Notepad++ updater delivered backdoors
A hosting-provider compromise let attackers selectively redirect Notepad++ update traffic in 2025. Victims received malicious update.exe chains that led to Cobalt Strike and custom backdoors.
Story
Notepad++ disclosed in February 2026 that its update infrastructure had been silently delivering backdoors to a small set of users through most of the prior summer and fall. The compromise sat one layer below the application itself: an attacker who had taken over a hosting provider selectively redirected requests from the Notepad++ updater to attacker-controlled servers, and the rest of the chain played out inside the trust boundary users had already granted to the editor.
Notepad++ is a long-running open-source Windows text editor with a large install base, and GUP.exe is the helper process it spawns to fetch and launch new versions. Researchers at Kaspersky, who first published a detailed account of the operation, said the legitimate updater handed off to malicious update.exe binaries served from the hijacked update endpoint. Those binaries gathered host data, staged files under user profile directories, and pulled down a second stage.
Kaspersky tracked rotating delivery chains from late July through October 2025. Early chains delivered a Cobalt Strike Beacon through Metasploit-style loaders; later chains swapped in different infrastructure and custom backdoor components, with the C2 hostname cdncheck.it.com fronted by IPs including 45.76.155.202 and 45.77.31.210. The operation was narrow: Kaspersky said it observed roughly a dozen affected machines spread across individuals and organizations, consistent with targeted espionage rather than mass deployment.
The Notepad++ website's direct download path does not appear to have been affected. The value to the attacker was the updater trust boundary itself: a user who asked Notepad++ to update could receive attacker code through infrastructure that both the project and its users expected to be boring.
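As an added defender-side illustration, not code from the Notepad++ project or from Kaspersky's report, the Python below triages constructed endpoint telemetry against the indicators named above: GUP.exe spawning update.exe, the three listed SHA-1 hashes, and contact with cdncheck.it.com or its fronting addresses. The event field names, hostnames, file paths and timestamps are assumptions made up for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the record above (offline sets, no live lookups).
C2_HOSTS = {"cdncheck.it.com"}
C2_IPS = {"45.76.155.202", "45.77.31.210"}
UPDATE_SHA1 = {"8e6e505438c21f3d281e1cc257abdbf7223b7f5a",
               "90e677d7ff5844407b9c073e3b7e896e078e11cd",
               "573549869e84544e3ef253bdba79851dcde4963a"}

def _base(path): return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the reasons one telemetry event is suspicious (empty list if none)."""
    reasons = []
    if ev["type"] == "process":
        if _base(ev["parent"]) == "gup.exe" and _base(ev["image"]) == "update.exe":
            reasons.append("updater: GUP.exe launched update.exe")
        if ev.get("sha1", "").lower() in UPDATE_SHA1:
            reasons.append("updater: image hash matches known malicious update.exe")
    elif ev["type"] == "network":
        if ev.get("query", "").lower() in C2_HOSTS or ev.get("dst_ip") in C2_IPS:
            reasons.append("c2: contact with cdncheck.it.com infrastructure")
    return reasons

def triage(events, window=timedelta(minutes=30)):
    """Per host: HIGH when an updater hit and a C2 hit fall within `window`, else MEDIUM."""
    hits = defaultdict(list)
    for ev in events:
        for reason in score_event(ev):
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), reason))
    verdicts = {}
    for host, found in hits.items():
        upd = [t for t, r in found if r.startswith("updater")]
        c2 = [t for t, r in found if r.startswith("c2")]
        high = any(abs(a - b) <= window for a in upd for b in c2)
        verdicts[host] = ("HIGH" if high else "MEDIUM", sorted({r for _, r in found}))
    return verdicts

# Constructed sample telemetry: hosts, paths and timestamps are invented for the demo.
SAMPLE = [
    {"type": "process", "host": "ws01", "ts": "2025-08-10T09:00:00",
     "parent": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "sha1": "8e6e505438c21f3d281e1cc257abdbf7223b7f5a"},
    {"type": "network", "host": "ws01", "ts": "2025-08-10T09:01:12", "query": "cdncheck.it.com"},
    {"type": "network", "host": "ws02", "ts": "2025-09-03T14:20:00", "dst_ip": "45.77.31.210"},
    {"type": "process", "host": "ws03", "ts": "2025-09-03T14:25:00",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\notepad.exe"},
]
```

Running `triage(SAMPLE)` rates ws01 HIGH (updater hit and C2 contact a minute apart), ws02 MEDIUM (C2 contact alone), and leaves the benign ws03 event out.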
Affected Artifacts
- Observed: 2025-06-01 to 2025-12-02
- Compromised Versions: Unknown
- Fixed: Not listed
- Hashes:
  - sha1:8e6e505438c21f3d281e1cc257abdbf7223b7f5a
  - sha1:90e677d7ff5844407b9c073e3b7e896e078e11cd
  - sha1:573549869e84544e3ef253bdba79851dcde4963a
  - +6 more
- Evidence: distribution: notepad-plus-plus.org/news/hijacked-incident-info-update, mirror: github.com/notepad-plus-plus/notepad-plus-plus, file: update.exe, process: GUP.exe, +4 more
Incident Context
- Motive: Espionage
- Attribution: State
- Cause: Compromised Infrastructure
- Transitive: No
- Actor: Nation-state
External References
- The Notepad++ supply chain attack - unnoticed execution chains and new IoCs (securelist.com)
- Notepad++ Supply Chain Attack (hackingpassion.com)
Source record: oss/attacks/notepad-plus-plus/meta.yaml