Notepad++ Updater DNS Query to Uncommon Domains

Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains outside the known legitimate update infrastructure (notepad-plus-plus.org and the GitHub, SourceForge and Google storage hosts it downloads from). A query from gup.exe to any other domain may indicate that the update mechanism has been redirected or abused, or other suspicious network activity, and warrants further investigation.

Sigma rule

title: Notepad++ Updater DNS Query to Uncommon Domains
id: 2074e137-1b73-4e2d-88ba-5a3407dbdce0
status: experimental
description: |
    Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.
    This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
references:
    - https://notepad-plus-plus.org/news/v889-released/
    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
    - https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-02
modified: 2026-03-16
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1195.002
    - attack.initial-access
    - attack.t1557
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        Image|endswith: '\gup.exe'
    filter_main_notepad_legit_domain:
        QueryName: 'notepad-plus-plus.org'
    filter_optional_sourceforge_legit_domain:
        QueryName|endswith: '.sourceforge.net'
    filter_optional_github_legit_domain:
        - QueryName|endswith: '.githubusercontent.com'
        - QueryName: 'github.com'
    filter_optional_google_storage_legit_domain:
        QueryName|endswith: '.googleapis.com'
    filter_optional_uncommon_domains:
        QueryName|endswith:
            - '.azurewebsites.net'
            - 'block.opendns.com'
            - 'gateway.zscalerthree.net'
    # Add other known legitimate domains if any
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Some legitimate network misconfigurations or proxy issues causing unexpected DNS queries.
    - Other legitimate queries to official domains not listed in the filter, needing tuning.
level: medium # can be upgraded to high after tuning with known legitimate DNS queries
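To see exactly which events the condition above fires on, the following Python script re-implements the rule's selection and filter logic and runs it over a handful of constructed Sysmon Event ID 22 (DNS query) records. This is an added example written for this page, not code from the Sigma project or from the rule author; the event records, the `update.example.invalid` domain and the install path under `C:\Program Files\Notepad++\updater\` are constructed test data. It follows Sigma's default of case-insensitive string matching, which is why `GUP.exe` still satisfies `Image|endswith: '\gup.exe'`.

```python
"""Evaluate the 'Notepad++ Updater DNS Query to Uncommon Domains' logic over sample events.

Added example: the field names (Image, QueryName) follow Sysmon Event ID 22 as mapped by
Sigma's windows/dns_query logsource; the events below are constructed, not real telemetry.
"""

# selection: Image|endswith: '\gup.exe'
SELECTION_IMAGE_SUFFIX = "\\gup.exe"

# Exact-match filters from the rule (QueryName: '...'), lowercased for comparison.
FILTER_EXACT = {
    "notepad-plus-plus.org",   # filter_main_notepad_legit_domain
    "github.com",              # filter_optional_github_legit_domain
}

# Suffix filters from the rule (QueryName|endswith: '...'), lowercased for comparison.
FILTER_SUFFIXES = (
    ".sourceforge.net",        # filter_optional_sourceforge_legit_domain
    ".githubusercontent.com",  # filter_optional_github_legit_domain
    ".googleapis.com",         # filter_optional_google_storage_legit_domain
    ".azurewebsites.net",      # filter_optional_uncommon_domains
    "block.opendns.com",
    "gateway.zscalerthree.net",
)


def matches_selection(event: dict) -> bool:
    """True when the querying process image ends with \\gup.exe (case-insensitive, as in Sigma)."""
    return event.get("Image", "").casefold().endswith(SELECTION_IMAGE_SUFFIX)


def is_filtered(query_name: str) -> bool:
    """True when QueryName hits any filter_main_* or filter_optional_* clause."""
    q = query_name.casefold()
    return q in FILTER_EXACT or any(q.endswith(suffix) for suffix in FILTER_SUFFIXES)


def matches_rule(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    return matches_selection(event) and not is_filtered(event.get("QueryName", ""))


def alerting_queries(events: list[dict]) -> list[str]:
    """Return the QueryName of every event the rule would alert on, in input order."""
    return [e["QueryName"] for e in events if matches_rule(e)]


# Constructed sample events (not real logs). GUP_PATH is an assumed install location.
GUP_PATH = r"C:\Program Files\Notepad++\updater\GUP.exe"
NPP_PATH = r"C:\Program Files\Notepad++\notepad++.exe"
SAMPLE_EVENTS = [
    {"Image": GUP_PATH, "QueryName": "notepad-plus-plus.org"},          # main filter
    {"Image": GUP_PATH, "QueryName": "github.com"},                     # exact github filter
    {"Image": GUP_PATH, "QueryName": "objects.githubusercontent.com"},  # suffix github filter
    {"Image": GUP_PATH, "QueryName": "storage.googleapis.com"},         # google storage filter
    {"Image": GUP_PATH, "QueryName": "gateway.zscalerthree.net"},       # proxy filter
    {"Image": GUP_PATH, "QueryName": "update.example.invalid"},         # unknown domain -> alert
    {"Image": GUP_PATH, "QueryName": "sourceforge.net"},                # apex, not '.sourceforge.net' -> alert
    {"Image": NPP_PATH, "QueryName": "update.example.invalid"},         # not gup.exe -> ignored
]


if __name__ == "__main__":
    for name in alerting_queries(SAMPLE_EVENTS):
        print(f"ALERT: gup.exe queried {name}")
```

Two details of the run are worth noticing when tuning. The `notepad++.exe` event never reaches the filters because the selection restricts the rule to `gup.exe`, so DNS activity from the editor itself is out of scope. And because the SourceForge filter is `endswith: '.sourceforge.net'` with a leading dot, a query for the bare apex `sourceforge.net` is not filtered and would alert; whether that is a gap or the intended behaviour depends on whether gup.exe is ever observed querying the apex in your environment, which is exactly the kind of tuning the `level` comment in the rule refers to.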
