Security Week 2607: Details of the Notepad++ User Attack
Last week's major news was the report of a compromise of the Notepad++ text editor's update mechanism. According to the developers, the infrastructure that automatically delivers new program versions was compromised. The breach occurred at the hosting-provider level: in rare cases, users received a malicious file instead of a legitimate update.
It was initially reported that the virtual server from which updates were distributed was hacked in June 2025. According to the provider, updates deployed on the server in September closed the attackers' access. However, the same provider stated that credentials for several internal services on the same server could have been used by the attackers until early December 2025. On December 9, the Notepad++ developers took a drastic step: they tightened the checks performed during updates and changed hosting providers. On February 4, Kaspersky Lab experts published the results of their own investigation, which revealed what happened to the victims of the attack and how long the threat remained active.
Two main conclusions can be drawn from their research. First, the attack was narrowly targeted: the publication analyzes "three infection chains aimed at attacking more than 10 computers." The constant rotation of the addresses from which victims received malicious files, of the files themselves, and even of the methods used to execute the malicious code indicates that the organizers did not want to burn a valuable resource prematurely. Second, Kaspersky Lab's solutions successfully halted these attacks, even though the malicious code arrived through a "trusted" channel for updating legitimate software.
In all cases, the victims received the file update.exe not from the official Notepad++ server but from a server controlled by the attackers, to which they were redirected. When this file was executed, a message was sent to the attackers. In addition, a directory %appdata%\ProShow was created, in which the malicious code was saved together with the output of two commands, whoami and tasklist. This system data was uploaded to the hosting service temp.sh, and a link to the uploaded file was sent to the organizers. Alongside the malicious code, a legitimate program, ProShow, was unpacked: a now-defunct utility for creating slideshows from photos and videos. A long-known vulnerability in this program, dating from the early 2010s, was exploited to execute shellcode, which then loaded the payload: the Cobalt Strike Beacon.
The second attack chain again changed the URLs and addresses used for downloading the malicious code and communicating with the organizers, but it used a fundamentally different method of executing the malicious code: via a Lua interpreter. The third infection variant used the legitimate program BluetoothService.exe, with the malicious code executed through DLL sideloading. This variant was also described in a publication by Rapid7. An important addition to the official data from the Notepad++ developers is the timeline of detected infection attempts:
The first attacks were recorded in July, a month after the presumed breach of the infrastructure. Server updates in September 2025 did not help resolve the issue. The aforementioned third attack variant with BluetoothService.exe was recorded in early October, while mid-October saw attempts to infect using the earlier attack variant that utilized the Lua interpreter. This data is partially confirmed by messages on the Notepad++ forum (example), dated late October 2025. No attacks were recorded in November of last year, and by early December, the problem was resolved both by changing the hosting provider and by strengthening the checks of the update mechanism.
Interestingly, in their February 5 update, the Notepad++ developers recommend, as a drastic measure, that corporate users install the text editor with the update system completely disabled. While this option may protect against the next supply chain attack, it carries the opposite risk: sooner or later a vulnerability will be discovered in such popular software, and it will then have to be patched manually. The publication also analyzes how Kaspersky Lab's corporate solutions block such attacks based on a whole range of malicious indicators: access to the "questionable" resource temp.sh, the use of built-in Windows utilities to gather system information, and outright malicious actions such as establishing persistence at startup.
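As an added illustration of how the indicators listed above can be correlated on an endpoint (this is not Kaspersky's or Notepad++'s code), the following Python sketch scores a stream of Sysmon-like process, network and registry events per host. The indicators come from the write-up: a process named update.exe spawning whoami or tasklist, execution from %APPDATA%\ProShow, an outbound connection to temp.sh, and a Run-key write for startup persistence. The event field names, the host names, the timestamps and the assumption that the Run key is written by a process in the ProShow directory are all constructed for this example.

```python
"""Correlate the Notepad++ update-attack indicators across endpoint events.

Added example, not code from the write-up or from Notepad++. The event
shape is a constructed, Sysmon-like dict; the field names (ts, host, event,
image, parent, dest_host, target) are assumptions for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Indicators named in the write-up. The Run-key marker is the generic
# startup-persistence location (assumed location for "runs at startup").
SUSPECT_UPLOAD_HOSTS = {"temp.sh"}
RECON_TOOLS = {"whoami.exe", "tasklist.exe"}
DROP_DIR_MARKER = "\\appdata\\roaming\\proshow\\"   # %APPDATA%\ProShow
RUN_KEY_MARKER = "\\currentversion\\run\\"

# No single indicator is conclusive (an admin running tasklist is normal),
# so an alert fires only on a combination seen on one host within WINDOW.
WEIGHTS = {
    "recon_from_updater": 2,  # whoami/tasklist spawned by update.exe
    "drop_dir_exec": 2,       # anything executed from %APPDATA%\ProShow
    "upload_host": 3,         # outbound connection to temp.sh
    "run_key_persist": 2,     # Run-key write by a process in the drop dir
}
ALERT_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> Optional[str]:
    """Map one event to an indicator name, or None if it matches nothing."""
    kind = ev["event"]
    if kind == "process":
        image = ev["image"].lower()
        parent = ev.get("parent", "").lower()
        if _basename(image) in RECON_TOOLS and _basename(parent) == "update.exe":
            return "recon_from_updater"
        if DROP_DIR_MARKER in image:
            return "drop_dir_exec"
    elif kind == "network":
        if ev["dest_host"].lower() in SUSPECT_UPLOAD_HOSTS:
            return "upload_host"
    elif kind == "registry":
        if RUN_KEY_MARKER in ev["target"].lower() and DROP_DIR_MARKER in ev["image"].lower():
            return "run_key_persist"
    return None


def score_events(events: list) -> list:
    """Group indicator hits per host, slide a time window over them, and
    return one alert per host whose distinct-indicator weight sum reaches
    ALERT_THRESHOLD. Distinct indicators count once, so repeating whoami
    does not inflate the score."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        name = classify(ev)
        if name:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), name))
    alerts = []
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):
            in_window = {n for t, n in hits[i:] if t - t0 <= WINDOW}
            total = sum(WEIGHTS[n] for n in in_window)
            if total >= ALERT_THRESHOLD:
                alerts.append({"host": host, "score": total, "indicators": sorted(in_window)})
                break
    return alerts


# Constructed sample events: WS-17 shows the full chain; WS-42 is an admin
# running tasklist from cmd.exe, which must not alert.
SAMPLE_EVENTS = [
    {"ts": "2025-10-03T09:00:00", "host": "WS-17", "event": "process",
     "image": r"C:\Users\u\AppData\Local\Temp\update.exe",
     "parent": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"ts": "2025-10-03T09:00:05", "host": "WS-17", "event": "process",
     "image": r"C:\Windows\System32\whoami.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\update.exe"},
    {"ts": "2025-10-03T09:00:06", "host": "WS-17", "event": "process",
     "image": r"C:\Windows\System32\tasklist.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\update.exe"},
    {"ts": "2025-10-03T09:00:09", "host": "WS-17", "event": "network",
     "image": r"C:\Users\u\AppData\Local\Temp\update.exe", "dest_host": "temp.sh"},
    {"ts": "2025-10-03T09:00:20", "host": "WS-17", "event": "process",
     "image": r"C:\Users\u\AppData\Roaming\ProShow\proshow.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\update.exe"},
    {"ts": "2025-10-03T09:00:21", "host": "WS-17", "event": "registry",
     "image": r"C:\Users\u\AppData\Roaming\ProShow\proshow.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ProShow"},
    {"ts": "2025-10-03T11:30:00", "host": "WS-42", "event": "process",
     "image": r"C:\Windows\System32\tasklist.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for alert in score_events(SAMPLE_EVENTS):
        print(alert)
```

The weighting is deliberately asymmetric: the temp.sh connection scores highest because it is the least ambiguous of the four, while recon commands and a Run-key write each need a second indicator before the host crosses the threshold.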
What else happened
Another Kaspersky Lab study analyzes the activities of the Stan Ghouls group, which attacks targets in Russia and Uzbekistan.
The past week also brought research on the security of AI services. The newly created and immediately popular "social network for robots" Moltbook, as discovered by Wiz, used an open database accessible to anyone. Publicly exposed were 1.5 million API tokens and 35 thousand email addresses. Another trendy innovation is the personal AI assistant OpenClaw (previously known as Clawdbot and Moltbot), which is installed locally but requires a paid subscription. OpenClaw users are attacked using the traditional method: malicious extensions (or "skills") published both on GitHub and in the official repository. Installing such an extension can give attackers access to email and other private data.
A study by Datadog shows how attackers modify the nginx web server's configuration for malicious purposes; the servers are compromised through the React2Shell vulnerability.