Notepad++ supply chain attack breakdown
The article details a sophisticated supply chain attack on Notepad++ that occurred from July to October 2025. Attackers compromised the update infrastructure, deploying various malicious payloads through three distinct infection chains. The attack targeted individuals and organizations in Vietnam, El Salvador, Australia, and the Philippines. The infection methods evolved over time, using NSIS installers, Metasploit downloaders, and Cobalt Strike Beacons. The attackers employed clever techniques to evade detection, including the abuse of legitimate software and the use of multiple C2 servers. The article provides a comprehensive timeline of the attack, describes the different execution chains, and offers guidance on detecting traces of the attack.
AI Analysis
Technical Summary
This supply chain attack on Notepad++ involved the compromise of its update infrastructure over a four-month period in 2025, allowing attackers to distribute malicious payloads through legitimate software updates. The attackers deployed three distinct infection chains: first, using NSIS installers to deliver initial payloads; second, leveraging Metasploit downloaders to fetch additional malware; and third, employing Cobalt Strike Beacons to establish persistent command-and-control (C2) channels. The attackers used DLL sideloading techniques to load malicious code under the guise of legitimate DLLs, and shellcode execution to evade detection. The Chrysalis backdoor was among the payloads used to maintain persistence and facilitate lateral movement. Multiple C2 servers were utilized to complicate detection and takedown efforts. The attack targeted individuals and organizations mainly in Vietnam, El Salvador, Australia, and the Philippines, but the supply chain nature means any Notepad++ user could be at risk. The attackers exploited legitimate update mechanisms (T1195) and used obfuscation (T1027), process injection (T1055), and credential access techniques (T1573) to evade defenses. Detection requires analyzing update processes, monitoring network traffic for Cobalt Strike and Metasploit indicators, and scanning for DLL sideloading artifacts. The attack demonstrates advanced adversary capabilities in supply chain compromise, persistence, and evasion, highlighting the critical need for supply chain security and robust endpoint defenses.
Potential Impact
For European organizations, the impact of this supply chain attack could be significant due to the widespread use of Notepad++ as a popular text editor in various sectors including software development, education, and administration. Compromise through trusted update channels undermines traditional security assumptions, potentially allowing attackers to execute arbitrary code, steal sensitive data, and establish persistent footholds within networks. The use of advanced tools like Cobalt Strike and Metasploit indicates potential for extensive lateral movement and data exfiltration. Disruption of business operations, intellectual property theft, and reputational damage are likely consequences. Additionally, the stealthy nature of the attack complicates detection and remediation, increasing the risk of prolonged exposure. European organizations with critical infrastructure or sensitive data are particularly at risk, as attackers could leverage this foothold for espionage or sabotage. The attack also raises concerns about the security of open-source and third-party software supply chains widely used in Europe.
Mitigation Recommendations
European organizations should implement strict verification of Notepad++ updates by validating digital signatures and hashes before installation. Employ application allowlisting to restrict execution of unauthorized installers and DLLs, particularly monitoring for NSIS installers and suspicious DLL sideloading. Enhance endpoint detection and response (EDR) capabilities to identify behaviors associated with Metasploit and Cobalt Strike, such as unusual network connections, process injections, and beaconing activity. Network segmentation and strict egress filtering can limit C2 communications. Regularly audit software supply chains and consider using software composition analysis tools to detect tampering. Educate users about the risks of supply chain attacks and encourage reporting of unusual software behavior. Maintain up-to-date backups and incident response plans tailored to supply chain compromise scenarios. Collaborate with software vendors to receive timely threat intelligence and patches. Finally, monitor threat intelligence sources for indicators of compromise related to this attack and integrate them into security monitoring systems.
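As an added, illustrative detection script (not code from the Securelist report or the pulse), the following runs the network-side checks above over a constructed proxy log: it flags hits against an IoC list, an updater process (assumed here to be gup.exe or notepad++.exe) talking to anything other than the assumed legitimate update hosts, and the pattern visible in this report's IoC URLs, a plain-HTTP executable fetched from a bare IP address under /update/. The IoC values, log format and trusted-host list are placeholders and assumptions, to be replaced with the feed and updater hosts an organization actually uses.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed IoC values (placeholders, NOT the indicators from the report).
IOC_DOMAINS = {"c2.example-ioc.invalid"}
IOC_URLS = {"http://203.0.113.10/update/update.exe"}
# Hosts the genuine Notepad++ updater (GUP) is expected to reach (assumption).
TRUSTED_UPDATE_HOSTS = {"notepad-plus-plus.org", "github.com",
                        "objects.githubusercontent.com"}
UPDATER_PROCESSES = {"gup.exe", "notepad++.exe"}
# Constructed proxy-log layout: time src_ip process method url status
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) "
                    r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

@dataclass
class Finding:
    ts: str
    src: str
    url: str
    reasons: list

def classify(line: str):
    """Return a Finding for one log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    # Some feeds publish URLs with a trailing '.'; strip it before matching.
    url = m.group("url").rstrip(".")
    u = urlparse(url)
    host = (u.hostname or "").lower()
    path = u.path.lower()
    reasons = []
    if url in IOC_URLS or host in IOC_DOMAINS:
        reasons.append("matches known IoC")
    if m.group("proc").lower() in UPDATER_PROCESSES and host not in TRUSTED_UPDATE_HOSTS:
        reasons.append("updater contacted untrusted host")
    if u.scheme == "http" and IPV4_RE.match(host) and "/update/" in path and path.endswith(".exe"):
        reasons.append("plain-HTTP .exe fetched from bare IP under /update/")
    return Finding(m.group("ts"), m.group("src"), url, reasons) if reasons else None

def scan(lines):
    """Run classify() over an iterable of log lines and keep only the hits."""
    return [f for f in map(classify, lines) if f is not None]

# Constructed sample log; the IPs are documentation ranges, not real infrastructure.
SAMPLE_LOG = """\
2025-09-01T10:00:00Z 10.0.0.5 gup.exe GET https://notepad-plus-plus.org/update/check.xml 200
2025-09-01T10:00:02Z 10.0.0.5 gup.exe GET http://203.0.113.10/update/update.exe 200
2025-09-01T10:05:00Z 10.0.0.7 update.exe POST https://c2.example-ioc.invalid/api/FileUpload/submit 200
2025-09-01T10:06:00Z 10.0.0.9 chrome.exe GET https://github.com/notepad-plus-plus/notepad-plus-plus/releases 200
2025-09-01T10:07:00Z 10.0.0.9 msedge.exe GET http://198.51.100.4/update/install.exe. 200
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f.ts, f.src, f.url, "->", "; ".join(f.reasons))
```

Running it flags three of the five constructed lines: the IoC-listed download by the updater, the POST to the IoC domain, and the bare-IP /update/ executable whose trailing dot is normalised away.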
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securelist.com/notepad-supply-chain-attack/118708/
- Adversary: null
- Pulse Id: 6981e532c377aebc94f0e7a8
- Threat Score: null
Threat ID: 69821f0cf9fa50a62fd06c95
Added to database: 2/3/2026, 4:15:08 PM
Last enriched: 2/3/2026, 4:29:29 PM
Last updated: 2/7/2026, 2:12:58 AM