Nation-State Actors Exploit Notepad++ Supply Chain

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://unit42.paloaltonetworks.com/notepad-infrastructure-compromise/
• Blog Title: Nation-State Actors Exploit Notepad++ Supply Chain
• Suggested Section: Pentesting Web / Supply Chain (new subsection) or Windows Local Privilege Escalation -> Dll Hijacking (add: signed-binary DLL sideloading via trojanized installers/update mechanisms) and/or Generic Hacking -> Supply-chain update hijacking (updater manifest/signature validation pitfalls, XMLDSig, certificate+signature enforcement)

🎯 Content Summary

Title / publication
Blog post: “Nation-State Actors Exploit Notepad++ Supply Chain” (Unit 42). Published February 11, 2026.

What happened (timeline + scope)
Between June–December 2025, attackers compromised the official Notepad++ hosting/update infrastructure by breaching a shared hosting provider. Unit 42 observed related activity mainly from mid‑August to November 2025.

The compromise enabled an infrastructure...

🔧 Technical Details

Supply-chain update hijack via weak update verification: When an application’s updater does not strictly validate update metadata and the authenticity of the downloaded installer (certificate + signature), an attacker who can tamper with update-server responses (e.g., via hosting/CDN/DNS/network interception) can serve a malicious manifest that redirects selected clients to attacker-controlled download URLs. The victim then downloads and executes a trojanized installer (here, an NSIS update.exe), resulting in direct endpoint code execution.

Bring-your-own signed binary + DLL sideloading for stealth execution: Bundle a legitimate signed executable that will attempt to load a DLL by name, then place a malicious DLL with that expected name (e.g., log.dll) in the executable’s DLL search path. When the signed executable runs (here, Bitdefender BluetoothService.exe), Windows’ DLL search order causes it to load the attacker’s DLL, ...

🤖 Agent Actions

Summary:

• Added a supply-chain hijack case study to the auto-updaters abuse page, covering WinGUp/Notepad++ weak update validation, manifest tampering, and trojanized NSIS installers.
• Documented operational chains (Bitdefender BluetoothService.exe DLL sideloading to Chrysalis; Lua shellcode injection to Cobalt Strike) plus hardening/detection pivots (signature enforcement, XMLDSig, mutex, gup.exe anomalies).
• Included Cortex XDR hunting queries for Bitdefender log.dll sideloading and gup.exe launching non-Notepad++ installers, and updated references with Unit 42 and Notepad++ incident details.

Tests:

• Not run (documentation-only changes).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://unit42.paloaltonetworks.com/notepad-infrastructure-compromise/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web / Supply Chain (new subsection) or Windows Local Privilege Escalation -> Dll Hijacking (add: signed-binary DLL sideloading via trojanized installers/update mechanisms) and/or Generic Hacking -> Supply-chain update hijacking (updater manifest/signature validation pitfalls, XMLDSig, certificate+signature enforcement)".

Repository Maintenance:

• MD Files Formatting: 944 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

[carlospolop]

merge