# If you read nothing else, read this

>[!Important] Stop. Don't. Panic.
>There is a lot of panic surrounding this popular open source tool, and potential risk because it tends to be used by systems administrators, which makes it commonly installed on sensitive machines.
>
>**You have three things to consider**
>
>1) Are you frequently targeted by nation-state actors? If not, you likely aren't impacted.
>2) If you are running the latest build (8.9.1), WinGup has been secured, reducing the risk.
>3) If you've checked your environment against the known IOC hashes from popular threat groups and come up empty, you're probably good.

![[noteadpadRiskeval.png]]

## Risk Evaluation

The key takeaway is that the *majority* of consumers of the product were not affected, let alone targeted. This attack was most similar to a spear-phishing attack: if your network, DNS name, or company wasn't on the list, you **weren't** in scope. The attack group likely wanted to avoid detection as long as possible, and they largely succeeded in that goal.

>[!Quote] Notepad++ Team
>"This was a highly selective attack by a state-sponsored group targeting specific high-value organizations. Security researchers confirmed that the vast majority of Notepad++ users were never affected" - [Important Clarification: Notepad++ Security Incident | Notepad++](https://notepad-plus-plus.org/news/clarification-security-incident/)

So you're probably fine. Cool. But "probably fine" isn't where something like this ends. The ripple effects of something like this almost always hit harder than the attack itself.

# Attack Overview

There have been a ton of in-depth reviews of the attack. I want to simplify it into something compressed and easier to digest, starting with a simple picture.

![[attackflow.png]]

What was compromised in this image is the update server, which in simple terms acted as a filter: "are you coming from a known list?" If so, it served you something bad.
## Phase 1 - Capture the Server

In June 2025 a threat actor group compromised the online update server responsible for answering requests made by the self-updater tool (WinGup.exe). Regardless of how deep that ownership went, the server was owned, and that means every request coming in could be answered however the attackers chose.

## Phase 2 - Redirect *SPECIFIC* requests

From June until December 2nd, 2025 (ish), when certain requests were made, some were known to be redirected to download malicious content, including the IOCs mentioned in numerous blogs.

## Phase 3 - The Known Unknown

September 2nd 2025 - the attackers lost access to the compromised server, but retained access to internal Notepad++ services.

November 10th 2025 - the attackers stopped being seen by researchers, but retained access to certain credentials.

>[!Quote] Notepad++ Team
>Even after losing server access, attackers maintained credentials to internal services until December 2, 2025, which allowed them to continue redirecting Notepad++ update traffic to malicious servers.

None of the involved researchers saw proof of anything happening between November 10th and December 2nd, so it's possible that no requests were routed during this time.

December 2nd 2025 - all possible access is presumed to have been revoked by the Notepad++ team.

>[!Note] Credit Nash Pherson
>Thank you for reading this closely and pointing out my date mess-up here, prompting me to go back and re-write it again after I had gotten some actual sleep. I think I have it correct now. I re-wrote this section three or four times between meetings originally and made an oops.

## Phase 4 - Do bad things to people who downloaded those files

When files were downloaded, this gave the attackers a way to directly manipulate the impacted end devices.

# What does this mean long term?

I haven't seen too much of it just yet, but I am concerned about the secondary and tertiary impact of a successful attack like this.
We saw it with CrowdStrike, and with SolarWinds, where it introduced further friction in the software acquisition process when it comes to vetting and implementing software. If you think the outcome from this is any different, think again. Companies are going to be forced to look aggressively at their internal solutions, at their infrastructure and the tools they rely on, and make some hard decisions when it comes to their favorite tools.

## OSS

At the end of the day Notepad++ is a massive, free open source project. Want to compile it yourself and update it yourself? Well, here you go: read the license and build it yourself. [notepad-plus-plus/LICENSE at master · notepad-plus-plus/notepad-plus-plus](https://github.com/notepad-plus-plus/notepad-plus-plus/blob/master/LICENSE)

What's unsaid here is that a product like Notepad++, installed on millions of machines and developed and maintained FOR FREE, is not going to have an enterprise team of security specialists monitoring things round the clock. They are not going to have a cyber team monitoring every single pull request and evaluating the security risk of every single new feature or plugin. This is where companies, and individuals, have to help contribute to maintaining these projects, or eventually the projects WILL get leveraged in future attacks. They WILL be the weakest link, and/or the tools WILL stop existing.

# Get it in your heads, we got lucky

Brutal honesty time, and look in the mirror. As an industry, we got lucky. This is a tool that system administrators use *everywhere*. The attackers only targeted a few people. Now it's known to be effective. The next time, the rest of the world might not be left out of the party.

Stay patch current, keep constant vigilance for new behaviors in your environment with EDR/XDR platforms, and maybe, just maybe, consider throwing $20 at the open source tools you use on a daily basis.
# References

- https://notepad-plus-plus.org/assets/data/IoCFromFormerHostingProvider.txt
- https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
- https://securelist.com/notepad-supply-chain-attack/118708/

>[!Warning] Malicious IPs used to connect to the server from the hosting provider
>Are these connecting to your environment? The addresses reported by the hosting provider are listed in the IoC file linked above (IoCFromFormerHostingProvider.txt).

Evaluate the IOCs - per Rapid7 ([Chrysalis backdoor / Lotus Blossom toolkit write-up](https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/)): the table of dropped-file names with their SHA-256 hashes is in that post.

Auxiliary malicious IOC files found by Securelist/Kaspersky: the hashes of the malicious auxiliary files are in the [Securelist post](https://securelist.com/notepad-supply-chain-attack/118708/) linked above.
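To act on point 3 of the opening callout and the IOC section above, here is an added example (not code from the post or from the Notepad++ project) that refangs indicators written in the post's `[.]`/`[:]` notation, canonicalises them, and sweeps constructed log lines and file contents for matches. Every indicator value in it is a placeholder (RFC 5737 / RFC 3849 test ranges and a made-up hash), not one of the real IOCs; the real lists live in the linked IoC file and vendor posts.

```python
"""Added example, not code from the post or the Notepad++ project.  Refang the
post's '[.]' / '[:]' indicator notation, canonicalise the addresses, then sweep
constructed log lines and file contents.  Every indicator here is a placeholder."""
import hashlib
import ipaddress
import re

# Constructed placeholder IOCs in the post's defanged style.  The last entry is
# deliberately malformed (too few IPv6 groups): unparseable indicators must be
# reported, otherwise they silently never match anything.
DEFANGED_IPS = ["203[.]0[.]113[.]10", "198[.]51[.]100[.]7",
                "2001[:]db8[:]1[:]2[:]3[:]4[:]5[:]6", "2001[:]db8[:]1"]
# Placeholder SHA-256 -> file name, standing in for a dropped-file hash table.
IOC_SHA256 = {hashlib.sha256(b"placeholder malicious update.exe").hexdigest(): "update.exe"}

# Constructed log lines (not real traffic).  Line 3 carries a longer address that
# merely has 203.0.113.10 as a prefix and must NOT be reported.
SAMPLE_LOG = [
    "2025-11-12T08:01:22Z proxy src=10.0.0.5 dst=203.0.113.10:443 host=notepad-plus-plus.org ua=WinGup",
    "2025-11-12T08:01:23Z proxy src=10.0.0.5 dst=93.184.216.34:443 host=example.com",
    "2025-11-12T08:01:40Z proxy src=10.0.0.6 dst=203.0.113.100:443 host=example.org",
    "2025-11-12T08:02:10Z fw src=10.0.0.9 dst=[2001:db8:1:2:3:4:5:6]:443 action=allow",
]
# Candidate IPv4/IPv6 tokens; anything that is not a real address is dropped by canonical().
ADDR_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]*:[0-9a-fA-F:]+")

def refang(indicator: str) -> str:
    """Undo defanging: '198[.]51[.]100[.]7' -> '198.51.100.7', likewise for '[:]'."""
    return indicator.replace("[.]", ".").replace("[:]", ":")

def canonical(addr: str):
    """Normalised address string (e.g. compressed IPv6), or None if not a valid IP."""
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return None

def load_ip_iocs(defanged):
    """Return (set of canonical addresses, list of entries that failed to parse)."""
    parsed = {item: canonical(refang(item)) for item in defanged}
    return {a for a in parsed.values() if a}, [i for i, a in parsed.items() if not a]

def log_hits(lines, ioc_addrs):
    """(line_no, address) for each line containing an IOC address as a whole token."""
    return [(n, c) for n, line in enumerate(lines, 1)
            for c in map(canonical, ADDR_RE.findall(line)) if c in ioc_addrs]

def hash_hits(named_blobs, ioc_hashes):
    """SHA-256 each (name, bytes) pair and report the ones present in the IOC table."""
    return [(name, ioc_hashes[h]) for name, data in named_blobs
            if (h := hashlib.sha256(data).hexdigest()) in ioc_hashes]
```

Swap `DEFANGED_IPS` and `IOC_SHA256` for the published lists and feed real proxy/firewall exports and on-disk file bytes to `log_hits` and `hash_hits`; anything returned in the second element of `load_ip_iocs` is an indicator you are not actually checking for.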