Notepad++ updater installed malware

You mean a custom attack against a certain locoregional range of IP addresses?
I don't know that; the original security researcher said "East Asia." Since it's geospecific, I was wondering about how, and about the IP addresses, since so far they have identified problems related to the autoupdate mechanism only (still unclear mechanism of redirection, weak .exe validation, and no PHP validation).
Beaumont speculates threat actors may have intercepted traffic at the ISP level to deliver malicious updates, though this would require substantial resources.

This could explain the locoregional targeting.
Yeah, that was the original speculation. The developer has since added more details, including 1) a shared compromised server and 2) possibly an internal infrastructure compromise of the hosting service, which appeared to allow ongoing redirection after server access was terminated. That's why they have moved to another hosting service.

The tweet about the GH compromise hasn't been confirmed/substantiated. Bad mark for Windows Central's tweets.

edited: updated about Github account compromise.
 
The tweet doesn't make sense, though. You don't need the dev account takeover to fork. More details needed.
The X timeline is occupied by a plethora of data and speculation.

If the culprit is only the update file, it represents no issue for me; except for MS Office and Edge, all apps on my PC are updated by downloading the whole new, offline installer.
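The post above relies on downloading the full offline installer instead of trusting the updater. Whichever way the file arrives, the check a practitioner would want before running it is the one the thread says the updater did weakly: a valid Authenticode signature from the expected publisher, plus a hash obtained out of band. The script below is an added example, not code from the thread or from the Notepad++ project; the signer pattern `CN=Notepad\+\+` and the expected SHA-256 are assumptions you must replace with values taken from a known-good copy and from a channel independent of the download server.

```powershell
# Added example (not from the thread or the Notepad++ project).
# Verifies a downloaded installer before it is run:
#   1. The Authenticode signature must be Valid (chains to a trusted root, not tampered).
#   2. The signer subject must match the expected publisher (assumption: adjust the pattern
#      to the subject printed by Get-AuthenticodeSignature on a known-good installer).
#   3. The SHA-256 must match a hash obtained out of band (assumption: caller supplies it).
param(
    [Parameter(Mandatory = $true)] [string] $InstallerPath,
    [Parameter(Mandatory = $true)] [string] $ExpectedSha256,
    [string] $ExpectedSignerPattern = 'CN=Notepad\+\+'   # assumption: regex for the expected signer CN
)

function Test-Installer {
    param([string] $Path, [string] $Sha256, [string] $SignerPattern)

    $problems = @()

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, NotTrusted, ... all land here.
        $problems += "Signature status is '$($sig.Status)' ($($sig.StatusMessage))"
    }
    elseif ($sig.SignerCertificate.Subject -notmatch $SignerPattern) {
        # A Valid signature from some other publisher is still Valid; stopping at
        # Status -eq 'Valid' is exactly the weak check that lets a swapped binary through.
        $problems += "Signer '$($sig.SignerCertificate.Subject)' does not match '$SignerPattern'"
    }

    # Get-FileHash returns the hex digest in upper case; normalise the expected value to match.
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $Sha256.ToUpperInvariant()) {
        $problems += "SHA-256 mismatch: got $actual, expected $($Sha256.ToUpperInvariant())"
    }

    [pscustomobject]@{
        Path     = $Path
        Ok       = ($problems.Count -eq 0)
        Signer   = $sig.SignerCertificate.Subject
        Sha256   = $actual
        Problems = $problems
    }
}

$result = Test-Installer -Path $InstallerPath -Sha256 $ExpectedSha256 -SignerPattern $ExpectedSignerPattern
$result | Format-List
if (-not $result.Ok) { exit 1 }   # refuse to proceed; do not run the installer
```

Two caveats the check relies on. A hash published on the same server that serves the installer proves nothing if that server, or the path to it, is what was compromised; the value must come from a second channel. And `Status -eq 'Valid'` only says the file was signed by some certificate Windows trusts, which is why the signer subject is compared separately.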
 
I meant to say, of course, they can share their views but rather in their personal social media accounts and such if they want. For example, the Julian Assange case was also political and I have seen the uBO creator Raymond Hill share his views regarding the treatment of Julian Assange on his X account more than once. He was always in support of him. But he never brought those into uBO changelogs or any other uBO-related discussions.
Software, especially good free software, is created for everyone and used by people of all backgrounds. So bringing politics into it can often create unnecessary problems.
Yes, but the author/dev owns and creates the software; it's their right to make whatever political statement or political view public through their software.

It's only a problem if the content is racist or abusive, but what they choose to promote is up to them. If you don't agree with their views you don't have to use it like many do.
 
I already explained in my initial comment why making software political can put a target on their back. So I'm talking from that sense, not about rights or morality. People even have the right to be racist. So having the rights has nothing to do with it.
Notepad++ is an excellent piece of software which I have been using for a long time, so the quality of the software is more important to me than his desire to add political messages. I hope the dev has tightened the security so that what has happened can be avoided in the future.
 
[screenshot from www.rapid7.com]


The reported IP "95.179.213.0" description
[screenshot from www.whatismyip.com]


French, not Chinese!
 

Having checked our telemetry related to this incident, we have been amazed to find out how different and unique were the execution chains used in this supply chain attack. We identified that over the course of four months, from July to October 2025, attackers who have compromised Notepad++ have been constantly rotating C2 server addresses used for distributing malicious updates, the downloaders used for implant delivery, as well as the final payloads.
Even Kaspersky found something unique and "amazing". 😮 They also repeated IOCs reported by Rapid7, which seems unusual.

We observed three different infection chains overall designed to attack about a dozen machines, belonging to:
  • Individuals located in Vietnam, El Salvador and Australia;
  • A government organization located in the Philippines;
  • A financial organization located in El Salvador;
  • An IT service provider organization located in Vietnam.
Despite the variety of payloads observed, Kaspersky solutions have been able to block the identified attacks as they occurred.
Nice, now we have more targets that probably don't fit "East Asians":

The Rapid7 article also shows telemetry from China, Taiwan, and Japan, but not S. Korea.