{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/notepad++/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","malware","notepad++"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Notepad++ updater, \u003ccode\u003egup.exe\u003c/code\u003e, is a component designed to automatically update the Notepad++ application. However, attackers can potentially exploit this updater to deliver malware or place unwarranted files on a system. This activity often begins with a compromised update server or a man-in-the-middle attack. Successful exploitation can lead to the installation of backdoors, credential access, and collection of sensitive information. The references provided highlight historical incidents involving the Notepad++ updater being abused in supply chain attacks. Defenders should monitor file creation events by \u003ccode\u003egup.exe\u003c/code\u003e outside of expected program directories and temporary update locations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user installs Notepad++ on their Windows system.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egup.exe\u003c/code\u003e updater component, located within the Notepad++ installation directory, is executed to check for updates.\u003c/li\u003e\n\u003cli\u003eThe updater connects to the Notepad++ update server to retrieve update information.\u003c/li\u003e\n\u003cli\u003eAn attacker compromises the update server or performs a man-in-the-middle attack.\u003c/li\u003e\n\u003cli\u003eThe compromised update server provides malicious instructions to \u003ccode\u003egup.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003egup.exe\u003c/code\u003e creates a malicious executable or script in an unexpected location, such as the user\u0026rsquo;s temporary directory outside of normal update procedures.\u003c/li\u003e\n\u003cli\u003eThe malicious file is executed, leading to further compromise such as installing a backdoor or stealing credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker gains initial access to the system and can perform collection and credential access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack exploiting the Notepad++ updater can lead to the installation of malware, such as backdoors, allowing attackers to gain persistent access to the compromised system. This can lead to data theft, credential compromise, and further lateral movement within the network. The number of potential victims depends on the scope of the compromised update server or the success of the man-in-the-middle attack. Historically, supply chain attacks targeting widely used software have impacted thousands of users.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Notepad++ Updater (gup.exe) Creates Uncommon Files\u0026rdquo; to your SIEM and tune for your environment. This rule detects file creation events by \u003ccode\u003egup.exe\u003c/code\u003e in suspicious locations (see rule configuration).\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003efile_event\u003c/code\u003e logs for unusual file creation events initiated by \u003ccode\u003egup.exe\u003c/code\u003e using the specified \u003ccode\u003elogsource\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect and prevent man-in-the-middle attacks against the Notepad++ update server.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T10:34:51Z","date_published":"2026-04-21T10:34:51Z","id":"/briefs/2026-06-notepadpp-updater-file-creation/","summary":"The Notepad++ updater (gup.exe) creating files in suspicious locations can indicate potential exploitation for malware delivery or unwarranted file placement, potentially leading to credential access and collection.","title":"Notepad++ Updater (gup.exe) Creates Uncommon Files","url":"https://feed.craftedsignal.io/briefs/2026-06-notepadpp-updater-file-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — Notepad++","version":"https://jsonfeed.org/version/1.1"}