Full Report
Miscreants will need to find another avenue for malware shenanigans Notepad++ has continued beefing up security with a release the project's author claims makes the "update process robust and effectively unexploitable."…
Analysis Summary
# Vulnerability: Notepad++ Update Process Hijacking (Lotus Blossom Campaign)
## CVE Details
- **CVE ID:** Not explicitly cited in the article (Note: This refers to the series of flaws addressed in late 2025/early 2026 leading to the "Double-Lock" security model).
- **CVSS Score:** N/A (Historically High/Critical for update hijacking)
- **CWE:** CWE-494 (Download of Code Without Integrity Check), CWE-345 (Insufficient Verification of Data Authenticity), CWE-427 (Uncontrolled Search Path Element)
## Affected Systems
- **Products:** Notepad++ and the WinGUp auto-updater component.
- **Versions:** All versions prior to **v8.9.2**. Specifically, versions prior to v8.8.9 lacked signed installer verification.
- **Configurations:** Systems utilizing the built-in auto-updater.
## Vulnerability Description
The vulnerability stems from a lack of comprehensive integrity and authenticity verification during the application update lifecycle. Attackers (identified as Lotus Blossom) compromised the update service to redirect traffic to malicious servers. Prior to recent hardening:
1. **Insecure Instructions:** The XML file containing update metadata was not verified via digital signature, allowing attackers to redirect the updater to a malicious payload URL.
2. **DLL Side-Loading:** The `libcurl.dll` dependency in the WinGUp updater was susceptible to DLL side-loading (CWE-427), allowing local execution of malicious code.
3. **Weak SSL/TLS Options:** The updater utilized insecure cURL options (`CURLSSLOPT_ALLOW_BEAST` and `CURLSSLOPT_NO_REVOKE`), potentially facilitating Man-in-the-Middle (MitM) attacks.
## Exploitation
- **Status:** **Exploited in the wild** (Attributed to Chinese state-sponsored group Lotus Blossom).
- **Complexity:** High (Requires compromise of update infrastructure or MitM capabilities).
- **Attack Vector:** Network (Redirection of update traffic).
## Impact
- **Confidentiality:** High (Full system compromise through malware delivery).
- **Integrity:** High (Unauthorized modification of software and system files).
- **Availability:** High (Potential for ransomware or system instability).
## Remediation
### Patches
- **Notepad++ v8.9.2 (or later):** Implements "Double-Lock" verification (verifies both the signed XML instructions and the signed installer).
- **Notepad++ v8.8.9:** Introduced verification of the signed installer payload.
### Workarounds
- **Disable Auto-Updater:** Users can manually disable the updater during installation via the UI.
- **Command Line Deployment:** Use the MSI package with the `NOUPDATER=1` flag:
`msiexec /i npp.8.9.2.Installer.x64.msi NOUPDATER=1`
- **Manual Verification:** Manually download installers from the official site and verify GPG signatures/hashes.
## Detection
- **Indicators of Compromise:** Unexpected network traffic from `GUP.exe` (WinGUp) to non-standard or suspicious domains.
- **Detection Methods:** Monitor for unauthorized `libcurl.dll` files in the Notepad++ directory that do not match known-good hashes. Security software should monitor for `GUP.exe` spawning suspicious child processes (e.g., PowerShell, CMD).
## References
- Notepad++ Official Release Notes: hxxps[://]notepad-plus-plus[.]org/news/v892-released/
- The Register Article: hxxps[://]www[.]theregister[.]com/2026/02/18/notepad_hardened_updates/