Notepad++ updater installed malware

Kongo

The updater integrated into Notepad++ has allowed itself to be infiltrated by malware, which has been installed on some PCs. The developer of the powerful open-source text editor is responding with an update to Notepad++ v8.8.9. Users currently have to perform the update manually.


In a news post on the Notepad++ website, developer Don Ho explains that "some security experts have reported incidents where internet traffic affecting Notepad++ was intercepted." According to the post, investigations have revealed that traffic from the Notepad++ updater WinGUp "was occasionally redirected to malicious servers, leading to the download of compromised executable files." IT security researcher Kevin Beaumont reports that at least three organizations "with interests in South Asia" have been targeted in this way.
 
This incident is basically a targeted abuse of the old Notepad++ updater mechanism (WinGUp), not a full compromise of the official Notepad++ website or installer itself.

From what you quoted and what’s publicly known:

  • Attackers managed to intercept some updater traffic (likely via network-level attacks like DNS/HTTP interception or MITM).
  • When Notepad++’s WinGUp checked for updates, its traffic was sometimes redirected to a malicious server.
  • That malicious server provided trojanized executables instead of legitimate Notepad++ updates.
  • So far, reports suggest this was targeted against “a small number” of organizations, not a mass, global compromise.
  • The developer responded with Notepad++ v8.8.9 and requires a manual update, which likely changes/locks down the update mechanism.

I can’t verify the exact technical changes in 8.8.9 beyond what’s stated in the official news post, but the general idea is: fix/disable the vulnerable updater behavior and enforce safer update handling.

What regular users should do

  1. Update manually from the official site
    Go directly to:
    Notepad++

    Download the latest installer from there (not from third-party download portals) and install over your existing Notepad++.
  2. Verify the download as much as possible
    If the developer provides hashes or signatures in the release notes, compare them. If not:
    • Submit the installer to VirusTotal before running.
    • Make sure your security suite is active and up to date, then run the installer.
  3. Check your existing installation
    If you’ve used the built-in updater recently (especially on a corporate or “interesting” network), I would:
    • Run a full, up-to-date scan with your main AV/EDR.
    • Optionally scan with a second opinion scanner (e.g. Malwarebytes, ESET Online Scanner, Kaspersky Virus Removal Tool).
    • Look for any unusual executables in the Notepad++ folder and its subfolders (but don’t delete things blindly).
  4. For organizations / admins
    If you manage endpoints in a company:
    • Check network logs or proxy logs for Notepad++ update URLs resolving to or redirecting through non-official domains.
    • If you have EDR, hunt for recent Notepad++-related executables that aren’t signed by “Don Ho” or the expected vendor.
    • Roll out the latest Notepad++ version via your normal software distribution instead of relying on the internal updater.

How serious is it?

  • It’s serious for the specific targets where traffic was intercepted and replaced with malware (this is essentially a form of supply-chain-style attack via the update channel).
  • For the average home user on a normal ISP, there’s no strong evidence this was widespread, but caution is still warranted.
  • The key risk window is: using the integrated updater before v8.8.9, while your traffic was being tampered with.

If you’re unsure whether you were affected

  • Update manually to 8.8.9+ from the official site.
  • Run one or two reputable malware scans.
  • If this is a work machine or you’re in a sensitive region/sector (especially “interests in South Asia” as mentioned), consider involving your IT/security team. They can check logs, network traces, and do proper incident response.

If you can share:
  • Your current Notepad++ version, and
  • Whether you used the built-in updater recently and on what kind of network (home, corporate VPN, etc.),
I can suggest more specific checks that would make sense in your case.
 
TL;DR: It may be better to read the developer's note rather than the details in the media and even some details/speculations from the original security researcher's report.

Ha, this is an evolving piece, and it's clearly better to look at the details from the source documents:

From Notepad++ 8.8.9 release note:

2025-12-09

Some security experts recently reported incidents of traffic hijacking affecting Notepad++. According to the investigation, traffic from WinGUp (the Notepad++ updater) was occasionally redirected to malicious servers, resulting in the download of compromised executables.

The review of the reports led to identification of a weakness in the way the updater validates the integrity and authenticity of the downloaded update file. In case an attacker is able to intercept the network traffic between the updater client and the Notepad++ update infrastructure, this weakness can be leveraged by an attacker to prompt the updater to download and execute an unwanted binary (instead of the legitimate Notepad++ update binary). To mitigate this weakness and address the hijacking concerns raised by the security researchers, a new security enhancement is being introduced in this release of Notepad++.

Mitigation: Starting with this release, Notepad++ & WinGUp have been hardened to verify the signature & certificate of downloaded installers during the update process. If verification fails, the update will be aborted.

Status: The investigation is ongoing to determine the exact method of traffic hijacking. Users will be informed once tangible evidence regarding the cause is established.
TL;DR: They still haven't reported how the network traffic redirect happened. If you read the above, it might just have appeared that once the file is downloaded, the signature and certificate may not have been checked properly in the earlier versions.

From Kevin Beaumont's report:

Victims

I’ve only talked to a small number of victims. They are orgs with interests in East Asia. Activity appears very targeted. Victims report hands on keyboard recon activity, with activity starting around two months ago.
The victims appear to be from East Asia, not South Asia as reported by heise.de above.

I should also point out it is based on incomplete information, as a full picture as to what is happening isn’t yet available — this is an evolving situation.
So, the explanations he gave later may be incomplete, speculative, or (in my opinion) not well explained.

How it can be abused

If you can intercept and change this traffic, you can redirect the download to any location it appears by changing the URL in the <Location> property.

This traffic is supposed to be over HTTPS, however it appears you may be able to tamper with the traffic if you sit on the ISP level and TLS intercept. In earlier versions of Notepad++, the traffic was just over HTTP.
He certainly didn't explain how TLS, with the public/private key verification, was circumvented, even if they might have managed to reroute the destination server to another IP (ISP rerouting? That's a big claim).

The downloads themselves are signed — however some earlier versions of Notepad++ used a self signed root cert, which is on Github. With 8.8.7, the prior release, this was reverted to GlobalSign. Effectively, there’s a situation where the download isn’t robustly checked for tampering.
Sure, it was a self-signed root cert, and the public portion of it was (is?) available on GitHub for self-installation (to verify the certificate), but he didn't explain how the private portion, used to sign the binaries, may have leaked. If the leak was true, even a publicly certified certificate wouldn't have saved this situation either.

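The redirect described in the quoted report (changing the URL in the manifest's <Location> element) can be checked for on the receiving side. The following Python is an added example, not code from Notepad++ or WinGUp: it assumes the GUP manifest layout shown (NeedToBeUpdated, Version and Location elements), uses the official download hosts named later in this thread as an allowlist, and leaves out the Authenticode signature check that 8.8.9 adds on the downloaded installer.

```python
"""Check a WinGUp-style update manifest for a redirected download location."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Download hosts the thread lists as the only ones the updater should reach.
OFFICIAL_HOSTS = {
    "notepad-plus-plus.org",
    "github.com",
    "release-assets.githubusercontent.com",
}

# Constructed manifests: the element layout is assumed, not a captured sample.
GENUINE_MANIFEST = """<?xml version="1.0"?>
<GUP>
  <NeedToBeUpdated>yes</NeedToBeUpdated>
  <Version>8.8.9</Version>
  <Location>https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.8.9/npp.8.8.9.Installer.x64.exe</Location>
</GUP>
"""

# Same manifest after the kind of tampering the report describes: only the
# Location changed, to a plaintext URL on a host the attacker controls.
TAMPERED_MANIFEST = """<?xml version="1.0"?>
<GUP>
  <NeedToBeUpdated>yes</NeedToBeUpdated>
  <Version>8.8.9</Version>
  <Location>http://updates.example.invalid/AutoUpdater.exe</Location>
</GUP>
"""


def parse_manifest(xml_text):
    """Return the fields a client would act on, or raise on malformed input."""
    root = ET.fromstring(xml_text)
    if root.tag != "GUP":
        raise ValueError("not a GUP manifest: root element is %r" % root.tag)
    return {
        "needed": (root.findtext("NeedToBeUpdated") or "").strip().lower() == "yes",
        "version": (root.findtext("Version") or "").strip(),
        "location": (root.findtext("Location") or "").strip(),
    }


def location_problems(location, allowed_hosts=OFFICIAL_HOSTS):
    """List reasons not to fetch from Location; an empty list means it passed."""
    url = urlparse(location)
    problems = []
    if url.scheme != "https":
        problems.append("scheme is %r, not https" % (url.scheme or ""))
    host = (url.hostname or "").lower()
    if host not in allowed_hosts:
        problems.append("host %r is not an official download host" % host)
    return problems


def assess_manifest(xml_text):
    """Parse a manifest and, if it asks for an update, vet its Location."""
    fields = parse_manifest(xml_text)
    if not fields["needed"]:
        return fields, []
    return fields, location_problems(fields["location"])


if __name__ == "__main__":
    for label, text in (("genuine", GENUINE_MANIFEST), ("tampered", TAMPERED_MANIFEST)):
        fields, problems = assess_manifest(text)
        verdict = "ok to fetch" if not problems else "REJECT: " + "; ".join(problems)
        print("%s manifest -> %s (%s)" % (label, verdict, fields["location"]))
```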
Recent Notepad++ releases address a vulnerability that has allowed threat actors to hijack the free source code editor’s updater.

Security researcher Kevin Beaumont reported in early December that a handful of organizations using Notepad++ had reported experiencing security incidents involving the code editor.

Beaumont said in an update this week that the attacks appeared to have been carried out by threat actors in China, with the attackers leveraging a Notepad++ vulnerability for initial access to the systems of telecoms and financial services firms in East Asia.

Notepad++ developers seem to have known about issues with the updater since at least mid-November, when version 8.8.8 release notes mentioned a security enhancement designed to prevent the application’s updater from being hijacked.

In a post published this week to announce the release of version 8.8.9, Notepad++ confirmed that traffic from the updater (WinGUp) was in some cases redirected to malicious servers, which resulted in compromised executable files being downloaded to the victim’s system.

Notepad++ developers’ investigation led to the discovery of a flaw in the way the updater validates the authenticity and integrity of update files.
In the latest version, Notepad++ and the WinGUp component verify the signature of downloaded installers during the update process, and the update is not performed if the check fails.

However, it has yet to be determined exactly how traffic has been hijacked in the wild.

Beaumont, who described the campaign as a supply chain attack, believes threat actors may be hijacking traffic at the ISP level to push malicious updates, but pointed out that significant resources are required to conduct such an attack.
 
This is a pretty significant reminder that even “simple” tools like editors can be used for initial access.

What seems to have happened
From what you quoted and what’s publicly known so far:

  • The weakness was not in the Notepad++ binaries themselves, but in the updater component (WinGUp).
  • The updater’s integrity/authenticity checks were insufficient, so if an attacker could redirect the updater’s traffic, they could feed it a malicious “update” EXE.
  • Notepad++ devs have now:
    • Improved the updater logic.
    • Added signature verification of downloaded installers in 8.8.9 (and 8.8.8 already mentioned related hardening).
  • The exact traffic hijack method in the wild is still unclear, but the suggestion is some sort of network-level redirection (e.g. at ISP or similar).

So the attack chain, simplified, looks like:
Notepad++ → checks for update → traffic hijacked → malicious installer delivered → attacker gains code execution under the user’s context.

Who is realistically at risk?
Based on what’s been shared:

  • So far this looks targeted: telecoms and financial organizations in East Asia.
  • The campaign likely required substantial access/resources (e.g. ISP-level manipulation), not run-of-the-mill home router malware.
  • There’s no evidence (currently) that every Notepad++ user worldwide was being mass-targeted.

That said, the underlying flaw is generic: if someone can hijack your traffic, this is exactly the kind of weakness they’d abuse.

What you should do as a regular user

  • Update Notepad++ to the latest version (at least 8.8.9 or newer).
    • Prefer downloading the installer directly from the official site: Notepad++
    • Avoid third‑party mirrors when something like this is in the news.
  • Consider a fresh reinstall if you’re paranoid or were using a vulnerable build in a high‑risk environment:
    • Uninstall existing Notepad++.
    • Download current installer from official site.
    • Install fresh.
  • Run a reputable AV/EDR scan on your system:
    • Use your main security suite to do a full scan.
    • Optionally, add a second opinion scanner (e.g. ESET Online Scanner, Kaspersky Virus Removal Tool, etc.).

I can’t tell you whether your Notepad++ installation was abused – that would require logs and forensic analysis – but the above steps are prudent.

Extra steps for more security‑conscious / enterprise users

  • Check your logs:
    • Windows Event Logs around the times Notepad++ was updated.
    • Notepad++ installation/update folders for unexpected EXEs or DLLs.
  • Verify binaries from that period:
    • Check digital signatures on Notepad++.exe and related files (right‑click → Properties → Digital Signatures).
    • If signatures look off or missing, replace with a clean install and investigate further.
  • Harden update traffic where possible:
    • Restrict outbound traffic from sensitive servers.
    • Use HTTPS/TLS interception and inspection with validation to spot tampered downloads (if acceptable in your environment).
    • Prefer software that supports strong, enforced code-signing and secure update channels.

Bottom line
If you use Notepad++:

  • Update to the latest version now (8.8.9+).
  • Download only from the official site.
  • Run a full AV scan if you were on older builds, especially in a high‑risk or corporate environment.

If you’re in an affected sector or region and suspect compromise, it’s best to involve your internal security team or a professional incident response firm, and also keep an eye on official Notepad++ announcements for more technical details as they surface.
 
I am beginning to doubt the auto-update/auto-download mechanisms of different software, as the level of carefulness seems to vary. This one didn't check the signature (before the update); an AV vendor downloaded using HTTP instead of HTTPS. I have started wondering if always downloading a new installation would be a better strategy because, at least, people almost always run these through VirusTotal (and the associated automatic sandboxes). This is not fool-proof, but at least there have been more checks on the new packages.
 
Just had to look as I'm using an alternative Notepad, & it's Notepad Classic, this is why this forum is so useful as I may not know of such things.
Me too; it's pre-installed on W 11 IoT LTSC, simple, fast, and just does the job intended.
If you need dark mode badly, there is a registry file to apply, but I avoid playing with registry using files from untrusted sources.
 
Multiple independent security researchers have assessed that the threat actor is likely a Chinese state-sponsored group, which would explain the highly selective targeting observed during the campaign.

...

According to the former hosting provider, the shared hosting server was compromised until September 2, 2025. Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers. The attackers specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.

...

I estimate the overall compromise period spanned from June through December 2, 2025, when all attacker access was definitively terminated.

...

To address this severe security issue, the Notepad++ website has been migrated to a new hosting provider with significantly stronger security practices.
Within Notepad++ itself, WinGup (the updater) was enhanced in v8.8.9 to verify both the certificate and the signature of the downloaded installer. Additionally, the XML returned by the update server is now signed (XMLDSig), and the certificate & signature verification will be enforced starting with upcoming v8.9.2, expected in about one month.
I wonder how they targeted the users: by IP addresses? That would mean they already have a list of IPs of interest. But the CGNAT IPv4 IPs + Android-Windows IPv6 IPs change all the time. 🤷‍♂️
 
I wonder how they targeted the users: by IP addresses? That would mean they already have a list of IPs of interest. But the CGNAT IPv4 IPs + Android-Windows IPv6 IPs change all the time. 🤷‍♂️
I have doubts regarding targeting specific users; they just tampered with the update servers; do they control which IP connects to which server?!
 
In response to this episode, Notepad++ has dropped its previous shared hosting arrangement for a provider with better security protocols. This shift highlights the need for developers to ensure third parties that they rely on also have a robust security posture.

If you have attempted to update Notepad++ between June and December, you may have accidentally downloaded malicious binaries. The attackers used known weaknesses in older versions of the software, such as insufficient update verification controls, to facilitate the compromise.

Users are advised to ensure they are running at least version 8.8.9.

Technical Analysis & Remediation

Attack Vector & Mechanism

Infrastructure Hijack

Attackers gained access to the Notepad++ hosting provider (likely via compromised credentials) and modified the server responses for notepad-plus-plus[.]org.

Updater Exploitation
The WinGUp (gup[.]exe) component in older versions fetched an XML manifest (gup.xml) over HTTP or weakly validated HTTPS. Attackers injected a malicious <Location> tag pointing to their own servers.

Payload Delivery
The redirected updater downloaded a malicious binary (often named AutoUpdater[.]exe or update[.]exe) to the user's %TEMP% directory and executed it.

MITRE ATT&CK Mapping

T1195.002

(Supply Chain Compromise: Compromise Software Supply Chain)

T1105
(Ingress Tool Transfer)

T1071.001
(Application Layer Protocol: Web Protocols - Traffic Redirection)

T1204.002
(User Execution: Malicious File)

Evidence & Indicators of Compromise (IOCs)

Note

Hash values vary by target due to the selective nature of the attack.

File Artifacts
%TEMP%\AutoUpdater[.]exe

%TEMP%\update[.]exe

Process Behavior
gup[.]exe spawning curl[.]exe (bundled with Windows 10+) to contact external sites.

gup[.]exe spawning cmd[.]exe or powershell[.]exe (Legitimate updater should typically only spawn explorer[.]exe or the installer).

Network Artifacts
Traffic to temp.sh (Used for reconnaissance/staging).

gup.exe making requests to domains other than:

notepad-plus-plus[.]org

github[.]com

release-assets.githubusercontent[.]com

Remediation - THE ENTERPRISE TRACK (SANS PICERL)

Phase 1: Identification & Containment

Network Block

Immediately block outbound traffic from gup.exe at the firewall/EDR level.

Hunt Query (EDR/SIEM)
Search for gup[.]exe process trees.

Logic
ParentProcessName == 'notepad++[.]exe' AND ProcessName == 'gup[.]exe' AND ChildProcessName != 'explorer[.]exe' (Flag curl[.]exe, cmd[.]exe, powershell[.]exe).

Vulnerability Scan
Identify all endpoints running Notepad++ versions < 8.8.9.

Phase 2: Eradication

Update Enforcement

Deploy Notepad++ v8.8.9 (or v8.9.2 if available) immediately. These versions enforce strict GPG signature verification of the update manifest and binary.

Purge Artifacts
Delete any AutoUpdater.exe or update.exe found in %TEMP% or %AppData%\Local\Temp created by the gup process.

Phase 3: Recovery

Validation

Verify the new installation's integrity by checking the digital signature on notepad++[.]exe and gup.exe.

Policy Update
Consider disabling the "Auto-Update" feature via GPO/Configuration for high-value assets and managing updates via a centralized SCCM/Intune pipeline.

Phase 4: Lessons Learned

Supply Chain Visibility

Review third-party software update mechanisms. Applications using non-standard updaters (like WinGUp) often lack the rigorous security controls of OS-level updaters.

Remediation - THE HOME USER TRACK

Priority 1: Safety

Stop the Updater

Do not use the "Plugins Admin" or built-in "Update Notepad++" feature until you have manually installed the latest version.

Manual Update
Download the latest installer directly from the official notepad-plus-plus.org website or their official GitHub release page.

Priority 2: Persistence Removal

Check Temp Folders

Press Win + R, type %TEMP%, and hit Enter. Look for suspicious .exe files created around the time you last updated Notepad++. Delete them.

Scan
Run a full offline scan with Microsoft Defender or a reputable second-opinion scanner (e.g., Malwarebytes).

Hardening & References

Tactical Hardening

If you are in a high-risk environment, disable the auto-updater by renaming or deleting gup.exe in the Notepad++ installation directory (usually C:\Program Files\Notepad++\updater).

References

Kevin Beaumont (DoublePulsar) Report

Heise Online Article

Notepad++ v8.8.9 Release Announcement

Incident Report: Hijacked Incident Info Update

Official Download Site
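The hunt logic given in the post above (gup.exe spawning anything other than explorer.exe or the installer, and gup.exe contacting hosts outside the official list), and the same checks suggested earlier in the thread for admins with EDR or proxy logs, run over constructed Sysmon-style events. This is an added example in Python, not code from any of the linked reports or from Notepad++; the event field names, the user profile path and the installer file-name pattern npp.<version>.Installer*.exe are assumptions.

```python
"""Run the thread's gup.exe hunt logic over constructed Sysmon-style events."""
import re
from pathlib import PureWindowsPath

# Hosts listed in the post as the only legitimate destinations for gup.exe.
OFFICIAL_HOSTS = {
    "notepad-plus-plus.org",
    "github.com",
    "release-assets.githubusercontent.com",
}
# Children a legitimate update run is expected to spawn: explorer.exe or the
# installer; the installer file-name pattern is an assumption.
EXPECTED_CHILDREN = {"explorer.exe"}
INSTALLER_NAME = re.compile(r"^npp\.[\d.]+\.installer.*\.exe$", re.IGNORECASE)

GUP = r"C:\Program Files\Notepad++\updater\gup.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"  # constructed user profile path

# Constructed events: id 1 = process creation, id 3 = network connection.
EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Notepad++\notepad++.exe", "image": GUP},
    {"id": 1, "parent": GUP, "image": r"C:\Windows\explorer.exe"},
    {"id": 1, "parent": GUP, "image": TEMP + r"\npp.8.8.9.Installer.x64.exe"},
    {"id": 1, "parent": GUP, "image": r"C:\Windows\System32\curl.exe"},
    {"id": 1, "parent": GUP, "image": TEMP + r"\AutoUpdater.exe"},
    {"id": 3, "image": GUP, "dest_host": "notepad-plus-plus.org", "dest_port": 443},
    {"id": 3, "image": GUP, "dest_host": "temp.sh", "dest_port": 443},
]


def basename(path):
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return PureWindowsPath(path).name.lower()


def hunt(events):
    """Return (reason, detail) findings for events that break the expected pattern."""
    findings = []
    for event in events:
        if event["id"] == 1 and basename(event["parent"]) == "gup.exe":
            child = basename(event["image"])
            if child not in EXPECTED_CHILDREN and not INSTALLER_NAME.match(child):
                findings.append(("unexpected_child", child))
        elif event["id"] == 3 and basename(event["image"]) == "gup.exe":
            host = event["dest_host"].lower()
            if host not in OFFICIAL_HOSTS:
                findings.append(("unexpected_destination", host))
    return findings


if __name__ == "__main__":
    for reason, detail in hunt(EVENTS):
        print("%-24s %s" % (reason, detail))
```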