The Notepad++ Supply Chain Attack — Unnoticed Execution Chains and New IoCs

    Date: 02/04/2026

    Severity: High

    Summary

    The Notepad++ supply chain attack abused the project's compromised update infrastructure to push malicious updates to users, rotating execution chains, C2 servers, and payloads between victims. The operators were selective: known targets include individuals in Vietnam, El Salvador, and Australia, a government organization in the Philippines, a financial organization in El Salvador, and an IT service provider in Vietnam. The activity went largely unnoticed until analysis surfaced additional execution chains and the previously unpublished IoCs listed below.

    Indicators of Compromise (IOC) List 

    URLs/Domains

    http://45.76.155.202/update/update.exe

    http://45.32.144.255/update/update.exe

    http://95.179.213.0/update/update.exe

    http://95.179.213.0/update/install.exe

    http://95.179.213.0/update/AutoUpdater.exe

    http://45.76.155.202/list

    https://self-dns.it.com/list

    https://45.77.31.210/users/admin

    https://cdncheck.it.com/users/admin

    https://safe-dns.it.com/help/Get-Start

    https://45.77.31.210/api/update/v1

    https://45.77.31.210/api/FileUpload/submit

    https://cdncheck.it.com/api/update/v1

    https://cdncheck.it.com/api/Metadata/submit

    https://cdncheck.it.com/api/getInfo/v1

    https://cdncheck.it.com/api/FileUpload/submit

    https://safe-dns.it.com/resolve

    https://safe-dns.it.com/dns-query

    https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821

    https://api.wiresguard.com/update/v1

    https://api.wiresguard.com/api/FileUpload/submit

    http://59.110.7.32:8880/uffhxpSy

    http://59.110.7.32:8880/api/getBasicInfo/v1

    http://59.110.7.32:8880/api/Metadata/submit

    http://124.222.137.114:9999/3yZR31VK

    http://124.222.137.114:9999/api/updateStatus/v1

    http://124.222.137.114:9999/api/Info/submit

    https://api.wiresguard.com/users/system

    https://api.wiresguard.com/api/getInfo/v1

    Hashes (SHA-1)

    8e6e505438c21f3d281e1cc257abdbf7223b7f5a

    90e677d7ff5844407b9c073e3b7e896e078e11cd

    573549869e84544e3ef253bdba79851dcde4963a

    13179c8f19fbf3d8473c49983a199e6cb4f318f0

    4c9aac447bf732acc97992290aa7a187b967ee2c

    821c0cafb2aab0f063ef7e313f64313fc81d46cd

    06a6a5a39193075734a32e0235bde0e979c27228

    9c3ba38890ed984a25abb6a094b5dbf052f22fa7

    ca4b6fe0c69472cd3d63b212eb805b7f65710d33

    0d0f315fd8cf408a483f8e2dd1e69422629ed9fd

    2a476cfb85fbf012fdbe63a37642c11afa5cf020

    d7ffd7b588880cf61b603346a3557e7cce648c93

    94dffa9de5b665dc51bc36e2693b8a3a0a4cc6b8

    21a942273c14e4b9d3faa58e4de1fd4d5014a1ed

    7e0790226ea461bcc9ecd4be3c315ace41e1c122

    f7910d943a013eede24ac89d6388c1b98f8b3717

    73d9d0139eaf89b7df34ceeb60e5f8c7cd2463bf

    bd4915b3597942d88f319740a9b803cc51585c4a

    c68d09dd50e357fd3de17a70b7724f8949441d77

    813ace987a61af909c053607635489ee984534f4

    9fbf2195dee991b1e5a727fd51391dcc2d7a4b16

    07d2a01e1dc94d59d5ca3bdf0c7848553ae91a51

    3090ecf034337857f786084fb14e63354e271c5d

    d0662eadbe5ba92acbd3485d8187112543bcfbf5

    9c0eff4deeb626730ad6a05c85eb138df48372ce

    File paths (%appdata% expands to C:\Users\<user>\AppData\Roaming on the victim host)

    %appdata%\ProShow\load

    %appdata%\Adobe\Scripts\alien.ini

    %appdata%\Bluetooth\BluetoothService

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "http://59.110.7.32:8880/api/getBasicInfo/v1" or siteurl like "http://59.110.7.32:8880/api/getBasicInfo/v1" or url like "http://59.110.7.32:8880/api/getBasicInfo/v1" or domainname like "https://cdncheck.it.com/api/update/v1" or siteurl like "https://cdncheck.it.com/api/update/v1" or url like "https://cdncheck.it.com/api/update/v1" or domainname like "https://safe-dns.it.com/dns-query" or siteurl like "https://safe-dns.it.com/dns-query" or url like "https://safe-dns.it.com/dns-query" or domainname like "https://45.77.31.210/api/update/v1" or siteurl like "https://45.77.31.210/api/update/v1" or url like "https://45.77.31.210/api/update/v1" or domainname like "https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821" or siteurl like "https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821" or url like "https://api.skycloudcenter.com/a/chat/s/70521ddf-a2ef-4adf-9cf0-6d8e24aaa821" or domainname like "http://45.32.144.255/update/update.exe" or siteurl like "http://45.32.144.255/update/update.exe" or url like "http://45.32.144.255/update/update.exe" or domainname like "https://api.wiresguard.com/users/system" or siteurl like "https://api.wiresguard.com/users/system" or url like "https://api.wiresguard.com/users/system" or domainname like "http://124.222.137.114:9999/api/updateStatus/v1" or siteurl like "http://124.222.137.114:9999/api/updateStatus/v1" or url like "http://124.222.137.114:9999/api/updateStatus/v1" or domainname like "http://59.110.7.32:8880/api/Metadata/submit" or siteurl like "http://59.110.7.32:8880/api/Metadata/submit" or url like "http://59.110.7.32:8880/api/Metadata/submit" or domainname like "http://124.222.137.114:9999/api/Info/submit" or siteurl like "http://124.222.137.114:9999/api/Info/submit" or url like "http://124.222.137.114:9999/api/Info/submit" or domainname like "https://cdncheck.it.com/users/admin" or siteurl like "https://cdncheck.it.com/users/admin" or url like "https://cdncheck.it.com/users/admin" or domainname like "http://95.179.213.0/update/AutoUpdater.exe" or siteurl like "http://95.179.213.0/update/AutoUpdater.exe" or url like "http://95.179.213.0/update/AutoUpdater.exe" or domainname like "https://safe-dns.it.com/help/Get-Start" or siteurl like "https://safe-dns.it.com/help/Get-Start" or url like "https://safe-dns.it.com/help/Get-Start" or domainname like "http://95.179.213.0/update/install.exe" or siteurl like "http://95.179.213.0/update/install.exe" or url like "http://95.179.213.0/update/install.exe" or domainname like "https://api.wiresguard.com/api/FileUpload/submit" or siteurl like "https://api.wiresguard.com/api/FileUpload/submit" or url like "https://api.wiresguard.com/api/FileUpload/submit" or domainname like "https://45.77.31.210/users/admin" or siteurl like "https://45.77.31.210/users/admin" or url like "https://45.77.31.210/users/admin" or domainname like "https://cdncheck.it.com/api/Metadata/submit" or siteurl like "https://cdncheck.it.com/api/Metadata/submit" or url like "https://cdncheck.it.com/api/Metadata/submit" or domainname like "http://124.222.137.114:9999/3yZR31VK" or siteurl like "http://124.222.137.114:9999/3yZR31VK" or url like "http://124.222.137.114:9999/3yZR31VK" or domainname like "https://self-dns.it.com/list" or siteurl like "https://self-dns.it.com/list" or url like "https://self-dns.it.com/list" or domainname like "https://cdncheck.it.com/api/FileUpload/submit" or siteurl like "https://cdncheck.it.com/api/FileUpload/submit" or url like "https://cdncheck.it.com/api/FileUpload/submit" or domainname like "https://safe-dns.it.com/resolve" or siteurl like "https://safe-dns.it.com/resolve" or url like "https://safe-dns.it.com/resolve" or domainname like "http://45.76.155.202/update/update.exe" or siteurl like "http://45.76.155.202/update/update.exe" or url like "http://45.76.155.202/update/update.exe" or domainname like "http://45.76.155.202/list" or siteurl like "http://45.76.155.202/list" or url like "http://45.76.155.202/list" or domainname like "https://api.wiresguard.com/update/v1" or siteurl like "https://api.wiresguard.com/update/v1" or url like "https://api.wiresguard.com/update/v1" or domainname like "http://95.179.213.0/update/update.exe" or siteurl like "http://95.179.213.0/update/update.exe" or url like "http://95.179.213.0/update/update.exe" or domainname like "https://cdncheck.it.com/api/getInfo/v1" or siteurl like "https://cdncheck.it.com/api/getInfo/v1" or url like "https://cdncheck.it.com/api/getInfo/v1" or domainname like "https://45.77.31.210/api/FileUpload/submit" or siteurl like "https://45.77.31.210/api/FileUpload/submit" or url like "https://45.77.31.210/api/FileUpload/submit" or domainname like "http://59.110.7.32:8880/uffhxpSy" or siteurl like "http://59.110.7.32:8880/uffhxpSy" or url like "http://59.110.7.32:8880/uffhxpSy" or domainname like "https://api.wiresguard.com/api/getInfo/v1" or siteurl like "https://api.wiresguard.com/api/getInfo/v1" or url like "https://api.wiresguard.com/api/getInfo/v1"

    Note: every pattern in Query 1 is a full URL with no wildcard, so the domainname clauses only fire if that field actually stores the full URL. For proxy or DNS telemetry that records just the host, match on the hosts extracted from the URL list instead: 45.76.155.202, 45.32.144.255, 95.179.213.0, 45.77.31.210, 59.110.7.32, 124.222.137.114, self-dns.it.com, cdncheck.it.com, safe-dns.it.com, api.skycloudcenter.com and api.wiresguard.com. Since the operators rotated infrastructure between victims, treat this list as a snapshot rather than a complete enumeration.

    Detection Query 2 :

    sha1hash IN ("7e0790226ea461bcc9ecd4be3c315ace41e1c122","07d2a01e1dc94d59d5ca3bdf0c7848553ae91a51","f7910d943a013eede24ac89d6388c1b98f8b3717","94dffa9de5b665dc51bc36e2693b8a3a0a4cc6b8","d0662eadbe5ba92acbd3485d8187112543bcfbf5","c68d09dd50e357fd3de17a70b7724f8949441d77","3090ecf034337857f786084fb14e63354e271c5d","9fbf2195dee991b1e5a727fd51391dcc2d7a4b16","813ace987a61af909c053607635489ee984534f4","9c0eff4deeb626730ad6a05c85eb138df48372ce","d7ffd7b588880cf61b603346a3557e7cce648c93","bd4915b3597942d88f319740a9b803cc51585c4a","8e6e505438c21f3d281e1cc257abdbf7223b7f5a","90e677d7ff5844407b9c073e3b7e896e078e11cd","573549869e84544e3ef253bdba79851dcde4963a","13179c8f19fbf3d8473c49983a199e6cb4f318f0","4c9aac447bf732acc97992290aa7a187b967ee2c","821c0cafb2aab0f063ef7e313f64313fc81d46cd","06a6a5a39193075734a32e0235bde0e979c27228","9c3ba38890ed984a25abb6a094b5dbf052f22fa7","ca4b6fe0c69472cd3d63b212eb805b7f65710d33","0d0f315fd8cf408a483f8e2dd1e69422629ed9fd","2a476cfb85fbf012fdbe63a37642c11afa5cf020","21a942273c14e4b9d3faa58e4de1fd4d5014a1ed","73d9d0139eaf89b7df34ceeb60e5f8c7cd2463bf")

    Detection Query 3 :

    resourcename = "Windows Security" AND eventtype = "4663" AND objectname IN ("%appdata%\ProShow\load","%appdata%\Adobe\Scripts\alien.ini","%appdata%\Bluetooth\BluetoothService")

    Detection Query 4 :

    technologygroup = "EDR" AND objectname IN ("%appdata%\ProShow\load","%appdata%\Adobe\Scripts\alien.ini","%appdata%\Bluetooth\BluetoothService")

    Note: Queries 3 and 4 compare objectname against the literal token %appdata%. Windows Security event 4663 and EDR file telemetry record the expanded path (C:\Users\<user>\AppData\Roaming\...), so match on the expanded suffix (for example \AppData\Roaming\ProShow\load) rather than the literal token. Event 4663 is also only generated when File System object-access auditing is enabled and a SACL is set on the directory in question, so its absence is not evidence that the file was never touched.
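    The following is an added example of the matching logic the four queries above express, written here to show the two pitfalls that make literal IOC queries miss: URL-only patterns against host-only telemetry, and the %appdata% token against expanded Windows paths. It is not Gurucul's query engine and not tooling from the referenced Securelist report; the record field names (url, query, sha1, path, object_name) and the sample records are constructed for the demo, and the IOC sets are a verbatim subset of the list above.

```python
"""Cross-source IOC matcher for the Notepad++ supply-chain advisory.

Added example for this page; it is not Gurucul's query engine and not
Kaspersky's tooling. Field names in the sample records (url, query,
sha1, path, object_name) and the records themselves are constructed.
"""
import re
from urllib.parse import urlsplit

# A subset of the advisory's IOCs, copied verbatim; load the full list in practice.
IOC_URLS = {
    "http://45.76.155.202/update/update.exe",
    "https://cdncheck.it.com/api/update/v1",
    "https://safe-dns.it.com/dns-query",
    "http://59.110.7.32:8880/api/getBasicInfo/v1",
}
IOC_SHA1 = {
    "8e6e505438c21f3d281e1cc257abdbf7223b7f5a",
    "7e0790226ea461bcc9ecd4be3c315ace41e1c122",
}
IOC_PATHS = [
    r"%appdata%\ProShow\load",
    r"%appdata%\Adobe\Scripts\alien.ini",
    r"%appdata%\Bluetooth\BluetoothService",
]

# Hosts derived from the URL IOCs, so DNS/proxy records that carry only a
# hostname (no full URL) still match; a hostname hit is weaker than a URL hit.
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}

# In a real 4663 ObjectName or EDR file path %appdata% is already expanded to
# <drive>:\Users\<user>\AppData\Roaming, so the literal token never matches.
# Accept either the token or any user's expanded roaming profile.
_APPDATA = r"(?:%appdata%|[a-z]:\\users\\[^\\]+\\appdata\\roaming)"
PATH_PATTERNS = [
    (ioc, re.compile("^" + _APPDATA + re.escape(ioc[len("%appdata%"):]) + "$",
                     re.IGNORECASE))
    for ioc in IOC_PATHS
]


def normalize_url(url: str) -> str:
    """Lower-case scheme and host; keep the path as-is (paths are case-sensitive)."""
    p = urlsplit(url.strip())
    tail = f"?{p.query}" if p.query else ""
    return f"{p.scheme}://{p.netloc.lower()}{p.path}{tail}"


def match_record(rec: dict) -> list[str]:
    """Return the IOC hits for one log record, most specific first."""
    hits = []
    if "url" in rec:
        u = normalize_url(rec["url"])
        if u in IOC_URLS:
            hits.append("url:" + u)
        host = urlsplit(u).hostname
        if host in IOC_HOSTS:
            hits.append("host:" + host)
    if "query" in rec:  # DNS query name, possibly with a trailing dot
        q = rec["query"].strip().lower().rstrip(".")
        if q in IOC_HOSTS:
            hits.append("host:" + q)
    if "sha1" in rec:
        h = rec["sha1"].strip().lower()
        if h in IOC_SHA1:
            hits.append("sha1:" + h)
    path = rec.get("path") or rec.get("object_name")
    if path:
        for ioc, rx in PATH_PATTERNS:
            if rx.match(path):
                hits.append("path:" + ioc)
    return hits


def scan(records: list[dict]) -> dict[int, list[str]]:
    """Map record index -> hits, for records with at least one hit."""
    out = {}
    for i, rec in enumerate(records):
        hits = match_record(rec)
        if hits:
            out[i] = hits
    return out


# Constructed sample telemetry (not real logs).
SAMPLE_LOGS = [
    {"source": "proxy", "url": "HTTP://45.76.155.202/update/update.exe"},
    {"source": "dns", "query": "cdncheck.it.com."},
    {"source": "edr", "sha1": "7E0790226EA461BCC9ECD4BE3C315ACE41E1C122",
     "path": r"C:\Users\alice\AppData\Roaming\Bluetooth\BluetoothService"},
    {"source": "winsec", "event_id": 4663,
     "object_name": r"C:\Users\bob\AppData\Roaming\Adobe\Scripts\alien.ini"},
    {"source": "proxy", "url": "https://cdncheck.it.com/"},            # host only
    {"source": "edr", "sha1": "0" * 40,
     "path": r"C:\Users\carol\AppData\Roaming\ProShow\loader.exe"},  # near miss
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_LOGS).items():
        print(i, SAMPLE_LOGS[i]["source"], hits)
```

    A host-only hit (record 4 above) is worth triaging but is not the same signal as a full URL or hash hit; keep the two tiers separate when you turn this into an alert so that benign traffic to a later-reassigned IP does not page at the same severity as a known payload download.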

    Reference:

    https://securelist.com/notepad-supply-chain-attack/118708/


    Tags

    Malware, Supply chain attack, Exploit, Vietnam, Australia, Philippines, Government Services and Facilities, Financial Services, Information Technology
