Hunting the Notepad++ Update Hijack

crashpn1 pts0 comments

Hunting the Notepad++ Update Hijack

Skip to main content

Nebulock Raises $25M Series A Funding

Close Announcement Banner

BLOG

Book a Demo

BLOG

Book a Demo

Hunt Mode

Hunting the Notepad++ Update Hijack

Jarrett Polcari<br>Lead Detection Engineer

Feb 18, 2026

On This Page

TOC Element

Share:

Hunt Mode with Nebulock<br>This series breaks down modern threats by focusing on the one thing attackers cannot hide: behavior . It centers on the actions, decisions, and required steps that expose autonomous tooling misuse. Rather than replying on signatures or package names, Hunt Mode focuses on the behaviors that remain consistent even as frameworks change. This is guidance on how to baseline, hunt, and validate activity in your environment. To hunt these behaviors in this post, you need visibility into process execution and parent-child relationships. EDR process logs and standard endpoint telemetry are sufficient to operationalize every behavior in this breakdown.<br>Over the last year, software supply-chain attacks have shifted from occasional, high-profile incidents into a repeatable and increasingly preferred intrusion technique.<br>Attackers have learned that compromising how software is delivered is often easier and more effective than exploiting vulnerabilities in the software itself. Update mechanisms, build pipelines, package repositories, and hosting providers have all recently become targets because they are often overlooked and treated with implicit trust.<br>When software deviates from its usual behavior that provides us as hunters an opportunity to identify those shifts. Below we will dive into some of the ways the Notepad++ updater exhibited unexpected behavior and how we can look for it.<br>Several excellent technical breakdowns of this incident have already been published by the Notepad++ team, Rapid7, and Censys. Rather than repeating that work, we’ll treat those findings as ground truth and focus on what a hunter should have noticed while the activity was unfolding.<br>Supply Chain Compromise<br>In the Notepad++ incident, attackers did not exploit a vulnerability in the editor. Instead, they compromised portions of the update delivery infrastructure and used that access to selectively serve malicious installers to a small set of users.<br>Only a targeted subset of systems received the trojanized updates. There was no mass campaign, no noisy distribution, and no obvious indicators that something was wrong at scale.<br>From a defensive standpoint, this is the kind of activity that can slip past reputation-based controls, hash allowlists, and trusted application controls.<br>Why Notepad++ is a Good Hunt Case<br>This supply chain update hijack is a great case for looking at deviations from behavioral baselines.<br>There is nothing inherently suspicious about:<br>Notepad++ running<br>An updater checking for new versions<br>An installer executing

The suspicious behavior becomes apparent when you understand the expected patterns and observe the deviations.<br>Behavioral Chain Overview<br>This is the high-level summary of the compromised update flow:<br>Notepad++ is launched<br>The built-in updater (gup.exe) checks for updates<br>Update traffic is redirected to attacker-controlled infrastructure<br>A malicious installer is downloaded and executed<br>The installer drops and launches a backdoor<br>Post-compromise behaviors begin

Let’s examine opportunities that present themselves throughout this chain.<br>Network Behavior from Trusted Updaters<br>The updater was doing what it always does: checking for updates. The difference was where it was checking.<br>By examining the domains the updater typically reaches out to for updates, you can identify changes or newly seen domains.<br>Baseline Expectations<br>A legitimate updater should:<br>Contact a small, stable set of vendor-controlled domains<br>Resolve to predictable infrastructure<br>Rarely introduce new destinations without a clear reason<br>What to Hunt<br>Update processes connecting to unfamiliar domains or raw IP addresses<br>DNS requests that don’t align with known vendor infrastructure<br>TLS certificates that don’t match expected publisher identity<br>Update traffic bypassing normal egress or proxy paths

This could potentially be a blindspot. Many environments allowlist update traffic and never revisit it or it’s often removed from investigative or detection queries due to it being labeled as noise.<br>Update Mechanism Behavior<br>In this instance, the legitimate gup.exe used by Notepad++ to download updates was redirected to a malicious update package.<br>Baseline Expectations<br>Before you hunt, you should know:<br>Where gup.exe normally resides on disk<br>What processes it typically spawns<br>What domains it typically reaches out to for updates<br>How update execution usually looks in your environment

Knowing these details can help you understand and build a baseline for update behavior within your environment.<br>What to Hunt<br>gup.exe (and other updaters) spawning unexpected child processes<br>Installer execution chains that don’t match prior update behavior<br>Update...

update notepad hunt behavior from updater

Related Articles