Uncommon File Created by Notepad++ Updater Gup.EXE

 1title: Uncommon File Created by Notepad++ Updater Gup.EXE
 2id: 3b8f4c92-6a51-4d7e-9c3a-8e2d1f5a7b09
 3status: experimental
 4description: |
 5    Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
 6    This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.    
 7references:
 8    - https://notepad-plus-plus.org/news/v889-released/
 9    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
10    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
11    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
12    - https://securelist.com/notepad-supply-chain-attack/118708/
13author: Swachchhanda Shrawan Poudel (Nextron Systems)
14date: 2026-02-03
15tags:
16    - attack.collection
17    - attack.credential-access
18    - attack.t1195.002
19    - attack.initial-access
20    - attack.t1557
21logsource:
22    category: file_event
23    product: windows
24detection:
25    selection:
26        Image|endswith: '\gup.exe'
27    filter_main_legit_paths:
28        TargetFilename|startswith:
29            - 'C:\Program Files\Notepad++\'
30            - 'C:\Program Files (x86)\Notepad++\'
31    filter_main_temp_update_installer:
32        TargetFilename|startswith: 'C:\Users\'
33        TargetFilename|contains|all:
34            - '\AppData\Local\Temp\'
35            - 'npp.'
36            - '.Installer.'
37            - '.exe'
38    filter_main_temp_generic_zip:
39        TargetFilename|startswith: 'C:\Users\'
40        TargetFilename|contains|all:
41            - '\AppData\Local\Temp\'
42            - '.zip'
43    filter_main_recycle_bin:
44        TargetFilename|startswith: 'C:\$Recycle.Bin\S-1-5-21'
45    condition: selection and not 1 of filter_main_*
46falsepositives:
47    - Custom or portable Notepad++ installations in non-standard directories.
48    - Legitimate update processes creating temporary files in unexpected locations.
49level: high

References

• Notepad++ v8.8.9 release: Vulnerability-fix | Notepad++

  

  Notepad++ v8.8.9 release: Vulnerability-fix 2025-12-09 Some security experts recently reported incidents of traffic hijacking affecting Notepad++. According to the investigation, traffic from WinGU...

  
  Read More

• Notepad++ updater installed malware

  

  The updater for the open-source editor Notepad++ has installed malware on PCs. An update to Notepad++ v8.8.9 corrects this.

  
  Read More

• The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit

  

  Rapid7 Labs, together with the Rapid7 MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom.

  
  Read More

• Exploring the C2 Infrastructure of the Notepad++ Compromise | Validin

  

  How to find additional network infrastructure related to the Notepad++ Compromise

  
  Read More

• The Notepad++ supply chain attack — unnoticed execution chains and new IoCs

  

  Kaspersky GReAT experts discovered previously undocumented infection chains used in the Notepad++ supply chain attacks. The article provides new IoCs related to those incidents which employ DLL sideloading and Cobalt Strike Beacon delivery.

  
  Read More

Related rules

• Notepad++ Updater DNS Query to Uncommon Domains
• Suspicious Child Process of Notepad++ Updater - GUP.Exe
• Cisco BGP Authentication Failures
• Cisco LDP Authentication Failures
• Huawei BGP Authentication Failures