Notepad++ Updater DNS Query to Uncommon Domains

 1title: Notepad++ Updater DNS Query to Uncommon Domains
 2id: 2074e137-1b73-4e2d-88ba-5a3407dbdce0
 3status: experimental
 4description: |
 5    Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.
 6    This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.    
 7references:
 8    - https://notepad-plus-plus.org/news/v889-released/
 9    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
10    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
11    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
12    - https://securelist.com/notepad-supply-chain-attack/118708/
13author: Swachchhanda Shrawan Poudel (Nextron Systems)
14date: 2026-02-02
15tags:
16    - attack.collection
17    - attack.credential-access
18    - attack.t1195.002
19    - attack.initial-access
20    - attack.t1557
21logsource:
22    category: dns_query
23    product: windows
24detection:
25    selection:
26        Image|endswith: '\gup.exe'
27    filter_main_notepad_legit_domain:
28        QueryName: 'notepad-plus-plus.org'
29    filter_optional_sourceforge_legit_domain:
30        QueryName|endswith: '.sourceforge.net'
31    filter_optional_github_legit_domain:
32        - QueryName|endswith: '.githubusercontent.com'
33        - QueryName: 'github.com'
34    filter_optional_google_storage_legit_domain:
35        QueryName|endswith: '.googleapis.com'
36    # Add other known legitimate domains if any
37    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
38falsepositives:
39    - Some legitimate network misconfigurations or proxy issues causing unexpected DNS queries.
40    - Other legitimate query to official domains not listed in the filter, needing tuning.
41level: medium # can be upgraded to high after tuning with known legitimate DNS queries

References

• Notepad++ v8.8.9 release: Vulnerability-fix | Notepad++

  

  Notepad++ v8.8.9 release: Vulnerability-fix 2025-12-09 Some security experts recently reported incidents of traffic hijacking affecting Notepad++. According to the investigation, traffic from WinGU...

  
  Read More

• Notepad++ updater installed malware

  

  The updater for the open-source editor Notepad++ has installed malware on PCs. An update to Notepad++ v8.8.9 corrects this.

  
  Read More

• The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit

  

  Rapid7 Labs, together with the Rapid7 MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom.

  
  Read More

• Exploring the C2 Infrastructure of the Notepad++ Compromise | Validin

  

  How to find additional network infrastructure related to the Notepad++ Compromise

  
  Read More

• The Notepad++ supply chain attack — unnoticed execution chains and new IoCs

  

  Kaspersky GReAT experts discovered previously undocumented infection chains used in the Notepad++ supply chain attacks. The article provides new IoCs related to those incidents which employ DLL sideloading and Cobalt Strike Beacon delivery.

  
  Read More

Related rules

• Suspicious Child Process of Notepad++ Updater - GUP.Exe
• Uncommon File Created by Notepad++ Updater Gup.EXE
• Cisco BGP Authentication Failures
• Cisco LDP Authentication Failures
• Huawei BGP Authentication Failures