{
	"id": "13c6fc75-7b01-4a51-ace9-a34fa24b34aa",
	"created_at": "2026-04-06T01:32:37.37913Z",
	"updated_at": "2026-04-10T03:29:28.361204Z",
	"deleted_at": null,
	"sha1_hash": "8e9db5637d1cd1c3660e298db15abfa2833abe44",
	"title": "THREAT ANALYSIS REPORT: Abusing Notepad++ Plugins for Evasion and Persistence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 590662,
	"plain_text": "THREAT ANALYSIS REPORT: Abusing Notepad++ Plugins for Evasion and Persistence\r\nBy Cybereason Global SOC Team\r\nArchived: 2026-04-06 00:14:03 UTC\r\nCybereason GSOC team analysts have analyzed a specific technique that leverages Notepad++ plugins to persist and evade security mechanisms on a machine. Following this introduction, we describe in detail how to reproduce this attack and implement detection and prevention mechanisms.\r\nThis particular Threat Analysis report is part of a series named “Purple Team Series” covering widely used attack techniques, how threat actors are leveraging them and how to detect their use.\r\nThe Cybereason Global Security Operations Center (GSOC) Team issues Threat Analysis Reports to inform on impacting threats. The Threat Analysis Reports investigate these threats and provide practical recommendations for protecting against them.\r\nKey Points\r\nPopularity Can Lead to Increased Attack Surface: Notepad++ is an extremely popular tool that is installed in almost every IT-related environment\r\nThreat Actors Have Already Abused Notepad++: APT groups, like StrongPity, have been observed leveraging Notepad++ to deploy backdoors on their victims’ machines\r\nAdvanced Plugin Feature: Notepad++ has an advanced plugin mechanism that can be leveraged by threat actors for persistence and security evasion\r\nAbsence of Verification Process in Notepad++: No verification process has been observed for locally installed plugins, allowing threat actors with local administrator privileges to inject their own malicious DLL in the loading process\r\nDetected and Prevented by Cybereason MDR (Managed Detection and Response): The Cybereason Defense Platform effectively detects and prevents infections from malware loaded in a malicious Notepad++ plugin\r\nIntroduction\r\nNotepad++ is a very popular Notepad replacement and code editor created and maintained by Don Ho. This application supports multiple coding languages as well as plugins that automate a number of IT and development related tasks.\r\nhttps://www.cybereason.com/blog/threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence\r\nPage 1 of 9\r\nPlugins are simply modules that can be installed from the approved list that is maintained by the community or custom built using languages such as C#. These plugins are stored in the %PROGRAMFILES%\\Notepad++\\plugins\\ directory.\r\nUsing an open-source project, Notepad++ Plugin Pack, a security researcher that goes by the name RastaMouse was able to demonstrate how to build a malicious plugin that can be used as a persistence mechanism. The plugin pack is a .NET package for Visual Studio that provides a basic template for building plugins:\r\nNotepad++ Plugin Pack Template\r\nThreat actors can use this technique to circumvent security mechanisms and achieve persistence on their victim’s machine.\r\nThe APT group StrongPity is known to leverage a legitimate Notepad++ installer accompanied with malicious executables, allowing it to persist after a reboot on a machine. This backdoor enables this threat actor to install a keylogger on the machine and communicate with a C2 server to send the output of this software.\r\nThe StrongPity APT group (also known as APT-C-41 and PROMETHIUM) was first observed in 2012 and employs the same tactics as the one described above, namely adding backdoors to legitimate software used by specific users:\r\nTechnical Analysis\r\nIn this section, we analyzed the Notepad++ plugin loading mechanism and drafted an attack scenario based on this vector. You can find a video of the attack scenario, available below:\r\nAttack Scenario\r\nThe SCI_ADDTEXT API can be abused to trigger a custom Notepad++ command when a key is typed inside of Notepad++. Using C#, we created a DLL that will run a PowerShell command on the first, initial press of any key inside of Notepad++.\r\nIn our attack scenario, the PowerShell command will execute a Meterpreter payload. We set this to only run once to ensure our C2’s availability would not be affected due to multiple connection attempts:\r\nPowerShell command embedded in malicious DLL\r\n* Note - Our Meterpreter shell will inherit the permissions of the user who launched Notepad++. In the event the victim opens the application as an administrator (e.g., to make changes to the hosts file), our shell will have those same privileges.\r\nUsing local administrator privileges, we dropped the compiled DLL into the appropriate folder:\r\nMalicious DLL dropped into the plugin directory\r\nPowerShell Execution\r\nAs expected, when Notepad++ loaded and a single letter was typed, PowerShell executed and our Meterpreter session was established:\r\n(Victim’s view) PowerShell executing the configured malicious payload once a key was typed\r\n(Attacker’s view) Established Meterpreter session\r\n(Attacker’s view) Shell commands from Meterpreter session\r\nPrivilege Escalation\r\nTo test for and demonstrate the behavior difference with the inherited permissions, we attempted to run the GetSystem module in our Meterpreter session that was executed as a regular user:\r\n(Attacker’s view) Privilege escalation attempt failed under regular user permissions\r\nNext, we ran Notepad++ as ‘administrator’ and re-ran the payload. We were able to escalate to SYSTEM this time through the GetSystem module:\r\n(Attacker’s view) Successfully escalated to SYSTEM\r\nDetection and Prevention\r\nDetection and Hunting Capabilities\r\nA MalOp was created due to the Meterpreter payload. When we ran the ‘shell’ module in Metasploit, it created a child process of cmd.exe with additional child processes created for whoami.exe and calc.exe. Network connections from PowerShell to our command and control server are visible as well:\r\n(Defender’s view) Process tree as seen in the Cybereason Defense Platform - Our loaded module created a child process of PowerShell.exe\r\nWhen searching for the loaded modules in the notepad++.exe process, we are able to identify the malicious DLL that was loaded:\r\n(Defender’s view) Searching for loaded malicious module by name\r\nNo other useful file metadata or indicators were observed that could help detect this attack.\r\nStatic Analysis And Reverse Engineering\r\nStatic analysis tools were able to pull indicators such as compile time, architecture, and programming language used to build the binary:\r\nCompilation timestamp\r\n64-bit architecture\r\nMicrosoft .NET executable written in C#\r\nAs this is a C#/.NET binary, standard static analysis tools that would be used for C/C++ binaries will be unable to pull references to the functions used specific to the plugin pack or the embedded PowerShell command. C#/.NET binaries compile down to what is called Microsoft Intermediate Language (MSIL).\r\nThe metadata contained inside the code allows us to decompile this executable using dnSpy. We were able to decompile the binary almost completely back to source, allowing us to extract Indicators of Compromise (IOCs) such as the Command \u0026 Control (C2) IP addresses inside of the Base64 encoded PowerShell command:\r\nDecompiled source code\r\nPowerShell command after decoding the Base64 in CyberChef\r\nCybereason GSOC MDR\r\nThe Cybereason GSOC recommends the following:\r\nEnable the Anti-Malware feature on the Cybereason NGAV and enable the Detect and Prevent modes of this feature.\r\nIdentify legitimate Notepad++ plugins for your organization in order to be able to exclude them from detection\r\nMonitor for any new files created in the %PROGRAMFILES%\\Notepad++\\plugins\\ directory that deviate from your accepted baseline, for instance through file events collected by sensors and reported in the Cybereason Defense Platform\r\nMonitor unusual child processes of Notepad++ and pay special attention to shell product types\r\nCybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. Schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.\r\nIndicators Of Compromise For Notepad++ Malicious Plugins\r\nExecutables\r\nNpp_Persistence_Plugin.dll - SHA256: 90BC7FA90705148D8FFEEF9C3D55F349611905D3F7A4AD17B956CD7EE7A208AF\r\nAbout The Researchers\r\nDerrick Masters, Principal Security Analyst, Cybereason Global SOC\r\nDerrick Masters is a Senior Security Analyst with the Cybereason Global SOC team. He is involved with threat hunting and purple teaming. Derrick's professional certifications include GCFA, GCDA, GPEN, GPYC, and GSEC.\r\nLoïc Castel, Principal Security Analyst, Cybereason Global SOC\r\nLoïc Castel is a Principal Security Analyst with the Cybereason Global SOC team. Loïc analyses and researches critical incidents and cybercriminals, in order to better detect compromises. In his career, Loïc worked as a security auditor in well-known organizations such as ANSSI (French National Agency for the Security of Information Systems) and as Lead Digital Forensics \u0026 Incident Response at Atos. Loïc loves digital forensics and incident response, but is also interested in offensive aspects such as vulnerability research.\r\nSource: https://www.cybereason.com/blog/threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cybereason.com/blog/threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence"
	],
	"report_names": [
		"threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "67fbc7d7-ba8e-4258-b53c-9a5d755e1960",
			"created_at": "2022-10-25T16:07:24.077859Z",
			"updated_at": "2026-04-10T02:00:04.860725Z",
			"deleted_at": null,
			"main_name": "Promethium",
			"aliases": [
				"APT-C-41",
				"G0056",
				"Magenta Dust",
				"Promethium",
				"StrongPity"
			],
			"source_name": "ETDA:Promethium",
			"tools": [
				"StrongPity",
				"StrongPity2",
				"StrongPity3",
				"Truvasys"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "cbede712-4cc3-47c6-bf78-92fd9f1beac6",
			"created_at": "2022-10-25T15:50:23.777222Z",
			"updated_at": "2026-04-10T02:00:05.399303Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"PROMETHIUM",
				"StrongPity"
			],
			"source_name": "MITRE:PROMETHIUM",
			"tools": [
				"Truvasys",
				"StrongPity"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4660477f-333f-4a18-b49b-0b4d7c66d482",
			"created_at": "2023-01-06T13:46:38.511962Z",
			"updated_at": "2026-04-10T02:00:03.007466Z",
			"deleted_at": null,
			"main_name": "PROMETHIUM",
			"aliases": [
				"StrongPity",
				"G0056"
			],
			"source_name": "MISPGALAXY:PROMETHIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439157,
	"ts_updated_at": 1775791768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e9db5637d1cd1c3660e298db15abfa2833abe44.pdf",
		"text": "https://archive.orkl.eu/8e9db5637d1cd1c3660e298db15abfa2833abe44.txt",
		"img": "https://archive.orkl.eu/8e9db5637d1cd1c3660e298db15abfa2833abe44.jpg"
	}
}