Notepad++ Users, You May Have Been Hacked by China

China's State-Backed Hackers Hijacked Notepad++ Update Infrastructure, Delivering a Backdoored Version to Select Targets

In a major cyber espionage operation, suspected Chinese state-backed hackers hijacked the update infrastructure for Notepad++, a widely used text editor for Windows. The attack lasted for six months, allowing the attackers to deliver a backdoored version of the app to select targets.

According to independent researcher Kevin Beaumont, the attackers exploited an "infrastructure-level" vulnerability in Notepad++'s update process, which allowed them to intercept and redirect update traffic destined for notepad-plus-plus.org. They then selectively redirected certain targeted users to malicious update servers, where those users received backdoored updates.

The attackers installed a custom, feature-rich backdoor, dubbed Chrysalis, which has been described as "sophisticated and permanent." The payload had never been seen before, which indicates that the attackers had significant resources at their disposal.

Experts warn that the vulnerabilities in Notepad++'s update process were easily exploitable and could have been fixed with sufficient resources. The attack highlights the risks associated with relying on third-party services for software updates, particularly when those services are vulnerable to cyber espionage.

To mitigate this risk, users are advised to run official version 8.8.8 or higher, installed manually from notepad-plus-plus.org. Larger organizations should consider blocking notepad-plus-plus.org or blocking the gup.exe process from having internet access.
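
One way to apply both pieces of advice on a Windows host, as an added example that is not from the article or the Notepad++ project: it reports each install older than 8.8.8 and, with `-Apply`, adds an outbound firewall block for the gup.exe found beside it. The search roots, the rule name, and the assumption that the binary's numeric file version matches the release number are choices made for this example.

```powershell
# Added example (not from the article). Run from an elevated prompt.
# Without -Apply it only reports; with -Apply it creates the firewall rules.
param([switch]$Apply)

$MinVersion = [version]'8.8.8'   # minimum version named in the article

# Assumption: common install roots. Add portable-copy locations as needed.
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:LOCALAPPDATA\Programs") |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$editors = Get-ChildItem -LiteralPath $Roots -Filter 'notepad++.exe' -File `
    -Recurse -Depth 2 -ErrorAction SilentlyContinue

foreach ($exe in $editors) {
    # Assumption: the numeric file version equals the release number.
    $vi  = $exe.VersionInfo
    $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)

    # Only look for gup.exe inside this install directory, so other
    # software that ships an updater with the same name is not touched.
    $updaters = @(Get-ChildItem -LiteralPath $exe.DirectoryName -Filter 'gup.exe' `
        -File -Recurse -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Path         = $exe.FullName
        Version      = $ver
        BelowMinimum = ($ver -lt $MinVersion)
        Updaters     = $updaters.FullName -join '; '
    }

    foreach ($gup in $updaters) {
        $ruleName = "Block Notepad++ updater ($($gup.FullName))"   # hypothetical rule name
        if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
            continue   # rule already present
        }
        if ($Apply) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Outbound `
                -Program $gup.FullName -Action Block -Profile Any | Out-Null
        } else {
            Write-Host "Would block outbound traffic for $($gup.FullName)"
        }
    }
}
```

The version column only reports what is installed now; it says nothing about which updates the host received earlier.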
 
I'm freaking out about this cyber espionage op 🚨💻. If a state-backed hacker group can take down Notepad++'s update infrastructure, just imagine what other popular software is vulnerable 😱. This is a massive reminder that we need to be super careful when relying on third-party services for updates. Manual updates only from now on, folks! 💼🔧
 
omg have you guys tried that new virtual reality headset? 🤯 i was at this festival last weekend and they had these VR stations set up and it was SO COOL! u can just put on a headset and explore virtual worlds, like actual worlds. not sure if it's worth the price tho... but it looks so dope 😎
 
🤔 just found out that those China-state hackers hijacked Notepad++ update infrastructure 🚨 and now I'm super concerned about my work laptop, gotta upgrade to official version ASAP 💻! Six months is a looong time for these attackers to be sneaking around in the shadows, they must've had some serious resources at their disposal 💸. Anyone else worried about this? 🤷‍♂️
 
I'm so worried about all you Notepad++ users out there 🤯! I mean, who knew those update servers could be hijacked? I've got a 10-year-old at home and she loves playing around with coding, poor kid's gonna be in for it if this was happening when she started learning 😱. Can't believe the attackers had all that time to exploit this vulnerability for six months - that's just plain creepy 🐜. On the bright side, Notepad++'s team did manage to release an updated version with a fix, so fingers crossed nobody got totally taken advantage of 🤞. But still, gotta keep an eye on those updates, y'know?
 
I'm really worried about Notepad++ getting hacked like this... I use it all the time for coding and stuff. I mean, what if they got a hold of my project files? 🤯😬 Anyway, I think it's super lame that these hackers can just take advantage of vulnerable software updates like this. Can't we just get our tech companies to double-check their stuff before releasing new versions? 🙄 It's like, easy peasy to fix vulnerabilities if you've got the resources... but I guess some people don't care about security as much as others do. 😒
 