Notepad++ supply chain attack breakdown
Essential information
- Published: 03/02/2026 12:08
- Modified: 03/02/2026 16:33
- Tags: 2026-02-03 chrysalis backdoor cobalt strike cobalt strike beacon dll sideloading metasploit mgbot notepad nsis shellcode supply-chain
- Related entities: 36 observables, 12 techniques (MITRE), 3 malware, 8 others
Description
The article details a sophisticated supply chain attack on Notepad++ that occurred from July to October 2025. Attackers compromised the update infrastructure, deploying various malicious payloads through three distinct infection chains. The attack targeted individuals and organizations in Vietnam, El Salvador, Australia, and the Philippines. The infection methods evolved over time, using NSIS installers, Metasploit downloaders, and Cobalt Strike Beacons. The attackers employed clever techniques to evade detection, including the abuse of legitimate software and the use of multiple C2 servers. The article provides a comprehensive timeline of the attack, describes the different execution chains, and offers guidance on detecting traces of the attack.