Suspicious Child Process of Notepad++ Updater - GUP.Exe

 1title: Suspicious Child Process of Notepad++ Updater - GUP.Exe
 2id: bb0e87ce-c89f-4857-84fa-095e4483e9cb
 3status: experimental
 4description: |
 5    Detects suspicious child process creation by the Notepad++ updater process (gup.exe).
 6    This could indicate potential exploitation of the updater component to deliver unwanted malware.    
 7references:
 8    - https://notepad-plus-plus.org/news/v889-released/
 9    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
10    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
11    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
12    - https://securelist.com/notepad-supply-chain-attack/118708/
13author: Swachchhanda Shrawan Poudel (Nextron Systems)
14date: 2026-02-03
15tags:
16    - attack.collection
17    - attack.credential-access
18    - attack.t1195.002
19    - attack.initial-access
20    - attack.t1557
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection_parent:
26        ParentImage|endswith: '\gup.exe'
27    selection_child_img:
28        Image|endswith:
29            - '\cmd.exe'
30            - '\powershell.exe'
31            - '\pwsh.exe'
32            - '\cscript.exe'
33            - '\wscript.exe'
34            - '\mshta.exe'
35    selection_child_cli:
36        CommandLine|contains:
37            - 'bitsadmin'
38            - 'certutil'
39            - 'curl'
40            - 'finger'
41            - 'forfiles'
42            - 'regsvr32'
43            - 'rundll32'
44            - 'wget'
45    condition: selection_parent and 1 of selection_child_*
46falsepositives:
47    - Unlikely
48level: high

References

• Notepad++ v8.8.9 release: Vulnerability-fix | Notepad++

  

  Notepad++ v8.8.9 release: Vulnerability-fix 2025-12-09 Some security experts recently reported incidents of traffic hijacking affecting Notepad++. According to the investigation, traffic from WinGU...

  
  Read More

• Notepad++ updater installed malware

  

  The updater for the open-source editor Notepad++ has installed malware on PCs. An update to Notepad++ v8.8.9 corrects this.

  
  Read More

• The Chrysalis Backdoor: A Deep Dive into Lotus Blossom’s toolkit

  

  Rapid7 Labs, together with the Rapid7 MDR team, has uncovered a sophisticated campaign attributed to the Chinese APT group Lotus Blossom.

  
  Read More

• Exploring the C2 Infrastructure of the Notepad++ Compromise | Validin

  

  How to find additional network infrastructure related to the Notepad++ Compromise

  
  Read More

• The Notepad++ supply chain attack — unnoticed execution chains and new IoCs

  

  Kaspersky GReAT experts discovered previously undocumented infection chains used in the Notepad++ supply chain attacks. The article provides new IoCs related to those incidents which employ DLL sideloading and Cobalt Strike Beacon delivery.

  
  Read More

Related rules

• Notepad++ Updater DNS Query to Uncommon Domains
• Uncommon File Created by Notepad++ Updater Gup.EXE
• Cisco BGP Authentication Failures
• Cisco LDP Authentication Failures
• Huawei BGP Authentication Failures