A months-long compromise of Notepad++'s update infrastructure enabled attackers to deploy three distinct infection chains targeting developers and organizations worldwide, with security researchers uncovering novel evasion techniques and rotating payloads.

Security researchers have uncovered intricate details of a supply chain attack targeting Notepad++, the popular developer text editor used by millions worldwide. Between June and December 2025, attackers maintained persistent access to the software's update servers, deploying at least three distinct infection chains to compromised systems.
Targeted Attack Methodology
The attackers demonstrated surgical precision, selectively distributing malicious updates to specific victims including:
- Government entities in the Philippines
- Financial institutions in El Salvador
- IT service providers in Vietnam
- Individual developers across Australia, Vietnam, and El Salvador
Attackers rotated their infrastructure monthly, using different command-and-control servers (45.76.155.202, 45.32.144.255, 95.179.213.0) and constantly evolving their techniques to avoid detection. Kaspersky's analysis revealed three primary attack chains:
- ProShow Exploit Chain (July-August 2025): Abused a known vulnerability in ProShow software rather than typical DLL sideloading techniques, delivering Cobalt Strike Beacon via Metasploit downloaders
- Lua Script Execution (September 2025): Deployed compiled Lua scripts through legitimate Lua interpreters, using temp.sh for data exfiltration
- Bluetooth Service Sideloading (October 2025): Leveraged DLL sideloading through BluetoothService.exe to deploy custom Chrysalis backdoors

Security Implications
This attack demonstrates several concerning trends:
- Supply Chain as High-Value Target: Compromising developer tools provides access to privileged systems
- Evasion Innovation: Fake shellcode padding and rotating encryption methods showed advanced anti-analysis techniques
- Hybrid Payloads: Combination of custom malware (Chrysalis) with commodity tools like Cobalt Strike
Developers and organizations should:
- Audit systems for NSIS installer artifacts in %localappdata%\Temp\ns.tmp
- Monitor for DNS requests to temp.sh and unusual User-Agent strings
- Review Notepad++ installations for IoCs listed in the full technical analysis
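The first two checks in that list, as an added triage example that is not Kaspersky's or the Notepad++ project's code: it matches constructed proxy/DNS log lines against the indicators the article names (the temp.sh domain and the three command-and-control addresses), flags User-Agent strings outside an expected baseline, and looks for NSIS temporary directories under the Temp folder. The log line format, the User-Agent baseline, and the broadened ns*.tmp directory pattern (NSIS installers unpack into nsXXXX.tmp folders) are assumptions, as are all sample values.

```python
"""Triage helper for the Notepad++ update-server incident indicators.
Added example; log format, UA baseline and ns*.tmp pattern are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicators taken from the article text.
C2_ADDRESSES = {"45.76.155.202", "45.32.144.255", "95.179.213.0"}
EXFIL_DOMAINS = {"temp.sh"}

# Assumption: User-Agent prefixes that are normal in this environment.
# Anything else (including an empty UA) is reported as unusual.
KNOWN_USER_AGENT_PREFIXES = ("Mozilla/5.0",)

# Assumption: constructed log format  ts src dst:port host "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<host>\S+) "(?P<ua>[^"]*)"$'
)

# Assumption: broadened from the article's ns.tmp to the nsXXXX.tmp
# directories NSIS installers create under %localappdata%\Temp.
NSIS_TEMP_DIR = re.compile(r"\\Temp\\ns[0-9A-Fa-f]*\.tmp(\\|$)", re.IGNORECASE)


@dataclass
class Hit:
    ts: str
    src: str
    reasons: list[str] = field(default_factory=list)


def check_line(line: str) -> Hit | None:
    """Return a Hit describing every indicator a single log line matches."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None  # unparseable line: report nothing rather than guess
    reasons = []

    host = m["host"].lower().rstrip(".")
    if host in EXFIL_DOMAINS or any(host.endswith("." + d) for d in EXFIL_DOMAINS):
        reasons.append(f"exfil domain: {host}")

    dst = m["dst"].rsplit(":", 1)[0]  # strip port
    if dst in C2_ADDRESSES:
        reasons.append(f"c2 address: {dst}")

    ua = m["ua"]
    if not ua.startswith(KNOWN_USER_AGENT_PREFIXES):
        reasons.append(f"unusual user-agent: {ua!r}")

    return Hit(m["ts"], m["src"], reasons) if reasons else None


def triage(lines: list[str]) -> list[Hit]:
    """Run check_line over a log and keep only the lines that matched."""
    return [h for h in (check_line(ln) for ln in lines) if h]


def nsis_artifacts(paths: list[str]) -> list[str]:
    """Filter a list of file paths down to NSIS temp-directory artifacts."""
    return [p for p in paths if NSIS_TEMP_DIR.search(p)]


# Constructed sample data: not real captures.
SAMPLE_LOG = [
    '2025-10-03T09:12:44Z 10.0.0.15 45.32.144.255:443 update.example.invalid "Mozilla/5.0 (Windows NT 10.0)"',
    '2025-10-03T09:13:01Z 10.0.0.15 203.0.113.7:443 temp.sh "curl/8.4.0"',
    '2025-10-03T09:14:10Z 10.0.0.22 198.51.100.9:443 www.example.com "Mozilla/5.0 (Windows NT 10.0)"',
    '2025-10-03T09:15:30Z 10.0.0.15 192.0.2.40:80 cdn.example.net ""',
]
SAMPLE_PATHS = [
    r"C:\Users\dev\AppData\Local\Temp\nsa1B2.tmp\System.dll",
    r"C:\Users\dev\AppData\Local\Temp\ns.tmp",
    r"C:\Users\dev\AppData\Local\Temp\notes.tmp",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit.ts, hit.src, "; ".join(hit.reasons))
    for path in nsis_artifacts(SAMPLE_PATHS):
        print("NSIS artifact:", path)
```

On the constructed sample, the first line is reported for its destination address, the second for both the temp.sh host and the curl User-Agent, and the fourth for its empty User-Agent; the third is clean. The User-Agent check is deliberately an allow-list against a baseline you define, since the article does not publish the specific strings the attackers used.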
Ongoing Concerns
Despite Notepad++ developers regaining control in December 2025, the four-month attack window and sophisticated targeting suggest possible undiscovered compromise vectors. The incident underscores the critical need for:
- Multi-factor authentication for software update systems
- Behavioral detection beyond signature-based scanning
- Software bill of materials (SBOM) verification for critical tools
Security teams should assume attackers developed additional infection chains beyond the three confirmed methods. Continuous monitoring of developer environments remains essential as supply chain attacks grow increasingly sophisticated.
