The Notepad++ Supply-Chain Attack: Technical Breakdown + IoCs

The open-source text editor Notepad++ — trusted by developers worldwide — was compromised in a highly targeted supply-chain attack lasting six months in 2025. Rather than exploiting a software bug in Notepad++ itself, threat actors hijacked its update delivery infrastructure, allowing them to deliver malicious payloads to select victims.


What Happened?

From June through December 2025, attackers gained unauthorized access to the shared hosting infrastructure serving the Notepad++ update mechanism. By intercepting update requests, they redirected the traffic of selected users from the legitimate Notepad++ update server to attacker-controlled servers. There, victims received malicious update executables disguised as legitimate installers.

This was not an exploit in Notepad++’s source code — instead, attackers abused weaknesses in the update process and infrastructure access at the hosting provider level.


Targeting and Attribution

This was not a mass-spread malware campaign. The intrusion was highly selective, impacting around a dozen systems belonging to:

  • Individuals in Vietnam, El Salvador, and Australia
  • A government organization in the Philippines
  • A financial institution in El Salvador
  • An IT services provider in Vietnam

While direct attribution remains cautious, independent researchers and cybersecurity firms have linked the activity to Chinese state-associated threat actors, based on operational patterns and precision targeting. 


How the Attack Worked

Notepad++ uses a generic Windows update service called WinGUp. Prior to version 8.8.9, the updater did not enforce strong digital signature or certificate checks on downloaded installers, meaning intercepted update manifests could lead to unverified executable downloads.

Attack Vector

  1. Hosting Provider Compromise: The shared hosting used by notepad-plus-plus.org was breached, allowing attackers to divert traffic.
  2. Selective Redirects: Only traffic from specific user IPs was redirected to attacker-controlled update URLs. 
  3. Fake Update Delivery: Redirected clients were sent poisoned update installers (update.exe, install.exe, etc.). 
  4. Payload Execution: These installers ran under the legitimate Notepad++ updater (GUP.exe), then deployed additional malicious components. 

Indicators of Compromise (IoCs)

Below are the confirmed IoCs published by Kaspersky’s GReAT team — this list is critical for threat hunting, detection, and incident response.

🔗 Malicious Update URLs

Threat actors hosted poisoned installers on:

  • http://45.76.155[.]202/update/update.exe
  • http://45.32.144[.]255/update/update.exe
  • http://95.179.213[.]0/update/update.exe
  • http://95.179.213[.]0/update/install.exe
  • http://95.179.213[.]0/update/AutoUpdater.exe

🌐 System Information Upload Endpoints

These endpoints were used to exfiltrate victim system data:

  • http://45.76.155[.]202/list
  • https://self-dns.it[.]com/list 

🔥 C2 / Payload Delivery URLs

Used by embedded downloaders to fetch Cobalt Strike Beacon payloads:

  • https://45.77.31[.]210/users/admin
  • https://cdncheck.it[.]com/users/admin
  • https://safe-dns.it[.]com/help/Get-Start

🛠 C2 Communication Endpoints

Once installed, Cobalt Strike Beacons communicated with:

  • https://45.77.31[.]210/api/update/v1
  • https://45.77.31[.]210/api/FileUpload/submit
  • https://cdncheck.it[.]com/api/update/v1
  • https://cdncheck.it[.]com/api/Metadata/submit
  • https://cdncheck.it[.]com/api/getInfo/v1
  • https://cdncheck.it[.]com/api/FileUpload/submit
  • https://safe-dns.it[.]com/resolve
  • https://safe-dns.it[.]com/dns-query

🧬 Malicious File Hashes (SHA1)

Updater Installer Payloads:

  • 8e6e505438c21f3d281e1cc257abdbf7223b7f5a
  • 90e677d7ff5844407b9c073e3b7e896e078e11cd
  • 573549869e84544e3ef253bdba79851dcde4963a
  • 13179c8f19fbf3d8473c49983a199e6cb4f318f0
  • 4c9aac447bf732acc97992290aa7a187b967ee2c
  • 821c0cafb2aab0f063ef7e313f64313fc81d46cd 

Auxiliary / Payload File Hashes

  • 06a6a5a39193075734a32e0235bde0e979c27228  (load)
  • ca4b6fe0c69472cd3d63b212eb805b7f65710d33  (alien.ini)
    (… plus additional hashes tied to backdoor components and Cobalt Strike payloads)

Detection & Hunting Guidance

Since this was a supply-chain compromise executed via infrastructure and selective redirects, traditional signature-based detection alone may miss artifacts. Key hunting strategies include:

Network Indicators

  • Monitor DNS and HTTP logs for connections to any of the above IoC domains and IPs.
  • Look for anomalies in update traffic (especially HTTP to suspicious hosts instead of notepad-plus-plus.org).

Endpoint Artifacts

  • Search endpoints for NSIS installer activity (update.exe, install.exe, AutoUpdater.exe).
  • Check for files dropped in:
    • %appdata%\ProShow\
    • %appdata%\Adobe\Scripts\
    • %appdata%\Bluetooth\

Behavioral Indicators

  • Unusual outbound HTTPS traffic to non-standard C2 endpoints.
  • Unexpected PowerShell, cmd, or shell activity tied to updater processes. 
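As an added example (not code from the original post, from Kaspersky, or from the Notepad++ project), the following Python script applies the hunting guidance in this section to constructed sample data: it refangs the defanged IoC URLs listed above into a set of known-bad hosts, flags proxy-log requests to those hosts as well as installer-looking downloads (update.exe, install.exe, AutoUpdater.exe) made over plain HTTP or from a host the updater should not use, matches file hashes against the published SHA1 list, and picks out files sitting in the %appdata% drop directories. The log line layout, the sample file inventory, the 203.0.113.9 host and the allowlist of expected update hosts (only notepad-plus-plus.org here) are assumptions made for this example.

```python
"""Hunt for the Notepad++ supply-chain IoCs in proxy logs, file hashes and file paths."""
import re
from urllib.parse import urlparse

# Indicators copied from the IoC section above, kept defanged ([.]) and refanged at load time.
IOC_URLS = [
    "http://45.76.155[.]202/update/update.exe",
    "http://45.32.144[.]255/update/update.exe",
    "http://95.179.213[.]0/update/update.exe",
    "http://95.179.213[.]0/update/install.exe",
    "http://95.179.213[.]0/update/AutoUpdater.exe",
    "http://45.76.155[.]202/list",
    "https://self-dns.it[.]com/list",
    "https://45.77.31[.]210/users/admin",
    "https://cdncheck.it[.]com/users/admin",
    "https://safe-dns.it[.]com/help/Get-Start",
    "https://45.77.31[.]210/api/update/v1",
    "https://cdncheck.it[.]com/api/update/v1",
    "https://safe-dns.it[.]com/resolve",
    "https://safe-dns.it[.]com/dns-query",
]
SHA1_IOCS = {
    "8e6e505438c21f3d281e1cc257abdbf7223b7f5a",
    "90e677d7ff5844407b9c073e3b7e896e078e11cd",
    "573549869e84544e3ef253bdba79851dcde4963a",
    "13179c8f19fbf3d8473c49983a199e6cb4f318f0",
    "4c9aac447bf732acc97992290aa7a187b967ee2c",
    "821c0cafb2aab0f063ef7e313f64313fc81d46cd",
    "06a6a5a39193075734a32e0235bde0e979c27228",  # load
    "ca4b6fe0c69472cd3d63b212eb805b7f65710d33",  # alien.ini
}
# Hosts the updater is expected to reach: an assumption for this example, extend for your environment.
EXPECTED_UPDATE_HOSTS = {"notepad-plus-plus.org"}
UPDATE_EXE_RE = re.compile(r"/(update|install|AutoUpdater)\.exe$", re.IGNORECASE)
# %appdata% normally expands to C:\Users\<user>\AppData\Roaming
DROP_DIR_RE = re.compile(r"\\AppData\\Roaming\\(ProShow|Adobe\\Scripts|Bluetooth)\\", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (45.77.31[.]210) back into its raw form for log matching."""
    return indicator.replace("[.]", ".")


KNOWN_BAD_HOSTS = {urlparse(refang(u)).hostname for u in IOC_URLS}


def scan_proxy_log(lines):
    """Return (client_ip, reason, detail) for every suspicious request.
    Assumed line layout (constructed for this example): '<timestamp> <client_ip> <method> <url> <status>'."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the hunt
        client_ip, url = parts[1], parts[3]
        parsed = urlparse(url)
        host = parsed.hostname
        if host in KNOWN_BAD_HOSTS:
            findings.append((client_ip, "known-bad-host", host))
        elif UPDATE_EXE_RE.search(parsed.path) and (parsed.scheme != "https" or host not in EXPECTED_UPDATE_HOSTS):
            # Installer-looking download over plain HTTP or from a host the updater should not use
            findings.append((client_ip, "anomalous-update-download", url))
    return findings


def match_hashes(inventory):
    """inventory: {file_path: sha1_hex}; return (path, sha1) for entries whose SHA1 is a published IoC."""
    return [(p, h.strip().lower()) for p, h in inventory.items() if h.strip().lower() in SHA1_IOCS]


def suspicious_drop_paths(paths):
    """Return the paths that sit in one of the %appdata% drop directories named above."""
    return [p for p in paths if DROP_DIR_RE.search(p)]


# Constructed sample telemetry (not real data); 203.0.113.9 is a documentation address.
SAMPLE_LOG = [
    "2025-09-14T10:02:11Z 10.0.0.23 GET https://notepad-plus-plus.org/ 200",
    "2025-09-14T10:02:13Z 10.0.0.23 GET http://45.76.155.202/update/update.exe 200",
    "2025-09-14T10:05:40Z 10.0.0.23 POST https://cdncheck.it.com/api/update/v1 200",
    "2025-09-14T10:07:01Z 10.0.0.77 GET http://203.0.113.9/update/install.exe 200",
    "2025-09-14T10:09:00Z 10.0.0.88 GET https://notepad-plus-plus.org/update/update.exe 200",
]
SAMPLE_INVENTORY = {
    r"C:\Users\alice\AppData\Roaming\ProShow\load": "06a6a5a39193075734a32e0235bde0e979c27228",
    r"C:\Users\alice\AppData\Roaming\Adobe\Scripts\alien.ini": "CA4B6FE0C69472CD3D63B212EB805B7F65710D33",
    r"C:\Users\alice\AppData\Roaming\Bluetooth\readme.txt": "1111111111111111111111111111111111111111",
    r"C:\Program Files\Notepad++\notepad++.exe": "0000000000000000000000000000000000000000",  # placeholder
}

if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_LOG):
        print("NET ", finding)
    for hit in match_hashes(SAMPLE_INVENTORY):
        print("HASH", hit)
    for path in suspicious_drop_paths(SAMPLE_INVENTORY):
        print("PATH", path)
```

Feed real proxy or DNS export lines (reshaped to the assumed layout) to scan_proxy_log and a path-to-SHA1 map from your EDR or a directory walk to match_hashes. SHA1_IOCS holds only the hashes printed in this post, so extend it with the additional backdoor and Cobalt Strike hashes the post refers to as they become available; the hash comparison is case-insensitive so uppercase exports match as well.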

Remediation and Secure Update Practices

As of version 8.8.9+, Notepad++ has:

  • Migrated away from the compromised hosting provider
  • Implemented strict digital signature and certificate checks on updates
  • Hardened the WinGUp mechanism to reject unsigned packages

If you are on a version earlier than 8.8.9 and ever used its auto-update feature between June and December 2025, assume possible compromise. The safest course is to:

  1. Immediately update to the latest Notepad++ release from the official site.
  2. Audit endpoints for IoC activity and anomalous network connections.
  3. Consider system rebuilds for confirmed compromised machines.
  4. Rotate credentials for impacted users and services.

Final Thoughts

This incident underscores a stark reality: software supply chains are only as secure as the infrastructure that supports them. Attackers now routinely bypass direct code exploits by subverting distribution mechanisms with infrastructure access and sophisticated targeting.

For defenders, this attack highlights the necessity of multi-layered verification, continuous telemetry analysis, and vigilant threat hunting based on both static IoCs and behavioral patterns.