A PowerShell-based Indicators of Compromise (IOC) scanner for detecting the Notepad++ supply chain attack that occurred between June and December 2025.
Notepad++ Supply Chain Attack IOC Scanner
USE AT YOUR OWN RISK
THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
By using this script, you acknowledge and agree that:
- The author(s) are NOT responsible for any damage, data loss, system instability, or any other negative consequences that may result from running this script
- This tool is provided for educational and defensive security purposes only
- You are solely responsible for reviewing the code before execution and understanding what it does
- You should test this script in a non-production environment before running it on critical systems
- This script requires Administrator privileges and accesses sensitive system areas (registry, services, event logs, etc.)
- False positives may occur - findings should be verified manually before taking remediation actions
- The IOC data is based on publicly available threat intelligence and may not be complete or up-to-date
If you do not agree with these terms, do not use this software.
In February 2026, Kaspersky's Global Research and Analysis Team (GReAT) published research detailing a sophisticated supply chain attack targeting Notepad++ users. The attack exploited the GUP (Generic Updater Platform) auto-update mechanism to deliver malware to targeted victims.
- June 2025: Attack campaign begins
- December 2025: Attack campaign ends
- February 2026: Public disclosure by Kaspersky
This was a highly targeted attack affecting approximately 12 machines globally, primarily:
- Government organizations
- Financial institutions
- Regions: Vietnam, Philippines, El Salvador, Australia
- Attacker compromises Notepad++ update infrastructure
- Malicious update delivered via GUP.exe (auto-updater)
- Dropper installs persistence mechanisms
- Cobalt Strike / Chrysalis backdoor deployed
- Data exfiltration via temp.sh and other C2 channels
This scanner performs 22 comprehensive security checks:
| Check | Description |
|---|---|
| Quick Triage | Risk assessment based on N++ installation and version |
| Suspicious Directories | Scans for known malware staging directories |
| Suspicious Files | Checks for specific malicious file artifacts |
| SHA-1 Hash Verification | Compares SHA-1 hashes against 28 known IOCs (Kaspersky) |
| SHA-256 Hash Scan | Compares SHA-256 hashes against 16 Rapid7 Chrysalis IOCs |
| Registry Autorun | Checks Run/RunOnce persistence mechanisms |
| Malicious Services | Detects suspicious Windows services |
| Scheduled Tasks | Checks for malicious scheduled task persistence |
| DNS Cache | Searches for malicious C2 domains |
| Hosts File | Checks for C2 domain entries in hosts file |
| TCP Connections | Detects live TCP connections to known malicious IPs |
| Netstat Scan | Broader protocol scan for C2 IPs |
| DNS Event Logs | Reviews DNS resolution history |
| Firewall Logs | Analyzes Windows Firewall logs |
| Sysmon DNS Logs | Checks Sysmon Event ID 22 (if installed) |
| Running Processes | Identifies suspicious running processes |
| Command History | Searches for attack command patterns |
| N++ Security Log | Checks for update verification failures |
| Downloads Folder | Scans for suspicious executables |
| Temp Folder | Analyzes NSIS installer remnants |
| Event Viewer | Checks process creation and PowerShell logs |
| N++ Installation | Deep analysis with integrity verification |
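As an added example (not the project's own code), the following PowerShell reproduces the logic behind three of the checks in the table, DNS Cache, Hosts File and Sysmon DNS Logs, against a caller-supplied domain list. `$C2Domains` is an assumption: `temp.sh` is named in the attack summary above, and the second entry is a constructed placeholder, not a real indicator.

```powershell
# Added example, not the project's code. $C2Domains is an assumption: temp.sh is named in
# the attack summary; the second entry is a constructed placeholder, not a real indicator.
$C2Domains = @('temp.sh', 'c2-placeholder.invalid')

function Test-DomainMatch {
    param([string]$Name, [string[]]$Domains)
    # True if $Name is one of the domains or a subdomain of it (PowerShell -eq/-like ignore case).
    foreach ($d in $Domains) {
        if ($Name -eq $d -or $Name -like "*.$d") { return $true }
    }
    return $false
}

function Find-C2DnsIndicators {
    param([string[]]$Domains = $C2Domains)
    $hits = @()
    # 1. DNS client cache: names this host resolved recently.
    foreach ($e in (Get-DnsClientCache -ErrorAction SilentlyContinue)) {
        if (Test-DomainMatch $e.Entry $Domains) {
            $hits += [pscustomobject]@{ Source = 'DnsCache'; Indicator = $e.Entry; Detail = $e.Data }
        }
    }
    # 2. Hosts file: a pinned C2 name here bypasses DNS, so the cache check alone would miss it.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in (Get-Content $hostsPath -ErrorAction SilentlyContinue)) {
        $t = ($line -split '#')[0].Trim()                                  # drop comments
        if (-not $t) { continue }
        foreach ($name in ($t -split '\s+' | Select-Object -Skip 1)) {   # skip the IP column
            if (Test-DomainMatch $name $Domains) {
                $hits += [pscustomobject]@{ Source = 'HostsFile'; Indicator = $name; Detail = $t }
            }
        }
    }
    # 3. Sysmon Event ID 22 (DnsQuery), present only if Sysmon is installed; fields are read
    #    by name from the event XML so a positional change in the schema cannot break the check.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 }
    foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (Test-DomainMatch $data['QueryName'] $Domains) {
            $detail = "{0} at {1}" -f $data['Image'], $ev.TimeCreated
            $hits += [pscustomobject]@{ Source = 'Sysmon22'; Indicator = $data['QueryName']; Detail = $detail }
        }
    }
    return $hits
}

$results = Find-C2DnsIndicators
if (@($results).Count -eq 0) { '[OK] No C2 domain indicators in DNS cache, hosts file or Sysmon DNS logs' }
else { $results | Format-Table -AutoSize }
```

Run it from an elevated PowerShell session; the Sysmon step silently yields nothing when the Sysmon log is absent.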
- Windows 10/11 or Windows Server 2016+
- PowerShell 5.1 or later
- Administrator privileges (required)
- Optional: Sysmon installed for enhanced DNS query logging
Clone the repository:

```powershell
git clone https://github.com/maremmano/notebadpp.git
cd notebadpp
```

Or download the script directly:

```powershell
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/maremmano/notebadpp/main/notebadpp.ps1" -OutFile "notebadpp.ps1"
```

Run the scanner:

```powershell
# Open PowerShell as Administrator
# Navigate to the script directory
# If needed, temporarily allow script execution
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
# Run the scanner
.\notebadpp.ps1
```

Export the results to a report file:

```powershell
.\notebadpp.ps1 -ExportResults
```

Results will be saved to your Desktop as `NotepadPP_IOC_Report_<timestamp>.txt`. To choose the output location:

```powershell
.\notebadpp.ps1 -ExportResults -OutputPath "C:\SecurityReports\npp_scan.txt"
```

Extends SHA-256 scanning to Downloads, Temp, and ProgramData directories:

```powershell
.\notebadpp.ps1 -DeepHashScan
```

Disable colored output, for example when piping to a file:

```powershell
.\notebadpp.ps1 -NoColor | Out-File scan_results.txt
```

Options can be combined:

```powershell
.\notebadpp.ps1 -DeepHashScan -ExportResults -NoColor
```

The script returns the number of findings as the exit code (useful for CI/automation):

- `0` = No indicators of compromise found
- `N` = N alerts detected
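An added example of the exit-code contract in use, not part of the project: a wrapper for a scheduled or CI job that archives the report per host and fails the step whenever the scanner reports findings. `$ScriptPath` and `$ReportDir` are assumed values.

```powershell
# Added example, not the project's own code. $ScriptPath and $ReportDir are assumptions.
param(
    [string]$ScriptPath = '.\notebadpp.ps1',
    [string]$ReportDir  = 'C:\SecurityReports'
)
New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
$report = Join-Path $ReportDir "npp_scan_${env:COMPUTERNAME}_$stamp.txt"

# -NoColor keeps console colour codes out of the captured output; -ExportResults with
# -OutputPath writes the scanner's own report next to the captured console log.
$console  = & $ScriptPath -DeepHashScan -ExportResults -NoColor -OutputPath $report 2>&1
$findings = $LASTEXITCODE          # 0 = clean, N = N alerts (the scanner's exit-code contract)
$console | Set-Content -Path "$report.console.log"

if ($findings -eq 0) {
    Write-Output "[OK] $env:COMPUTERNAME: no Notepad++ supply-chain IOCs found; report: $report"
} else {
    # Do not clean up: the report and console log are evidence for the incident-response steps.
    Write-Warning "[!] $env:COMPUTERNAME: $findings alert(s); preserve $report and escalate to IT Security"
}
# Re-emit the count so a CI or RMM runner fails the step on any finding.
exit $findings
```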
- Red `[!]` - Finding detected (potential IOC)
- Green `[OK]` - Check passed (clean)
- Cyan `[*]` - Informational message
- Yellow - Section headers
- HIGH - Strong indicator of compromise, immediate action recommended
- MEDIUM - Suspicious finding, warrants investigation
Suspicious directories:

- `%APPDATA%\ProShow`
- `%APPDATA%\Adobe\Scripts`
- `%APPDATA%\Bluetooth`

Suspicious file names:

- `ProShow.exe`, `load`, `defscr`, `if.dnt`
- `alien.dll`, `alien.ini`, `script.exe`
- `BluetoothService.exe`, `log.dll`
If the scanner reports findings:
- DISCONNECT from the network immediately
- DO NOT delete files - preserve evidence
- Take screenshots of all findings
- Run a full antivirus scan (Windows Defender, Kaspersky, Malwarebytes)
- Consider Microsoft Defender Offline Scan
- If corporate machine: Contact IT Security immediately
- Assume credentials are compromised - prepare to change all passwords
- REIMAGE the machine - cleaning is not reliable for this threat
- After rebuild: Install Notepad++ v8.8.9+ from official site only
- Consider professional incident response for sensitive environments
- Attackers may have cleaned up artifacts
- Some logs may have rotated or been cleared
- Network-level IOCs require router/firewall log review
- Cannot detect all variants or future modifications
- False positives are possible
- Update Notepad++ to version 8.8.9 or later
- Download ONLY from official site: https://notepad-plus-plus.org/downloads/
- Verify file integrity via Help > About (compare hash to GitHub releases)
- Consider using the portable version (no auto-updater)
- Enable DNS logging and Sysmon for better visibility
- Review router/firewall logs for connections to known malicious domains
- Kaspersky GReAT Research - February 2026 (when available)
- Rapid7 Labs - The Chrysalis Backdoor
- Notepad++ Official Downloads
- Notepad++ GitHub Releases
- CISA Incident Reporting
Contributions are welcome! If you have additional IOCs, improvements, or bug fixes:
- Fork the repository
- Create a feature branch
- Submit a pull request
This project is licensed under the MIT License - see below:
MIT License
Copyright (c) 2026
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Created for the security community to help identify potential victims of the Notepad++ supply chain attack.
Remember: When in doubt, reimage. No scanner can guarantee 100% detection of sophisticated threats.