Skip to main content

Kaspersky GReAT uncovers hidden attack chains in Notepad++ supply chain compromise

3 February 2026

Kaspersky Global Research and Analysis Team (GReAT) researchers have discovered that attackers behind the Notepad++ supply chain compromise targeted a government organization in the Philippines, a financial institution in El Salvador, an IT service provider in Vietnam and individuals across three countries using at least three distinct infection chains — two of which remain unknown to the public.

The attackers completely overhauled their malware, command-and-control infrastructure and delivery methods roughly every month between July and October 2025. The single attack chain publicly documented to date represents only the final phase of a much longer and more sophisticated campaign.

The Notepad++ developers disclosed on Feb. 2, 2026, that their update infrastructure had been compromised due to a hosting provider incident. Previous public reporting focused exclusively on malware observed in October 2025, leaving organizations unaware of the entirely different indicators of compromise used from July through September.

Each chain used different malicious IP addresses, domain names, execution methods and payloads. Organizations that scanned only for the October indicators may have missed earlier infections entirely. Kaspersky solutions blocked all identified attacks as they occurred.

"Defenders who checked their systems against the publicly known IoCs and found nothing should not assume they're in the clear," said Georgy Kucherin, senior security researcher at Kaspersky GReAT. "The July-September infrastructure was completely different — different IPs, different domains, different file hashes. And given how frequently these attackers rotated their tooling, we cannot rule out the existence of additional, as-yet-undiscovered chains."

Kaspersky GReAT has published the full list of indicators of compromise, including six malicious updater hashes, 14 C2 URLs and eight malicious file hashes not previously reported. The complete IoC list and technical analysis are available at Securelist

About the Global Research & Analysis Team
Established in 2008, Global Research & Analysis Team (GReAT) operates at the very heart of Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware, ransomware and underground cyber-criminal trends across the world. Today GReAT consists of 35+ experts working globally – in Europe, Russia, Latin America, Asia and the Middle East. Talented security professionals provide company leadership in anti-malware research and innovation, bringing unrivaled expertise, passion and curiosity to the discovery and analysis of cyberthreats. 

Kaspersky GReAT uncovers hidden attack chains in Notepad++ supply chain compromise

Kaspersky Global Research and Analysis Team (GReAT) researchers have discovered that attackers behind the Notepad++ supply chain compromise targeted a government organization in the Philippines, a financial institution in El Salvador, an IT service provider in Vietnam and individuals across three countries using at least three distinct infection chains — two of which remain unknown to the public.
Kaspersky logo

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect individuals, businesses, critical infrastructure, and governments around the globe. The company’s comprehensive security portfolio includes leading digital life protection for personal devices, specialized security products and services for companies, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help millions of individuals and nearly 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.

Related Articles Press Releases