Notepad++: Update Mechanism Compromised by State‑Sponsored Actors
- Security Team

- 23 hours ago

The ICS Labs CTI has identified the active exploitation of a supply chain compromise involving Notepad++, a widely used text editor in corporate and technical environments.
According to the project maintainer, state‑sponsored actors compromised the hosting provider’s infrastructure, enabling the interception and selective redirection of update traffic from WinGUp (Notepad++’s updater), without exploiting any direct vulnerabilities in the application’s source code.
The malicious activity is estimated to have begun in June 2025 and remained active for more than six months before being publicly detected.
Threat Overview
The campaign is characterized as a sophisticated, targeted, and stealthy attack exploiting weaknesses in the integrity and authenticity verification process of Notepad++ updates.
Key characteristics observed:
- Redirection of update traffic to malicious servers
- Distribution of tampered executables (poisoned binaries)
- Highly targeted attack affecting only specific subsets of users
- Infrastructure‑level exploitation (hosting provider)
Independent research attributes the activity to the Violet Typhoon (APT31) group, previously linked to cyber‑espionage campaigns conducted by Chinese state‑sponsored actors.
Recommended Actions
- Monitor and restrict automatic updates of Notepad++ in corporate environments.
- Validate hashes and digital signatures of installed program binaries.
- Review firewall and EDR logs for suspicious downloads and anomalous execution of the WinGUp updater.
- Enable alerts for newly created binaries and unexpected outbound connections following updates.
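The "validate hashes" action above is easiest to operationalize fleet-wide: collect the SHA-256 of notepad++.exe and the updater binary from every endpoint and look for hosts whose hash disagrees with the rest (or with a trusted baseline) for the same reported version. The script below is an added example, not code from the ICS Labs advisory or the Notepad++ project. It assumes inventory records with host, file, version and sha256 fields as an EDR or asset tool would export; the hashes and the version string are placeholders, not real Notepad++ values.

```python
"""Added example: flag hash divergence across a fleet of Notepad++ installs.

Not part of the advisory. INVENTORY and BASELINE are constructed; the hashes
are placeholders (not real Notepad++ hashes) and "X.Y.Z" stands in for a
version number.
"""
import hashlib
from collections import Counter, defaultdict


def sha256_file(path):
    """SHA-256 of a local file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_hash_divergence(records, baseline=None):
    """Group records by (file, version) and report hosts whose hash differs.

    records:  iterable of dicts with keys host, file, version, sha256.
    baseline: optional {(file, version): sha256} from a trusted source
              (vendor-published hashes or a clean reference install).
    Without a baseline the majority hash for each (file, version) group is
    treated as the reference, which only works when enough hosts report.
    Returns a list of (host, file, version, observed_hash, expected_hash).
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["file"], r["version"])].append(r)

    findings = []
    for key, rows in groups.items():
        if baseline and key in baseline:
            expected = baseline[key]
        else:
            if len(rows) < 2:
                # A single host cannot be checked against itself.
                continue
            expected = Counter(r["sha256"] for r in rows).most_common(1)[0][0]
        for r in rows:
            if r["sha256"].lower() != expected.lower():
                findings.append((r["host"], key[0], key[1], r["sha256"], expected))
    return findings


# Constructed sample data (placeholders, labelled as such).
KNOWN_GOOD = "a" * 64   # placeholder for the vendor's hash
TAMPERED = "b" * 64     # placeholder for a divergent binary
INVENTORY = [
    {"host": "WS-0101", "file": "notepad++.exe", "version": "X.Y.Z", "sha256": KNOWN_GOOD},
    {"host": "WS-0102", "file": "notepad++.exe", "version": "X.Y.Z", "sha256": KNOWN_GOOD},
    {"host": "WS-0417", "file": "notepad++.exe", "version": "X.Y.Z", "sha256": TAMPERED},
    {"host": "WS-0417", "file": "GUP.exe", "version": "X.Y.Z", "sha256": TAMPERED},
]
BASELINE = {
    ("notepad++.exe", "X.Y.Z"): KNOWN_GOOD,
    ("GUP.exe", "X.Y.Z"): KNOWN_GOOD,
}

if __name__ == "__main__":
    # Majority vote alone catches the outlier notepad++.exe; the lone GUP.exe
    # record is only caught once a trusted baseline is supplied.
    for finding in find_hash_divergence(INVENTORY, BASELINE):
        print("DIVERGENT:", finding)
```

Majority voting is a triage aid, not proof: a targeted campaign that only poisons a subset of users is exactly the case where the outliers matter, so any divergent host should be checked against vendor-published hashes and the binary's digital signature before it is cleared.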
Hardening and Protection Measures
- Centralize software distribution through trusted internal repositories.
- Scan endpoints where the software was updated between June and December 2025.
- Apply the principle of least privilege.
- Update Notepad++ to its latest version.
IOCs:
| INDICATOR | TYPE |
| --- | --- |
| Notepad++ updates outside the official domain | Event |
| Hash divergence between installed versions | Signature |
| Communication with unknown infrastructure during Notepad++ update processes | Event |
| 95.179.213.0 | IP |
| api[.]skycloudcenter[.]com | Domain |
| api[.]wiresguard[.]com | Domain |
| 61.4.102.97 | IP |
| 59.110.7.32 | IP |
| 124.222.137.114 | IP |
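The table mixes behavioural indicators (updater traffic leaving the official domain) with atomic ones (IPs and domains). Both can be applied to firewall or EDR logs in one pass, which is what the "review logs for anomalous WinGUp execution" action calls for. The script below is an added example, not code from the advisory or the Notepad++ project. The atomic IOCs are the ones listed above; the log format is constructed (key=value pairs, one event per line); it assumes notepad-plus-plus.org is the only legitimate update host and GUP.exe is the updater's image name.

```python
"""Added example: triage network events for WinGUp update traffic.

Not from the advisory. SAMPLE_LOG is constructed (TEST-NET addresses for the
benign destinations). Atomic IOCs are copied from the advisory's table.
"""
import re

# Assumptions, not taken from the advisory.
OFFICIAL_DOMAINS = ("notepad-plus-plus.org",)   # legitimate update host
UPDATER_PROCESSES = {"gup.exe"}                  # WinGUp image name

# IOCs as published (defanged) in the advisory.
DEFANGED_IOCS = [
    "api[.]skycloudcenter[.]com",
    "api[.]wiresguard[.]com",
    "95.179.213.0",
    "61.4.102.97",
    "59.110.7.32",
    "124.222.137.114",
]


def refang(indicator):
    """Turn a defanged indicator (api[.]x[.]com) into a matchable string."""
    return indicator.replace("[.]", ".").lower()


IOC_SET = {refang(i) for i in DEFANGED_IOCS}

# Constructed log format: key=value pairs; values with spaces are quoted.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    return {k.lower(): v.strip('"') for k, v in _KV.findall(line)}


def is_official(host):
    """True if host is the official domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def triage(lines):
    """Return one finding per event that matches an IOC or shows the
    updater talking to a host outside the official domain."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        proc = ev.get("process", "").rsplit("\\", 1)[-1].lower()
        dest_host = ev.get("dest_host", "").lower()
        dest_ip = ev.get("dest_ip", "")
        reasons = []
        if dest_host in IOC_SET or dest_ip in IOC_SET:
            reasons.append("matches published IOC")
        if proc in UPDATER_PROCESSES and dest_host and not is_official(dest_host):
            reasons.append("updater traffic outside official domain")
        if reasons:
            findings.append({"host": ev.get("host"), "process": proc,
                             "dest": dest_host or dest_ip, "reasons": reasons})
    return findings


# Constructed events: one benign update, one poisoned update, one IOC hit from
# an unrelated process, one updater call to an unknown host, one browser event.
SAMPLE_LOG = [
    r'ts=2025-07-14T09:12:03Z host=WS-0101 process="C:\Program Files\Notepad++\updater\GUP.exe" dest_host=notepad-plus-plus.org dest_ip=203.0.113.10',
    r'ts=2025-07-14T09:12:05Z host=WS-0417 process="C:\Program Files\Notepad++\updater\GUP.exe" dest_host=api.skycloudcenter.com dest_ip=95.179.213.0',
    r'ts=2025-07-14T10:40:51Z host=WS-0922 process="C:\Windows\System32\svchost.exe" dest_host=api.wiresguard.com dest_ip=198.51.100.7',
    r'ts=2025-07-15T08:03:19Z host=WS-0301 process="C:\Program Files\Notepad++\updater\GUP.exe" dest_host=updates.example.net dest_ip=198.51.100.9',
    r'ts=2025-07-15T08:05:00Z host=WS-0301 process="C:\Program Files\Google\Chrome\Application\chrome.exe" dest_host=www.example.com dest_ip=198.51.100.20',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["host"], f["process"], "->", f["dest"], ";", ", ".join(f["reasons"]))
```

The behavioural rule is the durable one: attacker infrastructure changes, but an updater that resolves anything other than the vendor's domain is suspicious regardless of which list it appears on. In a SIEM, the same logic maps to a correlation rule keyed on the updater's process name and destination, with the atomic IOCs as a lookup table.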
Latest Updates
- June 2025: Estimated start of the exploitation.
- September 2025: Malicious actors lose access to the hosting provider’s server.
- December 9, 2025: Official Notepad++ blog reports that its updater traffic is being redirected to malicious servers due to a WinGUp vulnerability.
- December 2025: Credentials allowing attackers to access internal provider services—even without server access—are disabled.
- February 2, 2026: Official Notepad++ blog publishes detailed incident analysis carried out by security specialists.
- February 5, 2026: Official blog publishes an article clarifying user questions and sharing IOC sources.