Notepad++ Update Hijack

BLUF

 Suspected Chinese state-sponsored actors hijacked the Notepad++ software update mechanism, manipulating the WinGUP updater to deliver malicious payloads, as confirmed on Feb 2, 2026.

Executive Cost Summary


This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.

For organizations affected by the hijacking of the Notepad++ software update mechanism via compromised supply chain infrastructure:

·       Low-end total cost: $1.2M – $2.0M

o   (Limited endpoint exposure, rapid detection, minimal sensitive environment overlap)

·       Typical expected range: $2.0M – $4.5M

o   (Widespread workstation use, multi-week investigation, moderate compliance review)

·       Upper-bound realistic scenarios: $4.5M – $8.0M

o   (Large deployment footprint, regulated data proximity, prolonged forensic validation)

Key Cost Drivers

·       Number of endpoints running vulnerable Notepad++ versions

·       Time-to-detection of malicious update activity

·       Presence of regulated or sensitive workloads on affected systems

·       Depth of forensic investigation required to rule out lateral movement

·       Cyber insurance coverage limits and state-sponsored attribution exclusions

Targeted Sectors

·       Technology

·       Government

·       Individuals

Countries Targeted

·       Primarily East Asia.

Date of First Reported Activity

·       December 2025 (Initial activity)

·       Feb 2, 2026 (Public disclosure).

Date of Last Reported Activity Update

·       February 2, 2026.

APT Group

·       Suspected Chinese state-sponsored actors.

Criminal Organization

·       This is not tied, nor suspected to be tied, to a criminal organization at this time.

IOCs

Network Indicators

·       Suspicious Traffic from gup.exe

o   The legitimate Notepad++ updater, gup.exe, should typically only communicate with notepad-plus-plus.org, github.com, or release-assets.githubusercontent.com. Requests to any other domains are highly suspicious.

·       Third-Party File Drops

o   Execution of curl.exe to call out to temp.sh for reconnaissance activity has been observed.

Host and File-Based Indicators

·       Suspicious File Names

o   Look for files named update.exe or AutoUpdater.exe located in the user %TEMP% folder. Notepad++ does not use these filenames for its legitimate update process.

·       Invalid Digital Signatures

o   Legitimate Notepad++ installers (v8.8.7 and later) should have valid digital signatures from GlobalSign. If an update binary shows an "Unknown Publisher" warning or lacks a signature, it should be treated as malicious.

·       Process Anomalies

o   gup.exe should only spawn explorer.exe or official Notepad++ installers (e.g., npp.8.8.x.Installer.x64.exe). Any other unusual process subspawns are indicators of compromise.

·       Data Exfiltration

o   Malicious binaries were observed collecting system info into a file named a.txt and uploading it to the public host temp.sh using curl.exe.

·       Digital Signatures

o   Any installer not signed by GlobalSign with a valid certificate status is suspect.

Vulnerability Details

·       Affected Component

o   The WinGUp auto-update mechanism.

·       Root Cause

o   A failure to properly verify the authenticity and integrity of downloaded update files, which allowed intercepted traffic to deliver malicious payloads.

·       Mitigation

o   Security researchers recommend upgrading immediately to Notepad++ v8.8.9 or higher, which includes mandatory signature and certificate verification for updates.

Tools Used

·       WinGUP updater modification.

TTPs

Initial Access & Delivery

·       T1195.002 Supply Chain Compromise: Compromise Software Supply Chain

o   Adversaries compromised a hosting provider's shared server to redirect legitimate update traffic to malicious servers.

·       T1584.004 Compromise Infrastructure: Server

o   The attack involved the long-term compromise of a hosting server (June to December 2025) to maintain access to internal credentials and redirect update requests.

·       T1566.002 Spearphishing Link (Alternate Vector)

o   While the primary attack was a direct infrastructure hijack, some incidents were linked to malvertising redirecting users to fake update sites.

Execution & Exploitation

·       T1204.002 User Execution: Malicious File

o   Users were prompted by the legitimate WinGUp updater component to download and run what appeared to be a standard Notepad++ update, which was actually a malicious binary.

·       T1203 Exploitation for Client Execution

o   Attackers exploited a weakness in how the Notepad++ GUP/WinGUp component validated the integrity and authenticity of downloaded update files.

Persistence & Command and Control

·       T1574.001 Hijack Execution Flow: DLL Search Order Hijacking

o   Some versions of Notepad++ were specifically vulnerable to DLL hijacking, allowing attackers to execute malicious code with the application's privileges.

·       T1071.001 Application Layer Protocol: Web Protocols

o   The malicious updates enabled "hands-on-keyboard" activity, where threat actors used the established connection to communicate with command-and-control servers via standard web protocols.

Defense Evasion

·       T1553.002 Subvert Trust Controls: Code Signing

o   The hijack relied on insufficient update verification controls in older Notepad++ versions, which did not properly check digital signatures before execution.

·       T1027 Obfuscated Files or Information

o   Malicious updates delivered through the hijacked channel were often compromised executables designed to blend in with legitimate software to evade detection.


CVE-2023-40031

CVSS:3.1

·       (7.8) AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Score: 7.8 High).

Nessus ID

·       181867

Is CVE-2023-40031 on the KEV List?

·       No

What is the CISA Patch by Date?

·       Not applicable at this time

Patch Release Date

·       September 2023

Primary Objectives

·       Arbitrary code execution via heap buffer write overflow during UTF-16 to UTF-8 conversion.

Behavior Analysis

·       The Utf8_16_Read::convert function

o   Fails to properly check buffer sizes

o   Allows a heap overflow when opening a specially crafted file.
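The buffer-size failure above comes down to one piece of arithmetic: UTF-16 code units in the range U+0800 to U+FFFF (most CJK text, for example) occupy 2 bytes but encode to 3 bytes of UTF-8, so an output buffer sized to the input length is too small. The Python below is an added illustration written for this page, not Notepad++ code and not the patched function; it computes the exact UTF-8 size a UTF-16LE buffer will need, reports how far a naively sized buffer would be overrun, and shows the checked conversion a converter should perform before writing. The sample strings are constructed.

```python
# Per-code-unit sizing for a UTF-16LE -> UTF-8 conversion (added example, not Notepad++ code).

def utf8_len_from_utf16le(data: bytes) -> int:
    """Number of bytes a correct UTF-8 conversion of this UTF-16LE buffer produces."""
    if len(data) % 2:
        raise ValueError("UTF-16 input must have an even number of bytes")
    units = [int.from_bytes(data[i:i + 2], "little") for i in range(0, len(data), 2)]
    total, i = 0, 0
    while i < len(units):
        u = units[i]
        if u < 0x80:                       # ASCII: 2 input bytes -> 1 output byte
            total += 1
        elif u < 0x800:                    # Latin-1 supplement, Greek, Cyrillic...: 2 -> 2
            total += 2
        elif (0xD800 <= u <= 0xDBFF and i + 1 < len(units)
              and 0xDC00 <= units[i + 1] <= 0xDFFF):
            total += 4                     # surrogate pair: 4 input bytes -> 4 output bytes
            i += 1
        else:                              # rest of the BMP (CJK etc.): 2 -> 3, the growth case
            total += 3
        i += 1
    return total


def overflow_if_sized_to_input(data: bytes) -> int:
    """Bytes that would land past the end of an output buffer only len(data) bytes long."""
    return max(0, utf8_len_from_utf16le(data) - len(data))


def fits(data: bytes, capacity: int) -> bool:
    """True when the converted output is guaranteed to fit in `capacity` bytes."""
    return utf8_len_from_utf16le(data) <= capacity


def convert_checked(data: bytes, capacity: int) -> bytes:
    """Convert only after proving the output fits; this is the missing check."""
    if not fits(data, capacity):
        raise ValueError(f"output needs {utf8_len_from_utf16le(data)} bytes, buffer holds {capacity}")
    return data.decode("utf-16-le").encode("utf-8")


if __name__ == "__main__":
    # Constructed samples: ASCII shrinks, CJK grows by 50%, an emoji pair stays the same size.
    for text in ("hello", "测试文本", "a😀b"):
        raw = text.encode("utf-16-le")
        print(f"{text!r}: utf16={len(raw)}B utf8={utf8_len_from_utf16le(raw)}B "
              f"overrun_if_sized_to_input={overflow_if_sized_to_input(raw)}B")
```

The worst case for BMP text is a 3:2 expansion, so a converter that sizes its destination as a fixed multiple of the source must use at least 1.5x the input length (or, as here, compute the exact size from the code units first).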

Delivery Methods

·       Requires a victim to open a malicious text file using the affected Notepad++ version (User Interaction).

CVE-2025-49144

CVSS:3.1

·       (7.3) AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Nessus ID

·       240630

On KEV List

·       No

CISA Patch by Date

·       Not applicable at this time

Patch Release Date

·       June 30, 2025

Primary Objectives

·       Local Privilege Escalation (LPE) to SYSTEM level.

Behavior Analysis

·       The installer insecurely searches for regsvr32.exe in the current directory before system paths (Binary Planting/DLL Hijacking).

Delivery Method

·       Social engineering or clickjacking to trick users into downloading the installer and a malicious regsvr32.exe into the same directory (e.g., Downloads folder)

Mitigation

·       Users should verify update sources and check for unauthorized network traffic from the updater to hosts other than notepad-plus-plus.org.

Malware Names

·       Unable to locate names directly related to this recent campaign

Malware Family

·       Unknown at this time.

sha256

·       No public campaign-wide list; varies by targeted payload.

Known Decoding Key

·       Not publicly disclosed.

Verdict

·       State-sponsored supply chain infrastructure compromise.

Primary Objectives

·       Initial access and cyber espionage.

Behavior Analysis

·       WinGUp (gup.exe) makes requests to non-official domains or spawns anomalous child processes (e.g., cmd.exe, PowerShell) immediately after an update attempt.

Suggested Rules / Potential Hunts

As a reminder, these are indicator rules. They are likely to be noisy.

For best results consider creating a data model and reviewing the traffic as a report.

Suricata

·       Detect HTTP request for gup.xml to unexpected domains

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"POTENTIAL Notepad++ Update Hijack gup.xml Request"; flow:established,to_server; http.uri; content:"/gup.xml"; http.host; content:!"notepad-plus-plus.org"; sid:1000001; rev:1;)


·       Detect potential malicious binary download (e.g., .exe or .zip) via GUP

alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"POTENTIAL Notepad++ Malicious Installer Download"; flow:established,to_client; file_data; content:"PK|03 04|"; depth:4; fileext:"zip"; sid:1000002; rev:1;)

SentinelOne

·       Hunt for Suspicious GUP Execution Paths:

ProcessName = "GUP.exe" AND ProcessFilePath Not In ("*\\Program Files\\Notepad++\\updater\\GUP.exe", "*\\Program Files (x86)\\Notepad++\\updater\\GUP.exe")


·       Hunt for GUP spawning shell or suspicious processes:

ParentProcessName = "GUP.exe" AND ProcessName In ("cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe")


·       Hunt for rogue regsvr32.exe planted with the installer:

ProcessName = "regsvr32.exe" AND ParentProcessName ContainsCIS "npp." AND ParentProcessName ContainsCIS "Installer"


·       Monitor for Installer spawning non-standard binaries:

ParentProcessName ContainsCIS "npp." AND ParentProcessName ContainsCIS "Installer" AND ProcessName Not In ("Notepad++.exe", "GUP.exe")


·       Hunt for unauthorized plugin creation:

Indicator = "File Creation" AND FilePath ContainsCIS "\\Notepad++\\plugins\\" AND ProcessName != "Notepad++Installer.exe"


Splunk

·       GUP.exe Network Activity to Non-Official Domains

index=endpoint sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=3 Image="*\\gup.exe"

| search NOT (DestinationHostname="*.notepad-plus-plus.org" OR DestinationHostname="*.github.com" OR DestinationHostname="*.githubusercontent.com")

| stats count by Computer, Image, DestinationHostname, DestinationIp, User


·       Unusual File Creation by GUP.exe

index=endpoint sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11 Image="*\\gup.exe" TargetFilename="*.exe"

| stats count by Computer, Image, TargetFilename, User


·       GUP.exe Spawning Child Processes (Potential Shell)

index=endpoint sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 ParentImage="*\\gup.exe" Image!="*\\gup.exe"

| stats count by Computer, ParentImage, Image, CommandLine, User
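The SIEM queries above and the host and network indicators listed earlier (allowed updater domains, expected gup.exe children, update.exe/AutoUpdater.exe in %TEMP%, curl.exe to temp.sh, regsvr32.exe planted beside the installer) describe the same handful of checks. The following Python is an added example written for this page, not code from Notepad++ or from any of the products named above; it applies those checks to Sysmon-style events (EventCode 1, 3 and 11 with the standard Sysmon field names) read as JSON lines. The sample events, host names such as update-mirror.example, computer names and user paths are all constructed; tune the allowlists to your own telemetry before using it for triage.

```python
import json
from fnmatch import fnmatch

# Hosts the legitimate updater is expected to contact (from the IOC section).
ALLOWED_UPDATE_HOSTS = ("notepad-plus-plus.org", "github.com", "release-assets.githubusercontent.com")
# Public host the campaign's binaries uploaded a.txt to with curl.exe.
EXFIL_HOST = "temp.sh"
# gup.exe is only expected to start explorer.exe or an official installer.
EXPECTED_GUP_CHILDREN = ("explorer.exe",)
OFFICIAL_INSTALLER_GLOB = "npp.*.installer.*.exe"
# Dropper names seen in %TEMP%; Notepad++ never uses them for updates.
SUSPICIOUS_TEMP_NAMES = ("update.exe", "autoupdater.exe")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path):
    """Lower-cased final path component, tolerating / or \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def host_allowed(host):
    """Exact or subdomain match against the allowlist; no substring matching."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_UPDATE_HOSTS)


def is_official_installer(name):
    return fnmatch(name.lower(), OFFICIAL_INSTALLER_GLOB)


def evaluate(ev):
    """Return a list of finding strings for one Sysmon-style event dict."""
    code = ev.get("EventCode")
    image_path = ev.get("Image", "")
    image, parent = basename(image_path), basename(ev.get("ParentImage", ""))
    host = ev.get("DestinationHostname", "")
    target = ev.get("TargetFilename", "")
    if code == 3:  # network connection
        if image == "gup.exe" and not host_allowed(host):
            return [f"gup.exe connected to non-official host {host}"]
        if image == "curl.exe" and host.lower() == EXFIL_HOST:
            return [f"curl.exe contacted {EXFIL_HOST} (observed exfiltration host)"]
    elif code == 1:  # process creation
        if parent == "gup.exe" and image not in EXPECTED_GUP_CHILDREN and not is_official_installer(image):
            return [f"gup.exe spawned unexpected child {image}"]
        if (image == "regsvr32.exe" and is_official_installer(parent)
                and not image_path.lower().startswith(SYSTEM_DIRS)):
            return [f"installer ran regsvr32.exe from outside the system directory: {image_path}"]
    elif code == 11:  # file creation
        name = basename(target)
        if name in SUSPICIOUS_TEMP_NAMES and "\\temp\\" in target.lower():
            return [f"suspicious updater filename written to TEMP: {target}"]
        if image == "gup.exe" and name.endswith(".exe") and not is_official_installer(name):
            return [f"gup.exe wrote unexpected executable {target}"]
    return []


def hunt(jsonl):
    """Run evaluate() over JSON-lines input; returns (Computer, finding) tuples."""
    results = []
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            results.extend((ev.get("Computer", "?"), f) for f in evaluate(ev))
    return results


# Constructed sample telemetry: three benign events, five that should fire.
SAMPLE_EVENTS = r'''
{"Computer": "WS-01", "EventCode": 3, "Image": "C:\\Program Files\\Notepad++\\updater\\GUP.exe", "DestinationHostname": "notepad-plus-plus.org"}
{"Computer": "WS-01", "EventCode": 3, "Image": "C:\\Program Files\\Notepad++\\updater\\GUP.exe", "DestinationHostname": "release-assets.githubusercontent.com"}
{"Computer": "WS-02", "EventCode": 3, "Image": "C:\\Program Files\\Notepad++\\updater\\GUP.exe", "DestinationHostname": "update-mirror.example"}
{"Computer": "WS-01", "EventCode": 1, "ParentImage": "C:\\Program Files\\Notepad++\\updater\\GUP.exe", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\npp.8.8.7.Installer.x64.exe"}
{"Computer": "WS-02", "EventCode": 1, "ParentImage": "C:\\Program Files\\Notepad++\\updater\\GUP.exe", "Image": "C:\\Windows\\System32\\cmd.exe"}
{"Computer": "WS-02", "EventCode": 11, "Image": "C:\\Program Files\\Notepad++\\updater\\GUP.exe", "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"}
{"Computer": "WS-02", "EventCode": 3, "Image": "C:\\Windows\\System32\\curl.exe", "DestinationHostname": "temp.sh"}
{"Computer": "WS-03", "EventCode": 1, "ParentImage": "C:\\Users\\carol\\Downloads\\npp.8.8.7.Installer.x64.exe", "Image": "C:\\Users\\carol\\Downloads\\regsvr32.exe"}
'''

if __name__ == "__main__":
    for computer, finding in hunt(SAMPLE_EVENTS):
        print(f"{computer}: {finding}")
```

Each check is intentionally narrow: the domain test is an exact or subdomain match so a look-alike host such as evil-notepad-plus-plus.org is not allowlisted by accident, and the regsvr32.exe check fires only when the parent is the official installer name pattern and the binary was not loaded from a Windows system directory, which is the binary-planting condition behind CVE-2025-49144.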

Delivery Method

·       Supply Chain Attack

References

The Record Media

·       hxxps://therecord.media/popular-text-editor-hijacked-by-suspected-state-sponsored-hackers

Notepad Plus Plus Org

·       hxxps://notepad-plus-plus.org/news/hijacked-incident-info-update/

NVD

·       hxxps://nvd.nist.gov/vuln/detail/CVE-2023-40031

·       hxxps://nvd.nist.gov/vuln/detail/CVE-2025-49144

Tenable

·       hxxps://www.tenable.com/cve/CVE-2023-40031/plugins

·       hxxps://www.tenable.com/cve/CVE-2025-49144/plugins
