Unit 42 reveals new infrastructure associated with the Notepad++ attack. This expands understanding of threat actor operations and malware delivery.

Unit42 is a cybersecurity research team known for its  analysis of cyber threats, malware, and cyber attack trends. Through research reports, threat intelligence briefings, and data analysis, Unit42 offers insights into emerging cyber threats and adversary tactics. Readers can learn about threat detection methodologies, vulnerability trends, and cyber attack attribution to enhance their cybersecurity posture and protect their organizations from advanced cyber threats.

Unit 42

Between June and December 2025, nation-state actors compromised Notepad++'s hosting infrastructure to selectively deliver malware to government, telecom, and critical infrastructure targets across Southeast Asia, South America, the U.S., and Europe. The attackers exploited insufficient verification in the WinGUp updater to redirect traffic and serve malicious updates containing Cobalt Strike beacons and Chrysalis backdoors via DLL side-loading and Lua script injection. The campaign targeted system administrators and DevOps personnel to gain privileged access to core infrastructure. Notepad++ has since migrated to a more secure hosting provider and enhanced signature verification in version 8.8.9, with enforcement coming in version 8.9.2.

Nation-State Actors Exploit Notepad++ Supply Chain