Notepad++ supply chain attack breakdown
3 months ago
- #supply-chain-attack
- #cybersecurity
- #Notepad++
- Notepad++'s update-hosting infrastructure was compromised between June and September 2025, and the attackers retained access to it until December 2025.
- Attackers used multiple execution chains and payloads, rotating C2 server addresses, downloaders, and final payloads.
- Targets included individuals in Vietnam, El Salvador, and Australia, a government organization in the Philippines, a financial organization in El Salvador, and an IT service provider in Vietnam.
- Three distinct infection chains were observed, each with unique characteristics and payloads.
- Chain #1 involved a malicious NSIS installer that collected system information and deployed a Cobalt Strike Beacon via a ProShow software exploit.
- Chain #2 used a Lua script to deploy a Metasploit downloader, which then delivered a Cobalt Strike Beacon.
- Chain #3 involved DLL sideloading to deploy a custom Chrysalis backdoor, with similarities to previous Cobalt Strike payloads.
- Attackers frequently rotated download URLs and payloads to evade detection, serving the malicious updates from a changing set of domains.
- Detection methods include checking for NSIS installers delivered through the update channel, unusual DNS resolutions, and the specific malicious shell commands used in the chains.
- Indicators of compromise (IoCs) include malicious URLs, file hashes, and paths used in the attack.
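The three detection checks listed above, worked through as a small triage script. This is an added example, not code from the original write-up or from the Notepad++ project. Everything specific in it is an assumption or a constructed placeholder: the updater image name (GUP.exe), the allowlist of update domains, the "known-bad" hash set (derived from a constructed blob rather than the published IoCs), the heuristic that a benign updater never spawns a shell, and all the log lines.

```python
"""Triage checks for a suspected malicious Notepad++ update.

Added example, not code from the original write-up or the Notepad++ project.
The updater image name, domain allowlist, known-bad hashes and every log line
below are constructed placeholders for illustration.
"""
import hashlib
import re

# Every NSIS-built installer carries this "first header" magic: 0xDEADBEEF
# followed by the ASCII tags Null / soft / Inst. Its presence in a file the
# updater fetched is the first thing to check.
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"

# Assumption: the legitimate updater only needs the project's own domain and
# GitHub; adjust this allowlist for your environment.
ALLOWED_UPDATE_DOMAINS = ("notepad-plus-plus.org", "github.com", "githubusercontent.com")

# Constructed stand-in for a malicious installer. A real deployment loads the
# published IoC hashes instead of deriving the set from a sample like this.
SAMPLE_BAD_INSTALLER = b"MZ" + b"\x00" * 62 + NSIS_MAGIC + b"constructed payload"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BAD_INSTALLER).hexdigest()}

# Child images that a benign updater has no reason to launch (heuristic).
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe")

# Simple key=value telemetry format used by the constructed sample lines.
DNS_LINE = re.compile(r'process="(?P<proc>[^"]+)"\s+query=(?P<qname>\S+)')
PROC_LINE = re.compile(r'parent="(?P<parent>[^"]+)"\s+image="(?P<image>[^"]+)"\s+cmdline="(?P<cmd>[^"]*)"')


def is_nsis_installer(blob: bytes) -> bool:
    """True when the blob contains the NSIS first-header signature."""
    return NSIS_MAGIC in blob


def triage_download(blob: bytes) -> dict:
    """Hash a fetched file and flag whether it is NSIS-built and/or known-bad."""
    digest = hashlib.sha256(blob).hexdigest()
    return {"sha256": digest, "nsis": is_nsis_installer(blob), "known_bad": digest in KNOWN_BAD_SHA256}


def _is_updater(path: str, updater_image: str) -> bool:
    return path.replace("/", "\\").lower().endswith("\\" + updater_image.lower())


def _domain_allowed(qname: str) -> bool:
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in ALLOWED_UPDATE_DOMAINS)


def unexpected_updater_dns(lines, updater_image="GUP.exe"):
    """Return query names the updater process resolved outside the allowlist."""
    hits = []
    for line in lines:
        m = DNS_LINE.search(line)
        if m and _is_updater(m.group("proc"), updater_image) and not _domain_allowed(m.group("qname")):
            hits.append(m.group("qname"))
    return hits


def updater_spawned_shell(lines, updater_image="GUP.exe"):
    """Return command lines of shells whose parent process was the updater.

    Heuristic assumption: the updater never launches cmd/powershell on its
    own, so any such child is pulled for comparison against the IoC commands.
    """
    hits = []
    for line in lines:
        m = PROC_LINE.search(line)
        if not m or not _is_updater(m.group("parent"), updater_image):
            continue
        image = m.group("image").replace("/", "\\").lower().rsplit("\\", 1)[-1]
        if image in SHELLS:
            hits.append(m.group("cmd"))
    return hits


# Constructed sample telemetry; the second DNS line and first process line
# are the anomalies the checks should surface.
SAMPLE_DNS_LOG = [
    r'ts=2025-12-01T10:00:01Z process="C:\Program Files\Notepad++\updater\GUP.exe" query=notepad-plus-plus.org',
    r'ts=2025-12-01T10:00:02Z process="C:\Program Files\Notepad++\updater\GUP.exe" query=update-cdn.example.invalid',
    r'ts=2025-12-01T10:00:03Z process="C:\Windows\System32\svchost.exe" query=time.windows.com',
]
SAMPLE_PROC_LOG = [
    r'ts=2025-12-01T10:00:05Z parent="C:\Program Files\Notepad++\updater\GUP.exe" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c start /min dropper.exe"',
    r'ts=2025-12-01T10:00:06Z parent="C:\Windows\explorer.exe" image="C:\Program Files\Notepad++\notepad++.exe" cmdline="notepad++.exe"',
]

if __name__ == "__main__":
    print(triage_download(SAMPLE_BAD_INSTALLER))
    print(unexpected_updater_dns(SAMPLE_DNS_LOG))
    print(updater_spawned_shell(SAMPLE_PROC_LOG))
```

The NSIS check alone is not evidence of compromise, since legitimate Notepad++ releases are also NSIS-built; it only narrows the set of files worth hashing against the IoC list. The DNS and parent-process checks are the ones that generalise across the rotated domains and payloads described above, because they key on the updater's behaviour rather than on any one URL or hash.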