1b5b8be1e60fb812c6d132aa8e66c180d3d605206814887dfb9116a7f4273295
- 2da00de67720f5f13b17e9d985fe70f10f153da60c9ab1086fe58f069a156924
- 3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad
- 3f3c0c8feb7eb2019827904cc7614be3954abc856eefab67cd31b3bd72c3599a
- 4a52570eeaf9d27722377865df312e295a7a23c3b6eb991944c2ecd707cc9906
- 4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566
- 7058c0576aa256ac5251273777272e69e874c44587b9cdc4d501dd605cae3ce4
- 9aa3ca96a84eb5606694adb58776c9e926020ef184828b6f7e6f9b50498f7071
- c1494b4a82f3bedacaae9909601d1ebb6bf1187e402b1020108a297a263aa5db
- c35bd9c41022d56df42b943c9f183a3c6e3ff23a880d14d796b6d86d0a64076a
- e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda
Malicious File Names and Paths
- %TEMP%\update.exe
- %TEMP%\AutoUpdater.exe
- %APPDATA%\ProShow\ProShow.exe
- %APPDATA%\ProShow\load
- %APPDATA%\Adobe\Scripts\script.exe
- %APPDATA%\Adobe\Scripts\alien.dll
- Program Files\Notepad++\plugins\mimeTools.dll
- %APPDATA%\BluetoothService.exe
- %APPDATA%\log.dll
Network Indicators (IP Addresses)
- 45[.]76[.]155[.]202
- 45[.]77[.]31[.]210
Network Indicators (Domains)
- cdncheck[.]it
- temp[.]sh
- api[.]skycloudcenter[.]com
- api[.]wiresguard[.]com
Observed Malicious URLs and Endpoints
- hxxp[://]45[.]76[.]155[.]202/update/update[.]exe
- hxxp[://]45[.]76[.]155[.]202/list
- hxxps[://]45[.]77[.]31[.]210/users/admin
- hxxps[://]45[.]77[.]31[.]210/api/update/v1
- hxxps[://]cdncheck[.]it/api/FileUpload/submit
- hxxps[://]temp[.]sh/upload
- hxxp[://]124[.]222[.]137[.]114[:]9999/api/Info/submit
- hxxp[://]124[.]222[.]137[.]114[:]9999/api/updateStatus/v1
- hxxp[://]59[.]110[.]7[.]32[:]8880/api/Metadata/submit
- hxxp[://]59[.]110[.]7[.]32[:]8880/api/getBasicInfo/v1
Process and Behavioural Indicators
- gup.exe spawning cmd.exe
- gup.exe spawning powershell.exe
- gup.exe spawning whoami.exe
- Execution of signed binaries from user writable directories
- Shellcode injection and execution within explorer.exe
- System inventory collection prior to outbound command and control traffic
Threat Context
This incident illustrates how low-governance utility software can be leveraged as an access vector despite lacking complex functionality. Unlike regulated enterprise tools, Notepad++ does not enforce centralised update trust, plugin signing, or repository validation. These gaps create opportunities for adversaries to introduce malicious code without exploiting vulnerabilities in the traditional sense.
The campaign aligns with a broader trend of supply chain and infrastructure compromise where attackers target software distribution mechanisms rather than code bases. This approach reduces the need for zero day exploitation and increases dwell time by abusing implicit trust relationships within enterprise environments.
Risk Assessment
The likelihood of compromise is elevated in organisations that permit unrestricted installation of consumer utilities or fail to monitor updater behaviour. The potential impact is high due to the frequent presence of Notepad++ on administrator and developer workstations and its ability to execute arbitrary DLLs at launch.
Industries with distributed IT teams, permissive workstation policies, and reliance on unmanaged tools are particularly exposed. The selective nature of this campaign further increases risk, as targeted attacks are less likely to be detected through volume based monitoring.
Detection and Mitigation
Detection Guidance
- Monitor gup.exe network traffic for destinations outside official Notepad++ and GitHub infrastructure
- Alert on gup.exe spawning command shells or scripting engines
- Detect legitimate signed binaries executing from unexpected user writable directories
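The three detection points above, plus the network indicators from the IoC section, can be expressed as a small rule set over process-creation and network-connection telemetry. The following is an added example for this page, not vendor detection content; the event field names (`event`, `image`, `parent_image`, `dest_host`, `dest_ip`, `signed`), the constructed sample events and the updater host allowlist are assumptions for the demo. The defanged indicators are copied from this page and refanged in code so they can be matched directly; the allowlist should be confirmed against legitimate updater traffic in your own environment before use.

```python
"""Detection rules for the behavioural indicators in this advisory, run over
constructed Sysmon-style events. Added example; field names, sample events
and the updater allowlist are assumptions, not a vendor schema."""
import re

# Network indicators published on this page, in the defanged form used there.
DEFANGED_IOCS = [
    "45[.]76[.]155[.]202", "45[.]77[.]31[.]210",
    "cdncheck[.]it", "temp[.]sh",
    "api[.]skycloudcenter[.]com", "api[.]wiresguard[.]com",
]

# Assumed allowlist of hosts the updater legitimately contacts; validate locally.
UPDATER_ALLOWED_HOSTS = {"notepad-plus-plus.org", "github.com"}

SHELLS_AND_RECON = {"cmd.exe", "powershell.exe", "whoami.exe"}

# Directories an unprivileged user can write to; a signed binary running from
# one of these is the side-loading pattern described in the advisory.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|downloads|users\\public)\\", re.IGNORECASE)


def refang(indicator):
    """Undo common defanging ([.] [:] [://] hxxp) so IoCs compare directly."""
    s = indicator.replace("[.]", ".").replace("[:]", ":").replace("[://]", "://")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


IOC_SET = {refang(i) for i in DEFANGED_IOCS}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def host_allowed(host, allowed=UPDATER_ALLOWED_HOSTS):
    """True for an allowed domain or any of its subdomains (suffix match on a
    dot boundary, so 'github.com.evil.example' is not allowed)."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def detect(events):
    """Return (severity, rule, summary) for each event matching a rule."""
    alerts = []
    for e in events:
        image = basename(e.get("image", ""))
        if e["event"] == "process_create":
            parent = basename(e.get("parent_image", ""))
            if parent == "gup.exe" and image in SHELLS_AND_RECON:
                alerts.append(("high", "updater_spawns_shell", f"gup.exe -> {image}"))
            if e.get("signed") and USER_WRITABLE.search(e["image"]):
                alerts.append(("medium", "signed_binary_user_writable_path", e["image"]))
        elif e["event"] == "network_connect" and image == "gup.exe":
            dest = e.get("dest_host") or e.get("dest_ip", "")
            if dest in IOC_SET or e.get("dest_ip") in IOC_SET:
                alerts.append(("critical", "updater_contacts_known_ioc", dest))
            elif not host_allowed(dest):
                alerts.append(("medium", "updater_unexpected_destination", dest))
    return alerts


# Constructed sample telemetry: one benign update check, then the behaviours
# listed in the advisory. Paths and IPs are placeholders for the demo.
GUP = r"C:\Program Files\Notepad++\updater\GUP.exe"
SAMPLE_EVENTS = [
    {"event": "process_create", "image": GUP,
     "parent_image": r"C:\Program Files\Notepad++\notepad++.exe", "signed": True},
    {"event": "network_connect", "image": GUP,
     "dest_host": "notepad-plus-plus.org", "dest_ip": "203.0.113.10"},
    {"event": "network_connect", "image": GUP, "dest_ip": "45.76.155.202"},
    {"event": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": GUP, "signed": True},
    {"event": "process_create", "image": r"C:\Users\alice\AppData\Roaming\ProShow\ProShow.exe",
     "parent_image": r"C:\Windows\explorer.exe", "signed": True},
    {"event": "network_connect", "image": GUP,
     "dest_host": "api.skycloudcenter.com", "dest_ip": "198.51.100.7"},
]

if __name__ == "__main__":
    for severity, rule, summary in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {summary}")
```

The first two sample events represent a normal update check and produce no alert; the rest trigger one rule each. In a real deployment `SAMPLE_EVENTS` would be replaced by a feed of Sysmon event ID 1 and 3 records (or the equivalent EDR telemetry), and the `signed` field would come from the sensor's signature verification rather than being asserted inline.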
Mitigation Strategies
- Remove Notepad++ from secure or regulated environments where feasible
- Manually upgrade to Notepad++ version 8.8.9 or later if retention is unavoidable
- Disable or restrict plugin loading and enforce administrative write controls
- Block known staging and command and control domains at DNS and firewall layers
Conclusion
This incident demonstrates that software does not need to be widely trusted or enterprise grade to present significant risk when deployed at scale. Weak update validation, permissive plugin handling, and informal distribution models create opportunities for adversaries to establish long term access without exploiting traditional vulnerabilities.
Organisations should reassess the presence of consumer and utility software within secure environments and apply the same scrutiny to update mechanisms and plugin ecosystems as they would to core enterprise platforms. Failure to do so increases exposure to targeted supply chain attacks that are difficult to detect and costly to remediate.
Sources
- Kaspersky Securelist - Notepad++ supply chain attack analysis - https://securelist.com/notepad-supply-chain-attack/118708/
- Tenable - Frequently Asked Questions About Notepad++ Supply Chain Compromise - https://www.tenable.com/blog/frequently-asked-questions-about-notepad-supply-chain-compromise
- The Hacker News - Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users - https://thehackernews.com/2026/02/notepad-official-update-mechanism.html
- Notepad++ Security Advisory - Updater certificate validation hardening - https://github.com/notepad-plus-plus/notepad-plus-plus/security/advisories
- OTX AlienVault - Indicators Of Compromise - https://otx.alienvault.com/pulse/6981e532c377aebc94f0e7a8