
Notepad++ Supply Chain Compromise

While most organizations focus on traditional endpoint malware and network intrusions, the Notepad++ supply chain compromise shows a different threat model: state-sponsored infrastructure hijacking at the software distribution level. Chinese state-sponsored threat actor Zirconium (Violet Typhoon) compromised the shared hosting infrastructure supporting Notepad++'s update mechanism, enabling them to redirect specific users to malicious servers that deliver poisoned executables. This precision targeting, affecting only telecommunications and financial services organizations in East Asia, indicates intelligence-driven selection of high-value targets rather than mass compromise.

This attack is comparable to hijacking a bank's armored truck rather than robbing the bank directly. The attacker does not compromise the software itself; instead, they intercept the delivery of legitimate updates and replace them with malicious ones. Since users trust the update mechanism, the malicious payload runs with full system privileges and without raising suspicion. The targeted nature of the attack makes statistical detection extremely difficult, as most users received legitimate updates, concealing the compromise from basic behavioral analysis.

Organizations compromised during this seven-month campaign face severe operational consequences. Attackers gained direct execution capability on target systems and established persistent backdoors within critical network infrastructure, especially in telecommunications and financial services. The compromise likely enabled long-term intelligence collection, lateral movement into cloud infrastructure, and access to sensitive data, including customer records and financial information. For organizations managing developer environments or high-value intellectual property, the risk extends beyond data theft to potential supply chain contamination and strategic espionage.

Hunting Controls & Observations

Description of detection approach and observable indicators:

  • Endpoint Controls: EDR/XDR platforms, Sysmon event logs (Events 1, 3, 11, 12, 13), PowerShell logging (Event IDs 4103, 4104), File Integrity Monitoring for application directories
  • Network Controls: Firewall logs for outbound connections, DNS query logs for domain resolution patterns, IDS/IPS signatures for suspicious update traffic, SSL/TLS inspection for certificate anomalies
  • Identity & Access Controls: Windows Security Event logs (Event IDs 4624, 4672, 4688), Azure AD sign-in logs, privileged access management system logs
  • Cloud & SaaS Controls: AWS CloudTrail for API activity, Office 365 audit logs, application logs from development platforms (Git, CI/CD systems)

Behavioral Indicators of Attack

  • Update Process Traffic Anomaly: The _gup.exe updater process initiates network connections to non-standard IP addresses instead of legitimate notepad-plus-plus.org infrastructure. Pre-v8.8.8 WinGUp lacked signature verification, allowing redirection without validation. (Endpoint/Network)
  • Unsigned Update Manifest Execution: The _update.xml configuration file executes or loads without valid digital signature verification. Attack exploited WinGUp's insufficient integrity checking before v8.8.9. (Endpoint Detection Difficulty: LOW)
  • Child Process Anomalies from Updater: Notepad++.exe or _gup.exe spawning unexpected child processes (cmd.exe, powershell.exe) with suspicious command lines. Post-compromise payloads follow standard post-exploitation patterns. (Endpoint Detection Difficulty: LOW-MEDIUM)
  • Installer Artifact Signature Mismatch: Downloaded or executing Notepad++ installer binaries with digital signatures mismatched to official certificates or unsigned entirely. Malicious installers delivered via update redirection contained attacker payloads. (Endpoint Detection Difficulty: LOW)
  • DNS Response Inconsistency: DNS queries for notepad-plus-plus.org resolving to IP addresses outside official Notepad++ provider IP ranges. Attackers maintained access to DNS redirection or hosting provider credentials. (Network Detection Difficulty: MEDIUM)
  • TLS Certificate Chain Anomalies: Update connections presenting self-signed certificates, mismatched Common Names, or certificates not issued by trusted CAs. Pre-v8.8.9 WinGUp didn't validate certificate chains. (Network Detection Difficulty: MEDIUM)
  • Registry Modification - Update Configuration: Registry keys under HKLM\Software\Notepad++\GUP modified to point to non-standard servers or remove certificate validation requirements. Persistent mechanism ensuring continued redirection. (Endpoint Detection Difficulty: LOW-MEDIUM)
  • Hosting Provider Credential Abuse: Unusual authentication to hosting provider admin panels from unexpected locations/times. Attackers maintained long-term access through compromised internal service credentials. (Identity/Access Detection Difficulty: MEDIUM-HIGH)

MITRE Enterprise ATT&CK Tactics and Techniques

  • Initial Access (T1195.002 – Supply Chain Compromise: Software Supply Chain): Zirconium compromised Notepad++'s update distribution infrastructure by exploiting vulnerabilities in the shared hosting environment. The attack targeted the software supply chain directly, using the update mechanism as the delivery vector to reach high-value targets rather than attempting traditional malware distribution.
  • Initial Access (T1199 – Trusted Relationship): The threat actor exploited the inherent trust users place in software updates from established vendors. By compromising the hosting provider, attackers positioned themselves as the legitimate update source, leveraging the existing trust relationship between Notepad++ and its user base.
  • Defense Evasion (T1553.002 – Subvert Trust Controls: Code Signing Bypass): WinGUp updater (pre-v8.8.8) lacked proper certificate chain validation and digital signature verification, allowing attackers to deliver unsigned or self-signed executables without triggering user warnings. This enabled the malicious payload to execute with the same privileges as a legitimate update.
  • Defense Evasion (T1036.005 – Masquerading: Match Legitimate Name or Location): Malicious servers were positioned as legitimate mirrors of notepad-plus-plus.org, and poisoned executables were named identically to legitimate Notepad++ installers. This masquerading prevented user detection and bypassed file-based reputation systems.
  • Execution (T1559.001 – Inter-Process Communication: Component Object Model): Post-compromise payloads likely used COM interfaces for lateral movement and persistence, though specific execution mechanisms were withheld from coordinated disclosure.
  • Command & Control (T1571 – Non-Standard Port): Update redirection occurred through standard web traffic but to non-standard infrastructure, allowing C2 communication to blend with normal update activity.
  • Impact (T1565.001 – Data Destruction: Stored Data Manipulation): Compromised systems in target organizations likely experienced data theft and potential manipulation of sensitive information, particularly credentials and intellectual property.

Controls' Observables

Endpoint Controls

Endpoint detection and response (EDR) platforms can identify Notepad++ supply chain compromise through:

  • Unsigned Executable Delivery via Update Mechanism: Monitor for Notepad++ or WinGUp processes downloading and executing binaries without valid digital signatures. Alert on update-related binary execution failing signature verification. (Related: T1553.002, T1195.002 | Detection Difficulty: LOW)
  • Process Injection from Update Context: Watch for _gup.exe or Notepad++.exe spawning unexpected child processes with suspicious command-line arguments. The updater process should not initiate arbitrary process execution. (Related: T1055, T1053.005 | Detection Difficulty: LOW-MEDIUM)
  • Registry Modification - Update Configuration: Alert on modifications to HKLM\Software\Notepad++\GUP registry keys, particularly changes to update server URLs or deletion of certificate validation settings. (Related: T1112, T1547.001 | Detection Difficulty: LOW)
  • File Integrity Violations: Flag unexpected or unsigned binaries appearing in Notepad++ installation directories. All executables should match official release signatures. (Related: T1195.002, T1036.005 | Detection Difficulty: LOW)
  • Sysmon Event Analysis: Sysmon Event 3 showing _gup.exe connecting to non-standard IPs; Event 11 showing _AutoUpdater.exe in %TEMP%; Event 1 showing Notepad++ spawning system processes. (Related: T1195.002, T1036.005 | Detection Difficulty: MEDIUM)

Network Controls

Network-based detection systems can identify update hijacking through:

  • DNS Response Inconsistency: Monitor DNS query responses for notepad-plus-plus.org resolving to IPs outside official ranges. Maintain baseline of legitimate update server IPs and alert on deviations. (Related: T1199, T1195.002 | Detection Difficulty: MEDIUM)
  • TLS Certificate Anomalies: SSL/TLS inspection of update domain connections validating certificate Common Names match notepad-plus-plus.org. Flag self-signed certificates or mismatched CNs. (Related: T1553.002, T1036.005 | Detection Difficulty: MEDIUM)
  • Non-HTTPS Update Traffic: Flag update-related traffic occurring over unencrypted HTTP. All update mechanisms should use HTTPS with certificate validation. (Related: T1195.002, T1553.002 | Detection Difficulty: LOW)
  • Unexpected Update Server IP Communication: Create firewall rule baseline for legitimate Notepad++ update server IPs. Alert on outbound connections to different IPs, indicating DNS redirection or network hijacking. (Related: T1571, T1199 | Detection Difficulty: MEDIUM-HIGH)
  • Large Data Exfiltration During Update Window: Monitor for unusual outbound data transfers coinciding with update process execution. Post-compromise payloads may exfiltrate credentials during the update window. (Related: T1041, T1020 | Detection Difficulty: MEDIUM)

Identity & Access Controls

Identity systems can detect hosting provider compromise through:

  • Hosting Provider Admin Panel Access Anomalies: Monitor for unusual login patterns to admin panels—logins from unexpected geographic locations, outside business hours, or from compromised internal service accounts. (Related: T1199, T1078.002 | Detection Difficulty: HIGH)
  • Service Account Credential Abuse: Alert on internal service account usage deviating from normal operations. Attackers maintained persistence through compromised service credentials for 3+ months after initial server compromise. (Related: T1078.002, T1087.002 | Detection Difficulty: MEDIUM-HIGH)
  • MFA Bypass or Unusual Authentication Patterns: Monitor for failed attempts followed immediately by successful logons (brute-force), or authentication from multiple geographic locations in short timeframes. (Related: T1110, T1078 | Detection Difficulty: MEDIUM)

Cloud & SaaS Controls

Cloud monitoring can identify post-compromise activity through:

  • Anomalous Development Platform Access: Monitor Git, CI/CD systems, and development platforms for activity originating from Notepad++ installation directories. Post-compromise payloads may target developer credentials. (Related: T1555, T1187 | Detection Difficulty: MEDIUM)
  • Cloud API Activity Spike from Compromised System: AWS CloudTrail, Azure Activity Logs should flag unexpected API activity from systems that recently executed Notepad++ updates. (Related: T1078, T1526 | Detection Difficulty: MEDIUM)
  • Credential Access via Cloud Identity Logs: Azure AD, Okta should alert on credential usage from systems with Notepad++ update activity, particularly cloud service access from non-admin machines. (Related: T1555, T1187 | Detection Difficulty: MEDIUM)

Insights and Recommendation

Consequences

Organizations affected by the Notepad++ supply chain attack face both immediate and long-term operational impacts. The initial compromise allows attackers to execute arbitrary code with user privileges on development machines and workstations, enabling the harvesting of credentials (such as Git credentials, SSH keys, and cloud access tokens) and lateral movement into critical infrastructure. The focus on telecommunications and financial services suggests attackers targeted organizations with access to sensitive data, customer records, and strategic infrastructure, increasing liability for data breach notifications, regulatory investigations, and loss of customer trust. Long-term effects include persistent backdoor access for ongoing intelligence collection, potential supply chain contamination if compromised developers distributed malicious code, and operational disruption due to incident response and remediation efforts.

Recommendations

Security teams should immediately audit all Notepad++ installations, identify and document versions earlier than 8.8.8, and require updates to version 8.9.1 or later with certificate-based validation. In addition to patching, enforce code signing and certificate validation at the application execution layer (e.g., AppLocker or Windows Defender Application Control) to block unsigned or improperly signed executables, thereby addressing the core vulnerability. For threat detection, deploy EDR focused on monitoring update processes (especially _gup.exe network activity and binary signature verification), implement DNS monitoring and SSL/TLS inspection for update domain requests, and review hosting provider audit logs from June to December 2025 to identify potential credential compromise. Map these detections to MITRE techniques T1195.002 (Supply Chain Compromise), T1553.002 (Subvert Trust Controls), and T1199 (Trusted Relationship) to support an intelligence-driven response.

Source and Credits

This analysis is based on coordinated threat intelligence disclosures from multiple sources including The Hacker News, Help Net Security, the Notepad++ official security advisory, Recorded Future News, The Register, and Security Affairs. Published February 2, 2026.

Threat Hunting IOCs & Queries

Known Indicators of Compromise

  • Domains: notepad-plus-plus.org (primary target, now remediated)
  • File Paths to Monitor: C:\Program Files\Notepad++\_gup.exe, C:\Program Files\Notepad++\_AutoUpdater.exe, %APPDATA%\Notepad++\updateInfo.xml, C:\Windows\Temp\npp*.exe
  • Registry Keys: HKLM\Software\Notepad++\GUP, HKLM\Software\Notepad++\GUP\UpdateUrl, HKLM\Software\Wow6432Node\Notepad++
  • Legitimate IP Ranges (Allow-list): Cloudflare CDN - 104.16.0.0/12, 172.67.0.0/16, 188.114.96.0/20
  • Note: Specific malware hashes and malicious domains not disclosed in coordinated advisory. Use behavioral queries to detect regardless of infrastructure rotation.

Query 1: Suspicious WinGUp Updater Network Activity

Behavior Targeted: The _gup.exe (WinGUp updater) process establishing network connections to non-standard IP addresses instead of legitimate Notepad++ infrastructure, indicating update redirection to malicious servers.
MITRE ATT&CK: T1195.002, T1199
Expected Results: Events showing _gup.exe or _update.exe processes initiating connections to IPs outside legitimate Notepad++ CDN ranges.
False Positive Likelihood: MEDIUM (corporate proxies may route traffic; whitelist known proxy IPs)
Tuning Guidance: Adjust connection count threshold and whitelist IP ranges based on your Notepad++ CDN provider documentation.

Splunk SPL Query

index=windows sourcetype=WinEventLog:Sysmon EventCode=3 earliest=-7d
    (Image="*\\notepad++*\\*gup.exe" OR Image="*\\notepad++*\\*update.exe")
| search NOT (DestinationIp="104.16.0.0/12" OR DestinationIp="172.67.0.0/16" OR DestinationIp="188.114.96.0/20")
| eval connection_type=case(
    DestinationPort==443, "HTTPS",
    DestinationPort==80, "HTTP",
    1=1, "Non-Standard")
| stats count, earliest(_time) as first_seen, latest(_time) as last_seen
    by Computer, User, Image, DestinationIp, DestinationPort, connection_type
| where count >= 2
| rename Computer as host, DestinationIp as dest_ip, DestinationPort as dest_port
| table first_seen, last_seen, host, User, Image, dest_ip, dest_port, connection_type, count
| sort - count

// TUNING: Adjust whitelist IP ranges based on Notepad++ CDN provider documentation
// TUNING: Lower count to 1 for stricter detection; increase to 5 for noisier environments

Microsoft KQL Query (Defender/Sentinel)

DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "_gup.exe" or InitiatingProcessFileName =~ "_update.exe"
| where InitiatingProcessFolderPath contains "Notepad++"
| where RemotePort in (80, 443) or RemotePort > 1024
// ipv4_is_in_any_range() does real CIDR matching; a startswith test on "104.16." would
// miss the rest of 104.16.0.0/12 (104.17-104.31) and raise false positives on CDN traffic
| extend is_legitimate_range = coalesce(
    ipv4_is_in_any_range(RemoteIp, "104.16.0.0/12", "172.67.0.0/16", "188.114.96.0/20"), false)
| where is_legitimate_range == false
| summarize connection_count = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Protocols = make_set(Protocol)
    by DeviceName, AccountName, InitiatingProcessFileName, RemoteIp, RemotePort
| where connection_count >= 2
| project FirstSeen, LastSeen, DeviceName, AccountName, InitiatingProcessFileName, RemoteIp, RemotePort, connection_count, Protocols
| order by connection_count desc, FirstSeen desc

// TUNING: Modify connection_count threshold (currently >=2) for sensitivity
// TUNING: Add port filtering if known malicious C2 ports are available

Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.

Query 2: Unsigned Notepad++ Installer Execution

Behavior Targeted: Execution of Notepad++ installers lacking valid digital signatures or with mismatched signatures, indicating malicious installer delivery.
MITRE ATT&CK: T1553.002, T1036.005
Expected Results: Process execution or image-load events for Notepad++ installers where SignatureStatus shows "Invalid", "Unsigned", or "Unknown".
False Positive Likelihood: LOW (legitimate Notepad++ is signed; pre-v8.8.9 unsigned versions should not exist post-December 2025)
Tuning Guidance: Allow only signed versions ≥8.8.9; block unsigned variants entirely.

Splunk SPL Query

index=windows sourcetype=WinEventLog:Sysmon EventCode=7 earliest=-90d
    (ImageLoaded="*\\npp.*.exe" OR ImageLoaded="*\\Notepad++*.exe"
     OR OriginalFileName="Notepad++ Installer" OR OriginalFileName="notepad++.exe")
| where SignatureStatus != "Valid"
    OR Signed != "true"
    OR NOT like(Signature, "%Notepad++ Contributors%")
| eval risk_level=case(
    SignatureStatus="Unsigned" OR Signed="false", "CRITICAL",
    SignatureStatus="Invalid", "CRITICAL",
    NOT like(Signature, "%Notepad++ Contributors%"), "HIGH",
    1=1, "MEDIUM")
| stats count, latest(_time) as last_execution, latest(Image) as loading_process
    by Computer, User, ImageLoaded, SignatureStatus, Signature, risk_level
| search risk_level IN ("CRITICAL", "HIGH")
| eval risk_rank=if(risk_level="CRITICAL", 2, 1)
| rename Computer as host, ImageLoaded as installer, loading_process as parent, Signature as signer
| sort - risk_rank, - count
| table last_execution, host, User, installer, parent, SignatureStatus, signer, risk_level, count

// TUNING: Sysmon Event 1 carries no Signed/Signature/SignatureStatus fields; they are on Event 7 (ImageLoad),
//         so this assumes the Sysmon config logs image loads for these binaries
// TUNING: Whitelist legitimate Notepad++ signers by certificate thumbprint if needed
// FALSE POSITIVES: Check Signature field - legitimate installers show "Notepad++ Contributors"

Microsoft KQL Query (Defender/Sentinel)

DeviceProcessEvents
| where Timestamp > ago(90d)
| where FileName endswith ".exe"
| where FileName startswith "npp" or FileName startswith "notepad++"
    or InitiatingProcessFileName =~ "notepad++.exe"
| where isnotempty(SHA1)
// DeviceProcessEvents has no signature columns; Defender records signing details
// per file hash in DeviceFileCertificateInfo, so join on SHA1 (unsigned files have no row)
| join kind=leftouter (
    DeviceFileCertificateInfo
    | summarize arg_max(Timestamp, IsSigned, IsTrusted, Signer) by SHA1
    | project SHA1, IsSigned, IsTrusted, Signer
  ) on SHA1
| extend SignatureStatus = case(
    isnull(IsSigned) or IsSigned == false, "Unsigned",
    IsTrusted == false, "Invalid",
    Signer !contains "Notepad++ Contributors", "UnexpectedSigner",
    "Valid")
| where SignatureStatus != "Valid"
| summarize ExecutionCount = count(),
    FirstExecution = min(Timestamp),
    LastExecution = max(Timestamp),
    UniqueParents = dcount(InitiatingProcessParentFileName)
    by DeviceName, AccountName, FileName, FolderPath, SignatureStatus, Signer
| project FirstExecution, LastExecution, DeviceName, AccountName, FileName, FolderPath, SignatureStatus, Signer, ExecutionCount, UniqueParents
| order by FirstExecution desc

// TUNING: SignatureStatus != "Valid" is the key filter
// FALSE POSITIVES: Extremely low - only pre-8.8.8 versions (should not exist anymore)

Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.

Query 3: DNS Redirection of the Notepad++ Update Domain

Behavior Targeted: DNS queries for notepad-plus-plus.org resolving to IP addresses outside legitimate Notepad++ hosting provider space, indicating DNS poisoning or credential abuse.
MITRE ATT&CK: T1199, T1195.002
Expected Results: DNS events for notepad-plus-plus.org resolving to IPs outside documented ranges; geographic mismatches indicating suspicious infrastructure.
False Positive Likelihood: MEDIUM (corporate DNS forwarders may alter resolution; whitelist legitimate ranges)
Tuning Guidance: Establish baseline of legitimate resolution IPs from Notepad++ provider; add geolocation analysis for suspicious ASNs.

Splunk SPL Query

index=dns earliest=-7d
    (query="notepad-plus-plus.org" OR query="*.notepad-plus-plus.org")
| fields _time, query, answer, src
| eval is_legitimate=if(
    cidrmatch("104.16.0.0/12", answer) OR cidrmatch("172.67.0.0/16", answer)
    OR cidrmatch("188.114.96.0/20", answer),
    "YES", "NO")
| where is_legitimate="NO"
| iplocation answer
| fields _time, query, answer, src, Country, City, Region
| stats count, latest(_time) as last_query
    by query, answer, src, Country, City, Region
| where count >= 3
| table last_query, query, answer, src, Country, City, Region, count
| sort - count

// TUNING: eval's IN compares strings only, so the allow-list uses cidrmatch(); iplocation is Splunk's
//         built-in geo lookup (Country/City/Region, no ISP or ASN field - add a custom lookup for that)
// TUNING: Adjust count threshold - lower for sensitive, raise for noisy networks
// TUNING: Add ASN filter for suspicious regions if threat intel available

Microsoft KQL Query (Defender/Sentinel)

DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl =~ "notepad-plus-plus.org" or RemoteUrl contains "notepad-plus-plus.org"
| where ActionType in ("ConnectionSuccess", "ConnectionAttempted", "ConnectionFailed")
// ipv4_is_in_any_range() does CIDR matching; startswith "104.16." would miss 104.17-104.31
| extend is_legitimate_ip = coalesce(
    ipv4_is_in_any_range(RemoteIp, "104.16.0.0/12", "172.67.0.0/16", "188.114.96.0/20"), false)
| where is_legitimate_ip == false
| extend suspicious_asn =
    case(
        RemoteIp startswith "124." or RemoteIp startswith "123.", "China ASN (SUSPICIOUS)",
        RemoteIp startswith "58.", "China ASN (SUSPICIOUS)",
        "Other"
    )
| summarize ConnectionCount = count(),
    FirstConnection = min(Timestamp),
    LastConnection = max(Timestamp),
    UniqueDevices = dcount(DeviceName)
    by RemoteUrl, RemoteIp, ActionType, suspicious_asn
| where ConnectionCount >= 3
| project FirstConnection, LastConnection, RemoteUrl, RemoteIp, ConnectionCount, UniqueDevices, ActionType, suspicious_asn
| order by ConnectionCount desc, suspicious_asn desc

// TUNING: Update suspicious_asn detection with real threat intelligence
// TUNING: Adjust ConnectionCount threshold (currently >=3) for sensitivity

Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.
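Query 1 and Query 3 both hinge on the same allow-list check. The Python below is an added example, not part of the original page or of Notepad++: it runs that check over constructed Sysmon Event 3 and DNS records with real CIDR arithmetic. The updater file names, CDN ranges and update domain are the ones the page lists; the record field names and the count threshold follow Query 1 and Query 3.

```python
"""Allow-list check for Notepad++ updater connections and DNS answers (Query 1 / Query 3).

Added example, not from the original page. It uses real CIDR arithmetic: a string
prefix such as "104.16." covers only 104.16.x.x, while the allow-listed 104.16.0.0/12
spans 104.16.0.0 through 104.31.255.255, so prefix matching raises false positives
on in-range CDN addresses (and a prefix like "188.114." over-matches beyond the /20).
"""
import ipaddress
from collections import Counter

# CIDR allow-list quoted in the page's IOC section (Cloudflare CDN ranges).
LEGITIMATE_RANGES = [
    ipaddress.ip_network(c)
    for c in ("104.16.0.0/12", "172.67.0.0/16", "188.114.96.0/20")
]
# Updater file names the page's queries match on (_gup.exe is the WinGUp updater).
UPDATER_NAMES = {"_gup.exe", "gup.exe", "_update.exe", "_autoupdater.exe"}
UPDATE_DOMAIN = "notepad-plus-plus.org"

def ip_is_allowed(ip):
    """True if ip lies inside any allow-listed CIDR; unparseable input -> False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LEGITIMATE_RANGES)

def is_updater_image(image):
    """Match the updater by file name, and only under a Notepad++ install path."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in UPDATER_NAMES and "notepad++" in image.lower()

def suspicious_updater_connections(events, min_count=2):
    """Query 1 logic: Sysmon Event 3 records from the updater to non-allow-listed
    addresses, grouped by (host, image, dest ip, port), kept when seen >= min_count."""
    counts = Counter()
    for ev in events:
        if ev.get("EventID") != 3 or not is_updater_image(ev.get("Image", "")):
            continue
        if ip_is_allowed(ev.get("DestinationIp", "")):
            continue
        key = (ev["Computer"], ev["Image"], ev["DestinationIp"], int(ev["DestinationPort"]))
        counts[key] += 1
    return {key: n for key, n in counts.items() if n >= min_count}

def suspicious_dns_answers(records):
    """Query 3 logic: answers for the update domain (or a subdomain of it) that
    resolve outside the allow-list."""
    return [
        r for r in records
        if (r["query"] == UPDATE_DOMAIN or r["query"].endswith("." + UPDATE_DOMAIN))
        and not ip_is_allowed(r["answer"])
    ]

# Constructed sample records; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges, so nothing here refers to real infrastructure.
GUP = r"C:\Program Files\Notepad++\_gup.exe"
SAMPLE_EVENTS = [
    {"EventID": 3, "Computer": "WS01", "Image": GUP, "DestinationIp": "104.20.5.5", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS01", "Image": GUP, "DestinationIp": "104.20.5.5", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS01", "Image": GUP, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS01", "Image": GUP, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS01", "Image": GUP, "DestinationIp": "198.51.100.7", "DestinationPort": 8080},
    {"EventID": 3, "Computer": "WS02", "Image": r"C:\Tools\curl.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]
SAMPLE_DNS = [
    {"query": "notepad-plus-plus.org", "answer": "104.22.9.9", "src": "10.0.0.5"},
    {"query": "notepad-plus-plus.org", "answer": "203.0.113.44", "src": "10.0.0.6"},
    {"query": "www.example.org", "answer": "203.0.113.44", "src": "10.0.0.6"},
]

if __name__ == "__main__":
    for (host, image, ip, port), n in suspicious_updater_connections(SAMPLE_EVENTS).items():
        print(f"{host}: {image} -> {ip}:{port} x{n} (outside allow-list)")
    for r in suspicious_dns_answers(SAMPLE_DNS):
        print(f"{r['src']}: {r['query']} -> {r['answer']} (outside allow-list)")
```

The two 104.20.5.5 connections are inside the /12 and stay quiet, which is exactly the case a "104.16." prefix test would have flagged.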

Query 4: WinGUp Registry Configuration Modification

Behavior Targeted: Modifications to Windows registry keys under HKLM\Software\Notepad++\GUP, indicating attackers modifying update configuration to persist redirection or disable signature verification.
MITRE ATT&CK: T1112, T1547.001
Expected Results: Registry modification events showing changes to UpdateUrl, disabling signature checks, or modifying update server configuration.
False Positive Likelihood: LOW (legitimate apps rarely modify Notepad++ registry; disabling security features never happens legitimately)
Tuning Guidance: Focus on modifications disabling security features (SkipSignatureCheck, DisableCertificateValidation) as high-confidence indicators.

Splunk SPL Query

index=windows sourcetype=WinEventLog:Sysmon (EventCode=12 OR EventCode=13) earliest=-7d
    ((TargetObject="*Notepad*" AND TargetObject="*GUP*")
     OR TargetObject="*\\SOFTWARE\\Notepad++*")
| eval modification_type=case(
    EventCode=12, "Registry Key Created/Deleted",
    EventCode=13, "Registry Value Set",
    1=1, "Other")
| stats count, latest(_time) as last_modification, latest(Details) as final_value
    by Computer, User, Image, TargetObject, modification_type
| eval is_suspicious=case(
    like(TargetObject, "%SkipSignatureCheck%"), "CRITICAL",
    like(TargetObject, "%DisableCertificateValidation%"), "CRITICAL",
    like(TargetObject, "%UpdateUrl%") AND NOT like(final_value, "%notepad-plus-plus.org%"), "HIGH",
    like(TargetObject, "%ProxyUrl%") AND like(final_value, "%Internal%"), "MEDIUM",
    1=1, "LOW")
| where is_suspicious IN ("CRITICAL", "HIGH")
| eval risk_rank=if(is_suspicious="CRITICAL", 2, 1)
| rename Computer as host, TargetObject as reg_key, final_value as new_value
| sort - risk_rank, - count
| table last_modification, host, User, Image, reg_key, new_value, modification_type, is_suspicious, count

// TUNING: SkipSignatureCheck or DisableCertificateValidation are CRITICAL indicators
// TUNING: UpdateUrl modifications to non-notepad-plus-plus.org domains are suspicious
// TUNING: stats consumes the raw Details field, so the scoring reads the aggregated final_value

Microsoft KQL Query (Defender/Sentinel)

DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey has "Notepad++" or RegistryKey has "GUP"
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| extend is_malicious =
    case(
        RegistryValueName has "SkipSignatureCheck", "CRITICAL",
        RegistryValueName has "DisableCertificateValidation", "CRITICAL",
        RegistryValueName has "UpdateUrl" and not(RegistryValueData contains "notepad-plus-plus.org"), "HIGH",
        RegistryValueName has "ProxyUrl" and RegistryValueData contains "Internal", "MEDIUM",
        "LOW"
    )
| where is_malicious in ("CRITICAL", "HIGH")
| summarize ModificationCount = count(),
    FirstModification = min(Timestamp),
    LastModification = max(Timestamp),
    UniqueProcesses = dcount(InitiatingProcessFileName)
    by DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData, is_malicious
| project FirstModification, LastModification, DeviceName, AccountName, RegistryKey, RegistryValueName, RegistryValueData, ModificationCount, UniqueProcesses, is_malicious
| order by is_malicious asc, FirstModification desc

// TUNING: SkipSignatureCheck and DisableCertificateValidation are definitive malicious indicators
// FALSE POSITIVES: Extremely low - no legitimate reason to disable signature checks

Note: These queries were generated with AI assistance. Test thoroughly in your environment before production use.
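The scoring table in Query 4 can be run outside the SIEM as well. The Python below is an added example, not from the original page or from Notepad++: it triages constructed Sysmon Event 13 records under the page's HKLM\Software\Notepad++\GUP key using the value names Query 4 scores (SkipSignatureCheck, DisableCertificateValidation, UpdateUrl, ProxyUrl; the page lists them, this code does not confirm WinGUp reads them). It judges UpdateUrl by its parsed host rather than a substring test, and ranks severities numerically so CRITICAL sorts above HIGH.

```python
"""Triage Sysmon Event ID 13 (registry value set) records under the WinGUp key.

Added example, not from the original page. Two things it does differently from
Query 4's SPL/KQL: UpdateUrl is judged by its parsed host (exact domain or a
subdomain), because a substring test for "notepad-plus-plus.org" also accepts
any host that merely contains that string; and severities carry a numeric rank,
since a plain string sort puts "HIGH" before "CRITICAL" (as "H" > "C").
"""
from urllib.parse import urlsplit

GUP_KEY_MARKER = "\\software\\notepad++\\gup\\"   # page's key, lowercased for matching
OFFICIAL_HOST = "notepad-plus-plus.org"
SEVERITY_RANK = {"CRITICAL": 3, "HIGH": 2, "MEDIUM": 1, "LOW": 0}

def host_is_official(url):
    """True only when the URL's host is notepad-plus-plus.org or a subdomain of it."""
    try:
        host = (urlsplit(url.strip()).hostname or "").lower()
    except ValueError:
        return False
    return host == OFFICIAL_HOST or host.endswith("." + OFFICIAL_HOST)

def classify_value(value_name, data):
    """Severity of one registry write, mirroring Query 4's case() table."""
    name = value_name.lower()
    if name in ("skipsignaturecheck", "disablecertificatevalidation"):
        return "CRITICAL"
    if name == "updateurl":
        return "LOW" if host_is_official(data) else "HIGH"
    if name == "proxyurl" and "internal" in data.lower():
        return "MEDIUM"
    return "LOW"

def triage_registry_events(events, min_severity="HIGH"):
    """Return [(severity, event)] for Event 13 writes under ...\\Notepad++\\GUP at or
    above min_severity, highest severity first (input order kept within a level)."""
    flagged = []
    for ev in events:
        target = ev.get("TargetObject", "")
        if ev.get("EventID") != 13 or GUP_KEY_MARKER not in target.lower():
            continue
        severity = classify_value(target.rsplit("\\", 1)[-1], ev.get("Details", ""))
        if SEVERITY_RANK[severity] >= SEVERITY_RANK[min_severity]:
            flagged.append((severity, ev))
    flagged.sort(key=lambda item: SEVERITY_RANK[item[0]], reverse=True)
    return flagged

# Constructed sample records in Sysmon Event 13 shape (TargetObject, Details).
KEY = r"HKLM\SOFTWARE\Notepad++\GUP"
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": KEY + r"\UpdateUrl", "Details": "https://notepad-plus-plus.org.cdn.example/update/"},
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": KEY + r"\SkipSignatureCheck", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Computer": "WS02", "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "TargetObject": KEY + r"\UpdateUrl", "Details": "https://notepad-plus-plus.org/update/"},
    {"EventID": 13, "Computer": "WS02", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Notepad++\Other\Setting", "Details": "1"},
    {"EventID": 12, "Computer": "WS03", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": KEY + r"\SkipSignatureCheck", "Details": ""},
]

if __name__ == "__main__":
    for severity, ev in triage_registry_events(SAMPLE_EVENTS):
        print(f"{severity:8} {ev['Computer']} {ev['Image']} {ev['TargetObject']} = {ev['Details']}")
```

The first sample record contains the official domain as a substring yet points at a different host, so the substring rule in the SPL/KQL would score it LOW while the host check scores it HIGH.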
