securelist.com · 2/3/2026, 8:20:25 AM

The Notepad++ supply chain attack — unnoticed execution chains and new IoCs

Kaspersky’s GReAT analysis covers the Notepad++ supply chain attack, which the Notepad++ developers disclosed on 2 February 2026: the update infrastructure was compromised through a hosting-provider-level incident from June to September 2025, and the attackers retained access to internal services until December 2025.

Over four months, from July to October 2025, the attackers rotated C2 addresses, downloaders and final payloads across three distinct infection chains that targeted roughly a dozen machines, including individuals in Vietnam, El Salvador and Australia, a Philippine government organisation, a financial organisation in El Salvador and an IT service provider in Vietnam.

Chain #1 began with a malicious Notepad++ update in late July 2025, hosted at a specific update URL; the updater’s NSIS installer dropped a ProShow-based second-stage payload, and a Metasploit/Cobalt Strike flow emerged through long chains of URL requests and file drops.

Chain #2, observed in September 2025, reused the same update URL but delivered a larger NSIS installer that collected broader system information and dropped a different set of files in the Adobe Scripts folder, executing a Lua-based payload that led to a Metasploit downloader and a Cobalt Strike beacon.

Chain #3 appeared in October 2025 and shifted to a Bluetooth-related sideloading chain that used a mix of legitimate and malicious files, in some cases culminating in a Chrysalis backdoor; Rapid7-linked indicators were noted for cross-referencing the Beacon payloads.

The researchers emphasise that Notepad++’s update mechanism gave the attackers a rare entry point for targeting high-profile organisations and that, although three infection chains have been identified, more could appear; they recommend hunting for NSIS installers, temp[.]sh uploads, specific shell commands and the IoCs catalogued in the report.
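As an added illustration of that hunting guidance (example code written for this summary, not part of the Kaspersky report or its IoC list), the script below triages a pipe-separated event export for three of the signals named above: traffic to temp.sh, executables launched from or dropped into an Adobe Scripts folder, and files carrying the NSIS first-header marker. The event format, hostnames, file paths and URLs are constructed for the example; the only values taken from the report are the temp[.]sh service and the Adobe Scripts folder name, and the exact location of that folder on disk is an assumption.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Marker present in the first header of NSIS-built installers.
NSIS_MAGIC = b"NullsoftInst"
# The report names temp[.]sh as the upload service used by the attackers.
TEMP_SH_HOST = "temp.sh"

# Constructed sample events in a hypothetical "timestamp|host|event|detail"
# export format. Paths and URLs are illustrative, not IoCs from the report.
SAMPLE_LOG = r"""
2025-09-15T10:01:02Z|WS-01|net|GET https://temp.sh/abcd/update.bin
2025-09-15T10:02:10Z|WS-01|proc|C:\Users\alice\AppData\Roaming\Adobe\Adobe Scripts\lua.exe
2025-09-15T10:03:00Z|WS-02|net|GET https://www.example.com/index.html
2025-09-15T10:04:00Z|WS-02|proc|C:\Program Files\Notepad++\notepad++.exe
2025-09-15T10:05:00Z|WS-03|file|C:\Users\bob\AppData\Roaming\Adobe\Adobe Scripts\helper.dll
""".strip()


@dataclass
class Finding:
    timestamp: str
    host: str
    reason: str
    detail: str


def is_nsis_installer(data: bytes) -> bool:
    """True if the file bytes contain the NSIS first-header marker."""
    return NSIS_MAGIC in data


def is_temp_sh_url(url: str) -> bool:
    """True for temp.sh itself or any of its subdomains (not look-alikes)."""
    host = (urlparse(url).hostname or "").lower()
    return host == TEMP_SH_HOST or host.endswith("." + TEMP_SH_HOST)


def in_adobe_scripts_folder(path: str) -> bool:
    """True if any directory component of the Windows path is 'Adobe Scripts'."""
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    return "adobe scripts" in parts


def parse_event(line: str):
    """Split one export line into (timestamp, host, event, detail) or None."""
    fields = line.split("|", 3)
    return fields if len(fields) == 4 else None


def hunt(lines):
    """Return a Finding for every event matching the hunting guidance."""
    findings = []
    for line in lines:
        parsed = parse_event(line.strip())
        if not parsed:
            continue
        ts, host, event, detail = parsed
        if event == "net":
            # Detail is "<METHOD> <URL>"; the URL is the last token.
            if is_temp_sh_url(detail.split()[-1]):
                findings.append(Finding(ts, host, "temp.sh traffic", detail))
        elif event in ("proc", "file") and in_adobe_scripts_folder(detail):
            kind = "execution" if event == "proc" else "file drop"
            findings.append(Finding(ts, host, kind + " in Adobe Scripts folder", detail))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.host}: {f.reason} -> {f.detail}")
```

Run against the constructed sample, the script flags the temp.sh download and the two Adobe Scripts events and ignores the benign browsing and the legitimate Notepad++ process; `is_nsis_installer` is meant to be applied to the bytes of any file such a finding points at, since an NSIS installer appearing in an update or scripts folder is exactly the artefact the report recommends hunting for.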

Article by CyberSIXT