Full Report
Interesting one, has been rumbling for about a week in my circles. I've heard from 3 orgs now who've had security incidents on boxes with Notepad++ installed, where it appears Notepad++ processes have spawned the initial access. These have resulted in hands-on-keyboard threat actors.

It is unclear exactly what is happening, and this blog is not to blame the (very good) developer of Notepad++. It's more just to raise awareness. I should also point out it is based on incomplete information, as a full picture as to what is happening isn't yet available — this is an evolving situation. It is also a tiny number of organisations impacted so far, so other organisations shouldn't overreact.

## Some backstory

In mid November, Notepad++ published an update with an interesting change, to harden the Notepad++ updater from being hijacked to deliver something.. not Notepad++. This wasn't given a CVE. The change itself is this:

Which does this, amongst other things:

## How GUP works

Notepad++ uses a bespoke software updater called GUP or WinGUP. GUP sends the version in use to https://notepad-plus-plus.org/update/getDownloadUrl.php, which in turn provides a file called gup.xml, which contains a download URL for the update.

## What GUP retrieves

The file is grabbed, saved in %TEMP%, and then executed.

## How it can be abused

If you can intercept and change this traffic, it appears you can redirect the download to any location by changing the URL in the property.

This traffic is supposed to be over HTTPS; however, it appears you may be able to tamper with the traffic if you sit at the ISP level and TLS intercept. In earlier versions of Notepad++, the traffic was just over HTTP.

The downloads themselves are signed — however, some earlier versions of Notepad++ used a self-signed root cert, which is on GitHub. With 8.8.7, the prior release, this was reverted to GlobalSign.

Effectively, there's a situation where the download isn't robustly checked for tampering.

Because traffic to notepad-plus-plus.org is fairly rare, it may be possible to sit inside the ISP chain and redirect to a different download. To do this at any kind of scale requires a lot of resources.

## How it is fixed

In Notepad++ 8.8.8, downloads are forced to be from github.com, which is much more difficult to intercept covertly given the number of GitHub users.

## Victims

I've only talked to a small number of victims. They are orgs with interests in East Asia. Activity appears very targeted. Victims report hands-on-keyboard recon activity, with activity starting around two months ago.

## What to watch out for

Check for:

- gup.exe making network requests to anything other than notepad-plus-plus.org, github.com and release-assets.githubusercontent.com.
- gup.exe with unusual process sub-spawns — it should only spawn explorer.exe, and npp*-themed Notepad++ installers. For 8.8.8 and 8.8.7 these should have valid digital signatures and be signed by GlobalSign.
- Files called update.exe or AutoUpdater.exe in the user TEMP folder, where gup.exe has written and/or executed the files.
- Use of curl.exe (bundled with Windows 10 and above) to call out to temp.sh for recon activity. Example:

You'll notice above AutoUpdater.exe — which isn't a part of Notepad++; Notepad++ doesn't use that filename at all — executing with the parameter /closeRunningNpp, which is called by the legit Notepad++ updater process. Essentially, something else is in the update chain somehow in this example. The cause isn't known in that case, but it may be related to this blog.

## Additional issues

Search engines are rammed full of adverts for trojanised versions of Notepad++. If you have an incident with this, it's worth trying to establish if you're running a real version of the software.

Notepad++ is the victim of security researchers publishing essentially bogus vulnerabilities using generative AI, and then some cyber media outlets publishing AI-generated scare stories about said fake vulnerabilities — example: https://github.com/notepad-plus-plus/notepad-plus-plus/issues/17047. The context here is, a few months ago outlets were running stories about a 'supply chain' attack against Notepad++.. but it was actually just a nonsense DLL sideloading issue.

Notepad++ supports third-party extensions, in app, which users can enable with a few clicks. These extensions are pulled remotely and updated, and execute code. You'll see them being run as subprocesses of notepad++.exe. It's important to think about the attack surface that generates.

## Suggestions

Don't panic.

Make sure users are on at least Notepad++ 8.8.8, and that they're not running unofficial versions. It's probably worth not using the auto-update process to update, but instead installing the latest version manually from notepad-plus-plus.org.

If you're a large enterprise that package-manages Notepad++ and updates it, you may want to block notepad-plus-plus.org or block the gup.exe process from having internet access. You may also want to block internet access from the notepad++.exe process, unless you have robust monitoring for extensions. For most organisations, this is very much overkill and not practical.

## Updates

I'll update the post if anything particularly interesting happens, but I've been tooting about this on Mastodon all week, locked to followers as I wanted to gather more info.

Follow me there on @[email protected], or sign up here.

*Small numbers of Notepad++ users reporting security woes* was originally published in DoublePulsar on Medium, where people are continuing the conversation by highlighting and responding to this story.
Analysis Summary
# Incident Report: Notepad++ Updater Abuse Leading to Hands-On-Keyboard Activity
## Executive Summary
A series of targeted security incidents, observed across approximately three organizations, involve initial access traced back to the Notepad++ process. The suspected attack vector leverages potential tampering of the Notepad++ auto-updater mechanism (GUP/WinGUP) to distribute malicious payloads. These intrusions have resulted in hands-on-keyboard activity by threat actors. The situation is evolving, and the root cause linking the updater to unauthorized process spawning is under investigation, though victims are noted to have interests in East Asia.
## Incident Details
- Discovery Date: Approximately one week prior to the article's publication (the author reports the matter had been "rumbling" in their circles for about a week).
- Incident Date: Targeted activity reported to be starting around two months prior to the article's publication.
- Affected Organization: 3 organizations referenced.
- Sector: Not explicitly stated, but victims have interests in East Asia.
- Geography: Victims possess interests in East Asia.
## Timeline of Events
### Initial Access
- Date/Time: Activity reported starting around two months prior to the analysis (Circa late October/early November).
- Vector: Exploitation of Notepad++ auto-updater (GUP/WinGUP) traffic interception/tampering, potentially leading to process execution originating from Notepad++ processes.
- Details: In mid-November, Notepad++ implemented a hardening change for the updater. The GUP mechanism requests update URLs from `https://notepad-plus-plus.org/update/getDownloadUrl.php`, retrieves `gup.xml`, downloads the file to `%TEMP%`, and executes it. Attackers may intercept this HTTP/HTTPS traffic (possibly via ISP-level TLS intercept) to redirect the download to a malicious location.
### Lateral Movement
- Details: Victims reported **hands-on keyboard reconnaissance activity**, implying successful initial access led to manual exploration within the environment. Specific lateral movement techniques are not detailed, but the execution of adversary tools like `curl.exe` for recon suggests standard post-exploitation activity.
### Data Exfiltration/Impact
- Impact: The end result was confirmed **hands-on keyboard threat actors** engaging in activity (reconnaissance). Specific data loss or system damage is not detailed.
### Detection & Response
- Detection: The information comes from reports within security circles; the available detail suggests detection rested on endpoint telemetry showing anomalous behaviour originating from Notepad++ processes or related updater files.
- Response Actions: The primary suggestion is to **upgrade to Notepad++ 8.8.8**, as this version forces downloads from `github.com`, making covert interception more difficult.
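The Initial Access details above describe the updater fetching `gup.xml` and executing whatever the download URL points at, and the response action above describes 8.8.8 forcing that URL onto `github.com`. The following added example (written for this page, not Notepad++'s or WinGUP's own code) shows that difference as two download-location policies applied to the same response. The `<Location>` element and the overall shape of the XML are assumptions about the `gup.xml` format, the sample responses are constructed, and the allowlist is taken from the report's list of expected `gup.exe` destinations.

```python
"""Added example: host allowlisting on a WinGUP-style update response.

Not code from Notepad++ or from the original post. The <Location> element and
the XML shape below are an assumption about gup.xml; the two policy functions
are hypothetical and exist only to contrast "use whatever URL the server
returned" with "only accept downloads from the expected GitHub hosts".
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hosts the report names as legitimate download destinations for gup.exe.
ALLOWED_DOWNLOAD_HOSTS = frozenset({"github.com", "release-assets.githubusercontent.com"})

# Constructed sample responses (format is an assumption, not captured traffic).
GENUINE_RESPONSE = """<?xml version="1.0"?>
<GUP>
  <NeedToBeUpdated>yes</NeedToBeUpdated>
  <Version>8.8.8</Version>
  <Location>https://github.com/notepad-plus-plus/notepad-plus-plus/releases/download/v8.8.8/npp.8.8.8.Installer.x64.exe</Location>
</GUP>"""

# Constructed: what a response rewritten in transit could look like; the file name
# update.exe is one of the report's indicators, the host is a reserved example domain.
TAMPERED_RESPONSE = """<?xml version="1.0"?>
<GUP>
  <NeedToBeUpdated>yes</NeedToBeUpdated>
  <Version>8.8.8</Version>
  <Location>https://updates.example.net/update.exe</Location>
</GUP>"""


def parse_update_location(gup_xml: str) -> str:
    """Return the download URL carried in a gup.xml-shaped document."""
    root = ET.fromstring(gup_xml)
    location = root.findtext("Location")
    if not location or not location.strip():
        raise ValueError("update response carries no <Location> element")
    return location.strip()


def legacy_policy(url: str) -> bool:
    """Pre-8.8.8 behaviour as the report describes it: any non-empty URL is used."""
    return bool(url)


def hardened_policy(url: str, allowed_hosts=ALLOWED_DOWNLOAD_HOSTS) -> bool:
    """8.8.8-style policy: HTTPS only, host on the allowlist, no embedded credentials."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    # Reject userinfo so "https://github.com@other.host/..." cannot read as GitHub.
    if parts.username is not None:
        return False
    try:
        if parts.port not in (None, 443):
            return False
    except ValueError:  # malformed port
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in allowed_hosts


def decide(gup_xml: str, policy) -> tuple:
    """Apply a policy to an update response; returns (accepted, url)."""
    url = parse_update_location(gup_xml)
    return policy(url), url


if __name__ == "__main__":
    for name, response in (("genuine", GENUINE_RESPONSE), ("tampered", TAMPERED_RESPONSE)):
        for policy in (legacy_policy, hardened_policy):
            accepted, url = decide(response, policy)
            print(f"{name:9s} {policy.__name__:16s} accepted={accepted} url={url}")
```

The legacy policy accepts both responses, which is the weakness the report describes: an in-path party who can rewrite the response chooses what gets saved to `%TEMP%` and executed. The hardened policy rejects the rewritten response because its host is off the allowlist; it also rejects plain-HTTP URLs and URLs that put a trusted name in the userinfo part, both of which a naive substring check on "github.com" would miss.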
## Attack Methodology
- Initial Access: Malicious file delivery via modification of the Notepad++ software update mechanism (GUP traffic redirection).
- Persistence: Not explicitly detailed, but hands-on-keyboard activity suggests the ability to establish command and control.
- Privilege Escalation: Not detailed.
- Defense Evasion: Possible use of legitimate system tools such as `curl.exe` (bundled with Windows) to call out to `temp.sh` for reconnaissance. Anomalous executables such as `AutoUpdater.exe` are spawned, potentially masquerading as legitimate updater components or riding the existing trusted updater process chain.
- Credential Access: Not specified.
- Discovery: Suspicion of adversaries using **`curl.exe` to call out to `temp.sh` for recon activity**.
- Lateral Movement: Hands-on-keyboard reconnaissance suggests manual internal network exploration.
- Collection: Not specified.
- Exfiltration: Not specified.
- Impact: Successful delivery of control to hands-on-keyboard threat actors.
## Impact Assessment
- Financial: Not available.
- Data Breach: Not detailed, but reconnaissance implies intent to identify valuable data.
- Operational: Disruption due to active adversary presence requiring incident response.
- Reputational: Low visibility, only affecting a tiny number of organizations so far.
## Indicators of Compromise
- **Network IOCs (Process Context):** `gup.exe` making network requests to domains other than `notepad-plus-plus.org`, `github.com`, or `release-assets.githubusercontent.com`.
- **File IOCs:** Presence of files named `update.exe` or (suspiciously) `AutoUpdater.exe` in the user `%TEMP%` directory, potentially written/executed by `gup.exe`.
- **Behavioral IOCs:**
1. `gup.exe` spawning unexpected processes (it should only spawn `explorer.exe` or `npp*`-named Notepad++ installers).
2. The execution of `curl.exe` calling out to `temp.sh`.
3. `AutoUpdater.exe` executing with the parameter `/closeRunningNpp`.
4. Analysis of digital signatures on updater executables (for versions 8.8.7/8.8.8, look for GlobalSign signatures).
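The indicators listed above, and the "What to watch out for" section of the report, are all expressible as rules over process, network and file telemetry. The following added example (written for this page, not part of the report or of Notepad++) runs those rules over a handful of constructed Sysmon-style events. The record fields (`kind`, `image`, `parent_image`, `cmdline`, `dest_host`, `target`), the installation paths and the user TEMP layout are assumptions and would need mapping onto whatever your EDR actually emits; the rule thresholds are exactly the conditions the report gives.

```python
"""Added example: hunting rules for the Notepad++ updater indicators.

Illustrative code, not from the original post or from Notepad++. Event records
are constructed to resemble Sysmon-style telemetry; field names, file paths and
the TEMP-folder pattern are assumptions.
"""
from __future__ import annotations
import ntpath
import re

# Destinations the report says gup.exe legitimately talks to (subdomains allowed).
EXPECTED_GUP_HOSTS = ("notepad-plus-plus.org", "github.com", "release-assets.githubusercontent.com")
# File names the report calls out when written or executed by gup.exe in user TEMP.
SUSPECT_TEMP_NAMES = frozenset({"update.exe", "autoupdater.exe"})
# Assumed layout of a per-user TEMP folder on Windows.
USER_TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

GUP = r"C:\Program Files\Notepad++\updater\gup.exe"  # constructed path

# Constructed sample telemetry: three benign update events, then a chain built
# from the report's indicators (off-list destination, AutoUpdater.exe dropped in
# TEMP and launched with /closeRunningNpp, curl.exe reaching temp.sh).
SAMPLE_EVENTS = [
    {"kind": "network_connect", "image": GUP, "dest_host": "notepad-plus-plus.org"},
    {"kind": "network_connect", "image": GUP, "dest_host": "release-assets.githubusercontent.com"},
    {"kind": "process_create", "parent_image": GUP,
     "image": r"C:\Users\alice\AppData\Local\Temp\npp.8.8.8.Installer.x64.exe", "cmdline": "npp.8.8.8.Installer.x64.exe"},
    {"kind": "network_connect", "image": GUP, "dest_host": "updates.example.net"},
    {"kind": "file_create", "image": GUP, "target": r"C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe"},
    {"kind": "process_create", "parent_image": GUP,
     "image": r"C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe", "cmdline": "AutoUpdater.exe /closeRunningNpp"},
    {"kind": "process_create", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\curl.exe", "cmdline": "curl.exe -s https://temp.sh/constructed-path"},
]


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def host_allowed(host: str) -> bool:
    """True if host is one of the expected gup.exe destinations or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in EXPECTED_GUP_HOSTS)


def in_user_temp(path: str) -> bool:
    return USER_TEMP_RE.search(path) is not None


def evaluate(events: list[dict]) -> list[dict]:
    """Return one finding per rule hit; an empty list means nothing matched."""
    findings: list[dict] = []
    for e in events:
        kind = e["kind"]
        image = _basename(e.get("image", ""))
        parent = _basename(e.get("parent_image", ""))
        if kind == "network_connect" and image == "gup.exe" and not host_allowed(e["dest_host"]):
            findings.append({"rule": "gup-unexpected-destination", "detail": e["dest_host"]})
        elif kind == "process_create":
            cmdline = e.get("cmdline", "")
            # gup.exe should only launch explorer.exe or an npp*-named installer.
            if parent == "gup.exe" and image != "explorer.exe" and not image.startswith("npp"):
                findings.append({"rule": "gup-unexpected-child", "detail": e["image"]})
            # AutoUpdater.exe is not a Notepad++ file name; /closeRunningNpp is the updater's parameter.
            if image == "autoupdater.exe" and "/closerunningnpp" in cmdline.lower():
                findings.append({"rule": "fake-updater-closerunningnpp", "detail": cmdline})
            if image == "curl.exe" and "temp.sh" in cmdline.lower():
                findings.append({"rule": "curl-temp-sh", "detail": cmdline})
        elif kind == "file_create" and image == "gup.exe":
            target = e["target"]
            if _basename(target) in SUSPECT_TEMP_NAMES and in_user_temp(target):
                findings.append({"rule": "gup-wrote-suspect-temp-file", "detail": target})
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f['rule']:32s} {f['detail']}")
```

The benign prefix of the sample produces no findings; the suspicious chain produces five (the off-list destination, the dropped file, the unexpected child, the `/closeRunningNpp` launch and the `curl.exe` call). A real deployment would also join these on process GUID or parent chain so that a single `gup.exe` instance reaching an unexpected host and then spawning an unexpected child is scored as one incident rather than two unrelated alerts, and would add the signature check the fourth indicator describes, which needs access to the binary on the endpoint rather than to the log alone.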
## Response Actions
- **Containment (Recommended):** Block all network access for `gup.exe` except to the expected domains (`notepad-plus-plus.org`, `github.com`, `release-assets.githubusercontent.com`). For larger enterprises, blocking internet access for `notepad++.exe` might be considered if extension monitoring is weak.
- **Eradication (Recommended):** Ensure all vulnerable installations are patched to Notepad++ 8.8.8 or later. Manually uninstall and reinstall the latest version from the official source rather than relying on auto-update during incident resolution.
- **Recovery Actions:** Verify system integrity by checking for trojanized versions of Notepad++ and confirming that only legitimate update processes executed during the sensitive period.
## Lessons Learned
- **Supply Chain Weakness:** Custom software updaters, especially those with inconsistent HTTPS enforcement, weak validation of the downloaded file, or reliance on low-traffic domains, present a targeted risk that can be exploited through network-level manipulation (e.g., ISP-level TLS interception).
- **Trust Context:** Activity originating from processes associated with trusted software (like Notepad++ installers/updaters) can effectively bypass initial security controls.
- **Awareness Gap:** The incident highlights the importance of monitoring subtle changes in application update paths, as Notepad++ itself had recently hardened its updater prior to these observed incidents.
## Recommendations
1. **Immediate Patching:** Ensure all endpoints are running Notepad++ version **8.8.8 or newer**, which forces updates through `github.com`.
2. **Update Process Hardening:** Advise users to manually download and install major updates rather than relying solely on the built-in auto-update mechanism, especially if there is network-level suspicion.
3. **Endpoint Monitoring Focus:** Enhance EDR rules to specifically flag network connections or subsequent process spawns originating from `gup.exe` that deviate from expected administrative/installer behavior.
4. **External Application Diligence:** Be cautious of advertisements for software that might lead to trojanized versions of frequently used free tools. Verify the authenticity of installed software versions.