Uncommon File Created by Notepad++ Updater Gup.EXE
Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations. This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
Sigma rule

title: Uncommon File Created by Notepad++ Updater Gup.EXE
id: 3b8f4c92-6a51-4d7e-9c3a-8e2d1f5a7b09
status: experimental
description: |
    Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
    This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
references:
    - https://notepad-plus-plus.org/news/v889-released/
    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
    - https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-03
modified: 2026-03-16
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1195.002
    - attack.initial-access
    - attack.t1557
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\gup.exe'
    filter_main_legit_paths:
        TargetFilename|startswith:
            - 'C:\Program Files\Notepad++\'
            - 'C:\Program Files (x86)\Notepad++\'
    filter_main_temp_update_installer:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - 'npp.'
            - '.Installer.'
            - '.exe'
    filter_main_temp_generic_zip:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - '.zip'
    filter_main_recycle_bin:
        TargetFilename|startswith: 'C:\$Recycle.Bin\S-1-5-21'
    filter_main_plugins:
        - TargetFilename|contains:
              - '\plugins\JsonTools\testfiles\'
              - '\Notepad++\plugins\ComparePlugin\'
        - TargetFilename|contains|all:
              - 'npp.'
              - '.portable.'
              - '\plugins\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Custom or portable Notepad++ installations in non-standard directories.
    - Legitimate update processes creating temporary files in unexpected locations.
level: high
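To see how the condition "selection and not 1 of filter_main_*" behaves on real-looking file events, here is a small Python evaluator, added as an example (it is not code from the Sigma project, the rule author or this page). It re-implements only the modifiers this rule uses (endswith, startswith, contains, contains|all), applies the case-insensitive matching Sigma uses by default, treats the two keys inside one filter map as AND and the YAML list form of filter_main_plugins as OR, and runs the result over constructed file_event records. The field names Image and TargetFilename come from the rule; the gup.exe location and every sample target path are constructed for the example.

```python
"""Hypothetical evaluator for the Sigma rule above: an added example, not code
from the Sigma project, the rule author or the page. It re-implements the
rule's selection, its five filter_main_* exclusions and the condition
'selection and not 1 of filter_main_*' over constructed file_event records."""
from typing import Callable, Dict, Iterable, List

Event = Dict[str, str]


# Sigma string matching is case-insensitive by default, so both the rule
# value and the event field are lower-cased before every comparison.
def _starts_with(value: str, prefixes: Iterable[str]) -> bool:
    v = value.lower()
    return any(v.startswith(p.lower()) for p in prefixes)


def _contains_all(value: str, needles: Iterable[str]) -> bool:
    v = value.lower()
    return all(n.lower() in v for n in needles)


def _contains_any(value: str, needles: Iterable[str]) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def selection(event: Event) -> bool:
    """selection: Image|endswith '\\gup.exe'."""
    return event.get("Image", "").lower().endswith("\\gup.exe")


def filter_legit_paths(target: str) -> bool:
    return _starts_with(target, ["C:\\Program Files\\Notepad++\\",
                                 "C:\\Program Files (x86)\\Notepad++\\"])


def filter_temp_update_installer(target: str) -> bool:
    # Two keys inside one filter map are ANDed: startswith AND contains|all.
    return _starts_with(target, ["C:\\Users\\"]) and _contains_all(
        target, ["\\AppData\\Local\\Temp\\", "npp.", ".Installer.", ".exe"])


def filter_temp_generic_zip(target: str) -> bool:
    return _starts_with(target, ["C:\\Users\\"]) and _contains_all(
        target, ["\\AppData\\Local\\Temp\\", ".zip"])


def filter_recycle_bin(target: str) -> bool:
    return _starts_with(target, ["C:\\$Recycle.Bin\\S-1-5-21"])


def filter_plugins(target: str) -> bool:
    # filter_main_plugins is a YAML list of two maps, which Sigma ORs.
    return _contains_any(target, ["\\plugins\\JsonTools\\testfiles\\",
                                  "\\Notepad++\\plugins\\ComparePlugin\\"]) \
        or _contains_all(target, ["npp.", ".portable.", "\\plugins\\"])


FILTERS: Dict[str, Callable[[str], bool]] = {
    "filter_main_legit_paths": filter_legit_paths,
    "filter_main_temp_update_installer": filter_temp_update_installer,
    "filter_main_temp_generic_zip": filter_temp_generic_zip,
    "filter_main_recycle_bin": filter_recycle_bin,
    "filter_main_plugins": filter_plugins,
}


def matching_filters(target: str) -> List[str]:
    """Names of the filter_main_* entries that exclude this path (tuning aid)."""
    return [name for name, f in FILTERS.items() if f(target)]


def rule_matches(event: Event) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    if not selection(event):
        return False
    return not matching_filters(event.get("TargetFilename", ""))


def evaluate(events: Iterable[Event]) -> List[str]:
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if rule_matches(e)]


# Constructed sample records (Sysmon file-create style fields). The gup.exe
# location and every target path below are made up for this example.
GUP = "C:\\Program Files\\Notepad++\\updater\\gup.exe"
SAMPLE_EVENTS: List[Event] = [
    # Update installer dropped in %TEMP%: excluded by filter_main_temp_update_installer
    {"Image": GUP, "TargetFilename":
     "C:\\Users\\alice\\AppData\\Local\\Temp\\npp.8.8.9.Installer.x64.exe"},
    # Write inside the install directory, upper-cased image path: still excluded
    {"Image": GUP.upper(), "TargetFilename":
     "C:\\Program Files\\Notepad++\\plugins\\Config\\example.ini"},
    # Plugin archive in %TEMP%: excluded by filter_main_temp_generic_zip
    {"Image": GUP, "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\nppPlugins.zip"},
    # Recycle Bin: excluded by filter_main_recycle_bin
    {"Image": GUP, "TargetFilename":
     "C:\\$Recycle.Bin\\S-1-5-21-1111-2222-3333-1001\\$RX1Y2Z.exe"},
    # Same uncommon path but a different process: selection does not match
    {"Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\ProgramData\\update\\helper.dll"},
    # gup.exe writing outside every allowed location: these two alert
    {"Image": GUP, "TargetFilename": "C:\\ProgramData\\update\\helper.dll"},
    {"Image": GUP, "TargetFilename": "C:\\Users\\alice\\Documents\\readme.exe"},
]

if __name__ == "__main__":
    for path in evaluate(SAMPLE_EVENTS):
        print("ALERT:", path)
```

The matching_filters helper is the part worth keeping when tuning: feeding it the paths from the false-positive cases listed in the rule (portable installs, unusual temp locations) shows immediately which exclusion, if any, already covers them and which would need a new filter_main_* entry.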
Related rules
- Notepad++ Updater DNS Query to Uncommon Domains
- Suspicious Child Process of Notepad++ Updater - GUP.Exe