Executive Summary

On December 9th, 2025, the Notepad++ text editor project reported an incident in which part of its software update infrastructure had been hijacked to deliver a sophisticated backdoor to specific targets. Rapid7 published additional analysis of one of the delivered payloads and attributed the campaign to Lotus Blossom, a Chinese state-sponsored APT group.

The attack appears to have been highly targeted: reporting indicates that only specific traffic was answered with malicious packages, and Kaspersky added that the attacker infrastructure was constantly rotated and tailored to the intended targets.

The incident was a man-in-the-middle attack against the update infrastructure, not a compromise of the Notepad++ code itself. Because it was the update process that was compromised, Beazley Security, out of an abundance of caution, recommends that affected users delete existing Notepad++ installs and install a fixed version from scratch as soon as possible.

Affected Systems or Products

Product   | Affected Version | Fixed Version
Notepad++ | < v8.8.9         | >= v8.8.9

Patches

Security fixes were available through the normal update channels at the time of reporting. Because the attack compromised the update process itself, Beazley Security recommends, out of an abundance of caution, that users delete their current Notepad++ install and install a fixed version (v8.8.9 or later) from scratch as soon as possible rather than relying on an in-place update.

Indicators of Compromise

IoCs have been published by both Rapid7 and Kaspersky, though their usefulness may be limited: the threat actor has been observed rotating out almost all of its infrastructure, from C2 servers to malware families and payload hashes. A hit on any of them is significant, but a clean result does not by itself rule out compromise.

That said, a limited summary is included here to assist with threat hunts.

IoC | Type | Notes
8ea8b83645fba6e23d48075a0d3fc73ad2ba515b4536710cda4f1f232718f53e | sha256 | NSIS script
77bfea78def679aa1117f569a35e8fd1542df21f7e00e27f192c907e61d63a2e | sha256 | Encrypted shellcode
3bdc4c0637591533f1d4198a72a33426c01f69bd2e15ceee547866f65e26b7ad | sha256 | Malicious sideloaded DLL
0a9b8df968df41920b6ff07785cbfebe8bda29e6b512c94a3b2a83d10014d2fd | sha256 | Loader variant
e7cd605568c38bd6e0aba31045e1633205d0598c607a855e2e1bca4cca1c6eda | sha256 | Loader variant
b4169a831292e245ebdffedd5820584d73b129411546e7d3eccf4663d5fc5be3 | sha256 | Loader variant
fcc2765305bcd213b7558025b2039df2265c3e0b6401e4833123c461df2de51a | sha256 | Loader variant
8e6e505438c21f3d281e1cc257abdbf7223b7f5a | sha1 | NSIS installer
573549869e84544e3ef253bdba79851dcde4963a | sha1 | NSIS installer
d7ffd7b588880cf61b603346a3557e7cce648c93 | sha1 | NSIS installer
6444dab57d93ce987c22da66b3706d5d7fc226da | sha1 | DLL
2ab0758dda4e71aee6f4c8e4c0265a796518f07d | sha1 | DLL
f7910d943a013eede24ac89d6388c1b98f8b3717 | sha1 | DLL
defb05d5a91e4920c9e22de2d81c5dc9b95a9a7c | sha1 | ProShow.exe
06a6a5a39193075734a32e0235bde0e979c27228 | sha1 | load
bf996a709835c0c16cce1015e6d44fc95e08a38a | sha1 | script.exe
ca4b6fe0c69472cd3d63b212eb805b7f65710d33 | sha1 | alien.ini
821c0cafb2aab0f063ef7e313f64313fc81d46cd | sha1 |
4c9aac447bf732acc97992290aa7a187b967ee2c | sha1 |
90e677d7ff5844407b9c073e3b7e896e078e11cd | sha1 |
api.skycloudcenter[.]com | hostname | C2
api.wiresguard[.]com | hostname | C2
cdncheck.it[.]com | hostname | C2
self-dns.it[.]com | hostname | C2
safe-dns.it[.]com | hostname | C2
59.110.7[.]32 | IP | C2
124.222.137[.]114 | IP | C2
45.76.155[.]202 | IP | Malware host
45.77.31[.]210 | IP | C2
45.32.144[.]255 | IP | C2
95.179.213[.]0 | IP | C2

Technical Details

The attack itself was limited in scope. A server belonging to a former hosting provider for Notepad++ was compromised some time in June 2025, and the threat actor maintained access until December 2025. During that window the actor selectively redirected specific targeted users to trojanized, malicious update packages; the targeting was narrow enough that Kaspersky's analysis indicates as few as a dozen individual machines were singled out. Changes referenced in the Notepad++ patch notes indicate that this man-in-the-middle supply chain attack was possible because of a lack of signature verification in the updater programs and on the update XML returned to the client, so a party able to intercept or serve that XML could point the updater at a package of its choosing.

Notepad++ has changed hosting providers for its update infrastructure and hardened the update process with stricter signing-certificate checks.
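The failure the patch notes describe, as an added illustration that is not Notepad++'s code or its actual fix (Notepad++ relies on signing-certificate checks; this example uses an Ed25519 signature over the manifest bytes as a stand-in): an updater that parses the update XML as received accepts whatever a man-in-the-middle substitutes, including a hash the attacker wrote, while one that verifies a signature over the manifest before parsing it, and then checks the downloaded package against the hash the manifest pins, rejects the swap. The manifest element names, URLs and package bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is an illustrative update XML: where to fetch the package and what it must hash to.
// Element names are assumptions for this example, not Notepad++'s real schema.
type Manifest struct {
	Version string `xml:"version"`
	URL     string `xml:"url"`
	SHA256  string `xml:"sha256"`
}

// SignedUpdate is what the client receives: the manifest bytes plus a detached signature.
type SignedUpdate struct {
	Manifest  []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("update manifest signature invalid")
	ErrHashMismatch = errors.New("downloaded package does not match manifest hash")
)

// Sign is the publisher side; only the public key is embedded in the client.
func Sign(priv ed25519.PrivateKey, manifest []byte) SignedUpdate {
	return SignedUpdate{Manifest: manifest, Signature: ed25519.Sign(priv, manifest)}
}

// UnsafeParse is the pre-fix behaviour: trust whatever XML came back from the server,
// which is exactly the bytes a man-in-the-middle on the update path controls.
func UnsafeParse(su SignedUpdate) (Manifest, error) {
	var m Manifest
	err := xml.Unmarshal(su.Manifest, &m)
	return m, err
}

// VerifiedParse is the hardened flow: refuse to parse a manifest whose signature does not
// verify under the pinned publisher key.
func VerifiedParse(pub ed25519.PublicKey, su SignedUpdate) (Manifest, error) {
	if !ed25519.Verify(pub, su.Manifest, su.Signature) {
		return Manifest{}, ErrBadSignature
	}
	return UnsafeParse(su)
}

// VerifyPackage ties the download to the signed manifest.
func VerifyPackage(m Manifest, pkg []byte) error {
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

func manifestXML(url string, pkg []byte) []byte {
	sum := sha256.Sum256(pkg)
	return []byte("<update><version>8.8.9</version><url>" + url + "</url><sha256>" +
		hex.EncodeToString(sum[:]) + "</sha256></update>")
}

// Outcome reports how each flow handles a genuine and a tampered manifest.
type Outcome struct {
	UnsafeAcceptsTampered   bool
	VerifiedRejectsTampered bool
	VerifiedAcceptsGenuine  bool
}

// Scenario plays the exchange both ways with constructed package bytes and URLs.
func Scenario() (Outcome, error) {
	var out Outcome
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	genuinePkg := []byte("constructed: genuine installer bytes")
	genuine := Sign(priv, manifestXML("https://updates.example/npp-8.8.9.exe", genuinePkg))

	// The MitM cannot forge a signature, so it reuses the old one and rewrites the manifest
	// to point at its own package on its own host, hash included.
	trojanPkg := []byte("constructed: trojanized installer bytes")
	tampered := SignedUpdate{
		Manifest:  manifestXML("https://attacker.example/npp-8.8.9.exe", trojanPkg),
		Signature: genuine.Signature,
	}

	if m, err := UnsafeParse(tampered); err == nil && VerifyPackage(m, trojanPkg) == nil {
		out.UnsafeAcceptsTampered = true // the hash check passes because the attacker wrote the hash
	}
	if _, err := VerifiedParse(pub, tampered); errors.Is(err, ErrBadSignature) {
		out.VerifiedRejectsTampered = true
	}
	if m, err := VerifiedParse(pub, genuine); err == nil && VerifyPackage(m, genuinePkg) == nil {
		out.VerifiedAcceptsGenuine = true
	}
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

The point of the two flows side by side is that a hash in the manifest protects nothing on its own: the manifest is the thing being tampered with, so the hash must be covered by a signature the intermediary cannot produce. In a real updater the public key (or certificate) that anchors that check has to ship with the client, not be fetched from the same infrastructure that serves the update.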

How Beazley Security is responding

Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediating any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.

If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.