Impacted boxes have things like FatBeehive and other tools installed, there’s hunting guides in that blog.
Notepad++ author really good btw, quick turn around.
Also, long time followers may remember this one playing out in real time over the last few weeks - I just tooted about it in Follower mode to stop threat intel companies scraping the toots 🤣
And yes, this was (and is) a supply chain attack - just everybody was too busy whacking off about GenAI and react2shell to notice.
Since making this thread yesterday the infrastructure appears to have gone AWOL and they've nuked the DNS entries on the C2s etc etc. They had access to a bunch of orgs for 5 months, if anybody interested.
I consulted the official #GAYINT threat actor mapping chart and made this diagram for Notepad++ hack attribution
Notepad++ have today confirmed their auto process was compromised by Chinese nation state threat actors, in a supply chain hack: https://notepad-plus-plus.org/news/hijacked-incident-info-update/
This backs up my blog from late last year, with #GAYINT threat actor mapping to Funky Stamen.
The infrastructure and update mechanisms have since been tightened. For what it’s worth - entry was to telcos and financial services with interests aligned to China. Notepad++ dev did a great job treating issue seriously.
Here’s my original blog with threat hunting suggestions: https://doublepulsar.com/small-numbers-of-notepad-users-reporting-security-woes-371d7a3fd2d9
Of note - the cyber industry entirely slept through it. A cartoon porg with #GAYINT threat intelligence had to blow it up.
IOCs for Notepad++ auto update compromise. I have some more I’ll publish later.
You may notice I’d tagged the IOCs on VirusTotal as malicious months ago. https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
Kaspersky have more new IOCs for the Notepad++ activity. It’s actually different activity clusters they identified.
They’ve got most of the IOCs I’d found now although more to come.
A fun one about the Notepad++ incident is, although my toots about it auto deleted (I have my toots set to auto delete unless I bookmark them), it was first revealed on the Fediverse in followers only mode a few months ago - I had a thread running for it back then.
When in follower only mode, the C2 infrastructure was still up so I was still able to track it - they only burnt it down when I wrote the blog. So follow me to see nation state espionage get live tooted, I guess.