Full Report
Hackers associated with the Chinese government used a Trojaned version of Notepad++ to deliver malware to selected users. Notepad++ said that officials with the unnamed provider hosting the update infrastructure consulted with incident responders and found that it remained compromised until September 2. Even then, the attackers maintained credentials to the internal services until December 2, a capability that allowed them to continue redirecting selected update traffic to malicious servers. The threat actor “specifically targeted Notepad++ domain with the goal of exploiting insufficient update verification controls that existed in older versions of Notepad++.” Event logs indicate that the hackers tried to re-exploit one of the weaknesses after it was fixed but that the attempt failed...
Analysis Summary
# Threat Actor: Unnamed Chinese State-Sponsored Group
## Attribution & Identity
* **Attribution:** Hackers associated with the Chinese government.
* **Known Aliases and Associated Groups:** Not specified; the report attributes the activity only to actors associated with the Chinese government.
## Activity Summary
This threat actor conducted a prolonged supply chain compromise targeting the Notepad++ software update infrastructure. The update provider's hosting infrastructure remained compromised until September 2, so the compromise began sometime before that date. The attackers retained credentials to internal services until December 2, allowing them to sustain the campaign for an extended period (at least three months after the initial infrastructure compromise was discovered). The primary goal was to exploit pre-existing weaknesses in update verification controls to deliver malicious payloads via trojaned updates to selected users. Attackers were observed attempting to re-exploit a weakness after it had been patched, indicating persistence and a sustained focus on this specific security gap.
## Tactics, Techniques & Procedures
* **Initial Access/Compromise:** Compromising the update infrastructure hosting provider.
* **Supply Chain Compromise:** Trojaning the Notepad++ software updates to deliver malware.
* **Exploiting Vulnerabilities:** Specifically targeted Notepad++ domain infrastructure to exploit "insufficient update verification controls" in older software versions.
* **Persistence:** Maintained credentials to internal services even after the initial infrastructure compromise was discovered (until December 2).
* **Evasion/Reconnaissance:** Attempted to re-exploit patched weaknesses (indicates monitoring/testing of defenses).
* **MITRE ATT&CK IDs:** Not explicitly mentioned in the text, but the operation aligns with **T1195: Supply Chain Compromise**.
## Targeting
* **Sectors:** Users of Notepad++ who receive its updates; specific sectors are not detailed.
* **Geography:** Not specified.
* **Victims:** "Selected users" who received the trojaned Notepad++ updates.
## Tools & Infrastructure
* **Malware Families Used:** Trojaned version of Notepad++ used to deliver undisclosed malware.
* **Infrastructure (C2, Domains, IPs):** The threat actor redirected selected update traffic to **malicious servers** under its control. No specific infrastructure details (domains, IPs) are provided in the report.
## Implications
This represents a high-impact, sophisticated supply chain attack targeting a widely used software utility (Notepad++). The prolonged period of access (compromise lasting from at least September 2 to December 2, even after discovery) suggests the actors prioritized maintaining remote access for continued delivery or data exfiltration. The attempt to re-exploit a fixed weakness confirms the high value placed on compromising the update mechanism.
## Mitigations
* Immediately update Notepad++ to version **8.9.1** or later, the version cited as having fixed at least one exploited weakness.
* Review and strengthen controls over third-party providers hosting critical infrastructure (update servers).
* Implement strict *code signing verification* and *integrity checks* for all software updates to counter insufficient update verification controls.
* Audit internal service credentials, especially those accessing update distribution mechanisms, following any infrastructure compromise.
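The following is an added example, not code from Notepad++ or from the report, illustrating the "code signing verification and integrity checks" mitigation on the client side. It assumes a hypothetical update scheme: the publisher signs a small JSON manifest (version, SHA-256 digest, size) with an Ed25519 release key, and the client carries the publisher's public key compiled into the binary rather than fetching it from the update server. With that in place, an attacker who redirects update traffic to a server they control cannot produce a manifest that verifies, cannot swap the payload without breaking the signed digest, and cannot replay an older signed manifest to roll the client back to a version with known weaknesses. The manifest format, version scheme and sample payloads are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Manifest describes one release (constructed format for this example).
// The publisher signs the canonical JSON bytes of this struct, which binds
// the version and the payload digest to the signature.
type Manifest struct {
	Version string `json:"version"` // dotted integers, e.g. "8.9.1"
	SHA256  string `json:"sha256"`  // hex digest of the update payload
	Size    int    `json:"size"`    // payload length in bytes
}

// SignManifest is the publisher side: it returns the exact bytes that were
// signed together with the Ed25519 signature over them.
func SignManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, []byte, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// VerifyUpdate is the client side. pinned is the publisher key shipped inside
// the client; it must not be downloaded from the same server as the update,
// otherwise whoever controls that server also controls the trust anchor.
// installedVersion is used to refuse rollbacks to older releases.
func VerifyUpdate(pinned ed25519.PublicKey, manifestRaw, sig, payload []byte, installedVersion string) error {
	// 1. Authenticate the manifest before trusting anything inside it.
	if !ed25519.Verify(pinned, manifestRaw, sig) {
		return errors.New("manifest signature invalid: not signed by the pinned publisher key")
	}
	var m Manifest
	if err := json.Unmarshal(manifestRaw, &m); err != nil {
		return fmt.Errorf("manifest malformed: %w", err)
	}
	// 2. Integrity: the downloaded payload must match the signed digest.
	if len(payload) != m.Size {
		return fmt.Errorf("payload size %d does not match signed size %d", len(payload), m.Size)
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return errors.New("payload digest does not match signed manifest")
	}
	// 3. Anti-rollback: a validly signed but older manifest must be refused,
	// since it would reinstall a version whose weaknesses are already known.
	offered, err := parseVersion(m.Version)
	if err != nil {
		return err
	}
	current, err := parseVersion(installedVersion)
	if err != nil {
		return err
	}
	if compareVersions(offered, current) <= 0 {
		return fmt.Errorf("rollback refused: offered %s is not newer than installed %s", m.Version, installedVersion)
	}
	return nil
}

// parseVersion turns "8.9.1" into [8 9 1]; non-numeric components are rejected.
func parseVersion(s string) ([]int, error) {
	parts := strings.Split(s, ".")
	out := make([]int, 0, len(parts))
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return nil, fmt.Errorf("bad version component %q", p)
		}
		out = append(out, n)
	}
	return out, nil
}

// compareVersions returns -1, 0 or 1; missing trailing components count as 0.
func compareVersions(a, b []int) int {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // publisher's release key (demo only)
	payload := []byte("constructed sample update payload")
	sum := sha256.Sum256(payload)
	m := Manifest{Version: "8.9.1", SHA256: hex.EncodeToString(sum[:]), Size: len(payload)}
	raw, sig, _ := SignManifest(priv, m)

	fmt.Println("genuine update:  ", VerifyUpdate(pub, raw, sig, payload, "8.8.0"))
	fmt.Println("tampered payload:", VerifyUpdate(pub, raw, sig, []byte("swapped by a redirected server"), "8.8.0"))
	fmt.Println("rollback attempt:", VerifyUpdate(pub, raw, sig, payload, "8.9.1"))
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // attacker lacks the pinned key
	araw, asig, _ := SignManifest(attackerPriv, m)
	fmt.Println("attacker-signed: ", VerifyUpdate(pub, araw, asig, payload, "8.8.0"))
}
```

The order of checks matters: the signature is verified over the raw manifest bytes before they are parsed, so an attacker who controls the update server cannot feed the client unauthenticated data at all. Transport security alone does not give this property, since the report's redirect-to-malicious-server scenario happens at the infrastructure level; the pinned publisher key is what makes the redirected server's content unusable.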