Notepad++ have released a new version to fix the auto update process being hijacked https://notepad-plus-plus.org/news/v889-released/
I reported the vulnerability, it is being hijacked by threat actors in China. https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9
Impacted boxes have things like FatBeehive and other tools installed, there’s hunting guides in that blog.
Notepad++ author really good btw, quick turn around.
Notepad++ have today confirmed their auto process was compromised by Chinese nation state threat actors, in a supply chain hack: https://notepad-plus-plus.org/news/hijacked-incident-info-update/
This backs up my blog from late last year, with #GAYINT threat actor mapping to Funky Stamen.
The infrastructure and update mechanisms have since been tightened. For what it’s worth - entry was to telcos and financial services with interests aligned to China. Notepad++ dev did a great job treating issue seriously.
Here’s my original blog with threat hunting suggestions: https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9
Of note - the cyber industry entirely slept through it. A cartoon porg with #GAYINT threat intelligence had to blow it up.
IOCs for Notepad++ auto update compromise. I have some more I’ll publish later.
You may notice I’d tagged the IOCs on VirusTotal as malicious months ago. https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
Kaspersky have more new IOCs for the Notepad++ activity. It’s actually different activity clusters they identitied.
They’ve got most of the IOCs I’d found now although more to come.
Kaspersky GReAT experts discovered previously undocumented infection chains used in the Notepad++ supply chain attacks. The article provides new IoCs related to those incidents which employ DLL sideloading and Cobalt Strike Beacon delivery.
A fun one about the Notepad++ incident is, although my toots about it auto deleted (I have my toots set to auto delete unless I bookmark them), it was first revealed on the Fediverse in followers only mode a few months ago - I had a thread running for it back then.
When in follower only mode, the C2 infrastructure was still up so I was still able to track it - they only burnt it down when I wrote the blog. So follow me to see nation state espionage get live tooted, I guess.
@GossiTheDog Dude, we know you're very good at what you do already, it's why we follow you!
Ok, that and Gossi Airways.
@GossiTheDog Reminds me that time when I fucked up a cyber operation of the Vietnamese intelligence...
(I didn't know that it was their operation at the time, to be honest.)
Am I missing things or does this report not line up with your findings?
https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
>For what it’s worth - entry was to telcos and financial services with interests aligned to China
Oh, that'll be the UK as well now, since Starmer's fallen into bed with Mr Xi. 😩
For six months, Notepad++ delivered malware instead of updates. Millions downloaded the infected version. This is how the attack worked and what to check on your systems.
I'm sure there's a way to spin this as a GenAI attack... PR nonsense by some AI security firm coming in 3...2..1..
@GossiTheDog Scary stuff.
Notepad++ is great. It's a must-have app for me on Windows. But I also turn off auto-update on stuff like that. It bothers me when stuff that has no business using the internet tries to use the internet... so I tend to disable it out of principle. And for me I guess it paid off this time!
@GossiTheDog Motherfuckers.
Good work my friend.
Robert Gützkow
Kevin Beaumont
David Penfold 
CryptoLek 🍉🌻
Chris
Ketumbra
VessOnSecurity
hal8999
gunstick
0xfedi
Rairii 
Alan Miller 
🇺🇦
RonnyTNL
Pete the Gopher Keeper
8tpercent
Wordmark
Dirk Hohndel
波鉄 (Hatetsu)
rwhitworth
🐦🔥nemo™🐦⬛ 🇺🇦🍉
Stu Tomlinson
K~
Ambient Sponge
Analog AI
Late Stage Mall-Emo Realism
