
The Notepad++ supply chain attack — unnoticed execution chains and new IoCs

  • Feb 3
  • 1 min read

Key Findings


  • Notepad++ update infrastructure was compromised from June to December 2025

  • Attackers rotated C2 server addresses, downloaders, and final payloads over 4 months

  • Attacks targeted individuals, government, financial, and IT organizations in various countries

  • Kaspersky solutions were able to block the identified attacks as they occurred


Background


On February 2, 2026, the developers of Notepad++, a text editor popular among developers, published a statement saying that the Notepad++ update infrastructure had been compromised. The root cause was an incident at the hosting-provider level that lasted from June to September 2025; however, the attackers were able to retain access to internal services until December 2025.


Chain #1 — Late July and Early August 2025


  • Attackers deployed a malicious Notepad++ update hosted at http://45.76.155[.]202/update/update.exe

  • The update.exe file was an NSIS installer that sent a heartbeat containing system information to the attackers

  • It then dropped and executed a legitimate copy of the ProShow software and abused an old vulnerability in it to launch a malicious payload
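As an added example (not code from the Securelist report or from this post), the following Python correlates constructed EDR-style events to flag the Chain #1 pattern described above: a dropped update.exe that contacts the listed address and then launches a ProShow binary. The event field names, process IDs and file paths are assumptions; the C2 address is the one quoted on the page, re-fanged.

```python
from collections import defaultdict

C2_HOST = "45.76.155.202"  # indicator quoted on the page (defanged there as 45.76.155[.]202)

# Constructed EDR-style events, not real telemetry; field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 100, "ppid": 1, "image": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"type": "process_start", "pid": 200, "ppid": 100, "image": r"C:\Users\u\AppData\Local\Temp\update.exe"},
    {"type": "network", "pid": 200, "dest_ip": C2_HOST, "dest_port": 80},   # heartbeat
    {"type": "process_start", "pid": 300, "ppid": 200, "image": r"C:\Users\u\AppData\Local\Temp\proshow.exe"},
    {"type": "process_start", "pid": 400, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "network", "pid": 400, "dest_ip": "10.0.0.5", "dest_port": 443},  # benign traffic
    {"type": "process_start", "pid": 500, "ppid": 1, "image": r"C:\Users\u\Downloads\tool.exe"},
    {"type": "network", "pid": 500, "dest_ip": C2_HOST, "dest_port": 80},   # C2 contact only
]


def correlate_chain1(events, c2_hosts=frozenset({C2_HOST})):
    """Return alerts, sorted by pid, for processes that contacted a known C2 host.

    Severity is "high" when the full chain is visible (an update.exe that sent the
    heartbeat and then spawned a ProShow binary), otherwise "medium" for the C2
    contact alone, which is still worth triage on its own."""
    image = {}                      # pid -> lower-cased image path
    children = defaultdict(list)    # ppid -> [child pids]
    talked_to_c2 = set()
    for ev in events:
        if ev["type"] == "process_start":
            image[ev["pid"]] = ev["image"].lower()
            children[ev["ppid"]].append(ev["pid"])
        elif ev["type"] == "network" and ev["dest_ip"] in c2_hosts:
            talked_to_c2.add(ev["pid"])

    alerts = []
    for pid in sorted(talked_to_c2):
        img = image.get(pid, "")
        proshow_kids = [c for c in children[pid] if "proshow" in image.get(c, "")]
        full_chain = img.endswith("\\update.exe") and bool(proshow_kids)
        alerts.append({
            "pid": pid,
            "image": img,
            "children": proshow_kids,
            "severity": "high" if full_chain else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate_chain1(SAMPLE_EVENTS):
        print(alert)
```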


Sources


  • https://securelist.com/notepad-supply-chain-attack/118708/

  • https://www.reddit.com/r/sysadmin/comments/1qv2c7k/the_notepad_supply_chain_attack_unnoticed/

  • https://x.com/kucher1n/status/2018626519925477641

  • https://x.com/blackorbird/status/2018675064510558237

© 2025 by Explain IT Again