Notepad++ Nightmare: How a Trusted Text Editor Became a Silent Shellcode Launcher + Video


Introduction:

A sophisticated supply chain attack has compromised the popular text editor Notepad++, turning it into a stealthy vehicle for malware deployment. Attackers hijacked the update mechanism to deliver a Lua-based execution framework capable of running shellcode directly in memory, evading traditional file-based detection. This incident underscores the critical danger posed by supply chain compromises and the advanced tradecraft of state-aligned threat actors.

Learning Objectives:

  • Understand the infection chain and persistence mechanism of the Notepad++ supply chain attack.
  • Learn to identify the Lua-based, in-memory shellcode execution technique using EnumWindowStationsW.
  • Develop detection and hunting strategies for similar attacks using command-line and log analysis.

You Should Know:

  1. The Infection Chain: From Compromised Update to Silent Persistence

The attack began with the compromise of the legitimate Notepad++ update server. Users who updated their software between July and October 2025 unknowingly fetched a malicious installer. This installer deployed a downloader component, which then retrieved the final payload—a Lua script designed for in-memory execution. Persistence was achieved by registering a malicious DLL as a Windows service, ensuring survival after reboots.

Step-by-step guide:

To check for suspicious services or DLLs installed during this timeframe, use PowerShell and Windows Command Prompt.

List recently created/modified services:

Get-WmiObject Win32_Service | Where-Object { $_.PathName -like "*notepad++*" -or $_.Name -like "*np++*" } | Select Name, DisplayName, State, PathName, StartMode

Hunt for DLLs registered via `regsvr32` or similar (the `findstr` date patterns assume the US `MM/DD/YYYY` short date format; adjust them to the host's locale):

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved"
dir /s /od C:\Windows\System32\*.dll | findstr "10/2025 09/2025 08/2025 07/2025"

This initial foothold gave attackers a trusted process (notepad++.exe) to host their malicious code.
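The three checks above (service binary paths, DLLs registered for services, and DLLs written inside the attack window) as one PowerShell hunting script. This is an added example, not code from the original post or from the Notepad++ project; it assumes Windows PowerShell 5.1 or later with local administrator rights, and the directory roots it treats as trusted are assumptions you may need to widen.

```powershell
# Added hunting script; not from the original post. Assumes Windows PowerShell 5.1+
# with local administrator rights. The date window is the one the post gives
# (July to October 2025); the trusted directory roots are assumptions.
$WindowStart = Get-Date '2025-07-01'
$WindowEnd   = Get-Date '2025-10-31'

function Get-SuspiciousService {
    # Services whose binary references Notepad++, or sits outside the usual
    # program directories, deserve a closer look.
    $trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    Get-CimInstance Win32_Service | ForEach-Object {
        $cmd = $_.PathName
        if (-not $cmd) { return }
        # Strip quotes and arguments so only the executable path is compared.
        $exe = if ($cmd.StartsWith('"')) { $cmd.Split('"')[1] } else { $cmd.Split(' ')[0] }
        $inTrustedRoot = $false
        foreach ($root in $trustedRoots) { if ($exe -like "$root*") { $inTrustedRoot = $true } }
        $mentionsNpp = $cmd -match 'notepad\+\+|np\+\+'
        if ($mentionsNpp -or -not $inTrustedRoot) {
            $reason = if ($mentionsNpp) { 'references Notepad++' } else { 'outside trusted roots' }
            [pscustomobject]@{
                Name = $_.Name; State = $_.State; StartMode = $_.StartMode; Path = $exe; Reason = $reason
            }
        }
    }
}

function Get-ServiceDllHost {
    # svchost-hosted services load the DLL named in Parameters\ServiceDll. An unsigned
    # DLL, or one outside System32, matches the "DLL registered as a service" pattern.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath "$($_.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue
        if ($null -eq $p) { return }
        $dll = [Environment]::ExpandEnvironmentVariables($p.ServiceDll)
        $recent = $false
        if (Test-Path -LiteralPath $dll) {
            $lw = (Get-Item -LiteralPath $dll).LastWriteTime
            $recent = ($lw -ge $WindowStart -and $lw -le $WindowEnd)
            $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
        } else {
            $sig = 'FileMissing'
        }
        if ($sig -ne 'Valid' -or $dll -notlike "$env:SystemRoot\System32\*") {
            [pscustomobject]@{
                Service = $_.PSChildName; ServiceDll = $dll; Signature = $sig; WrittenInWindow = $recent
            }
        }
    }
}

function Get-UnsignedDllWrittenInWindow {
    # PowerShell equivalent of the dir/findstr step, independent of the locale's
    # date format and narrowed to DLLs whose Authenticode signature does not verify.
    param([string]$Directory = "$env:SystemRoot\System32")
    Get-ChildItem -Path $Directory -Filter *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $WindowStart -and $_.LastWriteTime -le $WindowEnd } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{ File = $_.FullName; LastWrite = $_.LastWriteTime; Signature = $sig.Status }
            }
        }
}

Get-SuspiciousService          | Format-Table -AutoSize
Get-ServiceDllHost             | Format-Table -AutoSize
Get-UnsignedDllWrittenInWindow | Sort-Object LastWrite | Format-Table -AutoSize
```

`Get-ServiceDllHost` lists the signature status alongside the write time rather than alerting on the write time alone, because Windows updates in the same months will have rewritten many legitimately signed System32 DLLs; an unsigned or missing DLL is the signal, and the timestamp is context for triage.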

  2. The Core Trick: Lua Scripts and the `EnumWindowStationsW` API

The payload’s ingenuity lies in its use of Notepad++’s built-in Lua scripting engine. Attackers embedded malicious Lua code that used the Windows API call `EnumWindowStationsW` as a shellcode execution function. This technique allocates memory, writes position-independent shellcode, and executes it without ever touching the disk, a method known as “Living-off-the-Land” (LOL) via a trusted application.

Step-by-step guide:

Analyze process memory for signs of this technique.

Use `tasklist` to find Notepad++ PID:

tasklist /v | findstr /i "notepad++"

Inspect the process with `pmap` (from Sysinternals Suite) or via a memory analysis tool:

pmap.exe -x [Notepad++_PID]

Look for unexpected memory regions with READ-WRITE-EXECUTE (RWX) permissions, which are a strong indicator of shellcode injection.

  3. Evasion Mastery: Constantly Rotating Infrastructure

The attackers displayed operational security by rotating Command and Control (C2) servers, downloader URLs, and payload hashes every few weeks. This “infrastructure agility” made static blocklisting of IoCs (Indicators of Compromise) largely ineffective shortly after publication.

Step-by-step guide:

Network hunting for suspicious outbound connections from Notepad++.

On Windows, use `netstat` to see active connections from the process:

netstat -ano | findstr [Notepad++_PID]

On a network sensor (Linux-based SIEM/IDS), create a rule to alert on Notepad++ making web calls:

# Suricata/Snort-style rule concept
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"SUSPICIOUS - Notepad++ HTTP Request"; flow:established,to_server; http.host; content:"notepad-plus-plus.org"; nocase; sid:1000001; rev:1;)

Correlate this with connections to newly registered domains or low-reputation IPs.
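On the endpoint itself the process-to-destination link that a network sensor cannot see is available directly. The script below is an added example, not code from the original post: it gives the live view of the `netstat` step through `Get-NetTCPConnection`, and the historical view from Sysmon Event ID 3 (network connection) when Sysmon is installed, flagging any Notepad++ destination that is not on an allowlist. The allowlist entry is an assumption standing in for whatever update hosts your policy permits.

```powershell
# Added example; not from the original post. Assumes PowerShell 5.1+ on Windows 8 or
# later (for Get-NetTCPConnection) and, for history, Sysmon logging Event ID 3.
$AllowedHosts = @('notepad-plus-plus.org')   # assumption: hosts the update policy permits

function Get-LiveNppConnection {
    # Equivalent of "netstat -ano | findstr <PID>", resolved for every Notepad++ process.
    $nppPids = (Get-Process -Name 'notepad++' -ErrorAction SilentlyContinue).Id
    if (-not $nppPids) { return }
    Get-NetTCPConnection -OwningProcess $nppPids -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Listen' -and $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1') } |
        Select-Object OwningProcess, LocalPort, RemoteAddress, RemotePort, State, CreationTime
}

function Get-SysmonNppConnection {
    # Sysmon EID 3 records Image, DestinationIp/Hostname and DestinationPort per connection.
    param([datetime]$Since = (Get-Date).AddDays(-30))
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.Image -notmatch 'notepad\+\+\.exe$') { return }
        $dest = if ($data.DestinationHostname) { $data.DestinationHostname } else { $data.DestinationIp }
        $allowed = $false
        foreach ($h in $AllowedHosts) { if ($dest -like "*$h") { $allowed = $true } }
        [pscustomobject]@{
            Time        = $data.UtcTime
            Pid         = $data.ProcessId
            User        = $data.User
            Destination = $dest
            Port        = $data.DestinationPort
            Allowed     = $allowed
        }
    } | Where-Object { -not $_.Allowed }
}

"== Live connections owned by notepad++.exe"
Get-LiveNppConnection | Format-Table -AutoSize
"== Sysmon history: notepad++.exe connections outside the allowlist (last 30 days)"
Get-SysmonNppConnection | Format-Table -AutoSize
```

Because the text notes that the C2 addresses rotate every few weeks, the Sysmon query deliberately keys on the process and an allowlist rather than on a blocklist of known IPs; the output is what you then enrich with domain age and reputation.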

  4. Detection & Forensics: Hunting for the Lua Payload

The malicious Lua script must be extracted from memory or disk for analysis. It may be stored in Notepad++’s plugin directory or within a crafted configuration file.

Step-by-step guide:

Search for anomalous Lua files.

On a Windows endpoint:

dir /s /b "C:\Program Files\Notepad++\plugins\*.lua"
for /d %u in (C:\Users\*) do @dir /s /b "%u\AppData\Roaming\Notepad++\*.lua" 2>nul

Check file hashes against known IoCs (from the report). Use PowerShell to get hashes:

Get-FileHash -Path "C:\path\to\suspicious.lua" -Algorithm SHA256

Compare the output to the SHA256 hashes published in the threat report (linked in the original post).
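The file search, hashing and IoC comparison as one PowerShell pass, with one addition the text implies but does not script: because the hashes rotate, the scan also looks inside each Lua file for the API names the post associates with the technique, so a script with a fresh hash still surfaces. This is an added example, not code from the original post; the hash values are placeholders to be replaced with those from the threat report, and the token list is an assumption about what an editor macro would not normally reference.

```powershell
# Added example; not from the original post. Assumes PowerShell 5.1+ with read access
# to Program Files and every user's AppData. Hash values are placeholders: paste the
# SHA256 values from the threat report in their place.
$KnownBadSha256 = @(
    'PLACEHOLDER_SHA256_FROM_THREAT_REPORT_1',
    'PLACEHOLDER_SHA256_FROM_THREAT_REPORT_2'
)
# Assumption: API names an ordinary editor script has no reason to mention.
$SuspiciousTokens = @('EnumWindowStationsW', 'VirtualAlloc', 'VirtualProtect', 'ffi.cdef', 'ffi.cast')

function Get-LuaSearchRoot {
    # Plugin directory (both Program Files locations) plus each user's roaming Notepad++ folder.
    $roots = @("$env:ProgramFiles\Notepad++\plugins", "${env:ProgramFiles(x86)}\Notepad++\plugins")
    $roots += Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
              ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Notepad++' }
    $roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
}

function Find-SuspiciousLuaFile {
    foreach ($root in Get-LuaSearchRoot) {
        Get-ChildItem -Path $root -Filter *.lua -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            # MatchInfo.Pattern names which token matched; -SimpleMatch avoids regex meaning in the tokens.
            $tokens = Select-String -LiteralPath $_.FullName -Pattern $SuspiciousTokens -SimpleMatch |
                      Select-Object -ExpandProperty Pattern -Unique
            $knownBad = $KnownBadSha256 -contains $hash
            if ($knownBad -or $tokens) {
                [pscustomobject]@{
                    File      = $_.FullName
                    SHA256    = $hash
                    KnownBad  = $knownBad
                    Tokens    = ($tokens -join ', ')
                    LastWrite = $_.LastWriteTime
                }
            }
        }
    }
}

Find-SuspiciousLuaFile | Format-List
```

Preserve any hit before opening it in an editor: copy the file with its timestamps intact and record the hash first, since the write time is part of the timeline you will want to correlate with the update window and the service creation found earlier.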

  5. Mitigation & Hardening: Securing the Software Supply Chain

This attack highlights the need for robust software update integrity checks and application allowlisting.

Step-by-step guide:

Implement controls to prevent execution from untrusted paths.

Enable Windows Defender Application Control (WDAC) or AppLocker policies:

# Example: Create a WDAC policy allowing only signed software from trusted publishers
New-CIPolicy -Level Publisher -FilePath "C:\Temp\BasePolicy.xml" -UserPEs

Enforce code signing verification for scripts (including Lua) via Group Policy:

Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on Script Execution. Set to “Allow only signed scripts”.

Network Segmentation: Restrict outbound internet access for development tools and non-browser applications using firewall rules.
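The three host-side controls above, scripted: an installer signature check to run before any update is applied, a host firewall egress block for notepad++.exe, and the WDAC publisher policy built in audit mode first so that it logs rather than blocks while you review its hits. This is an added example and not code from the original post or the Notepad++ project; the installer path, the expected signer string and the policy file locations are assumptions.

```powershell
# Added example; not from the original post. Assumes PowerShell 5.1+ as administrator
# on Windows 10/11 or Server 2016+ (ConfigCI and NetSecurity modules present).

function Test-InstallerSignature {
    # Gate an update on a valid Authenticode signature from the expected publisher,
    # rather than on the download having come from the expected URL.
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: substring expected in the signing certificate's Subject.
        [string]$ExpectedSignerPattern = 'CN=EXPECTED-PUBLISHER-NAME'
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status                # Valid, NotSigned, HashMismatch, ...
        Signer  = $subject
        Trusted = ($sig.Status -eq 'Valid' -and $subject -like "*$ExpectedSignerPattern*")
    }
}

function Set-NppEgressBlock {
    # Outbound block for the editor process; updates then need an explicit allow
    # rule or a manual, signature-checked download.
    param([string]$ExePath = "$env:ProgramFiles\Notepad++\notepad++.exe")
    $name = 'Block Notepad++ outbound'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $ExePath `
                            -Action Block -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name | Select-Object DisplayName, Enabled, Direction, Action
}

function New-AuditModeWdacPolicy {
    # Publisher-level rules from a scan of installed user-mode binaries, falling back to
    # hash rules for unsigned files. Option 3 is Enabled:Audit Mode.
    param(
        [string]$XmlPath = "$env:TEMP\BasePolicy.xml",
        [string]$BinPath = "$env:TEMP\BasePolicy.bin"
    )
    New-CIPolicy -Level Publisher -Fallback Hash -FilePath $XmlPath -UserPEs
    Set-RuleOption -FilePath $XmlPath -Option 3
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $BinPath
    $BinPath
}

# Usage (paths are assumptions):
Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\npp-installer.exe" | Format-List
Set-NppEgressBlock | Format-Table -AutoSize
$policy = New-AuditModeWdacPolicy
"Audit-mode WDAC policy written to $policy; review CodeIntegrity operational log hits before enforcing."
```

`New-CIPolicy` scans the whole system drive by default and can run for a long time; audit mode matters here because a publisher-level policy built from one machine will usually miss tools present elsewhere, and the Code Integrity event log tells you what to add before switching the option off to enforce.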

What Undercode Say:

  • Trust is the Ultimate Vulnerability. This attack weaponizes the implicit trust users and systems have in a widely used, reputable open-source project. It’s a stark reminder that no software, regardless of its reputation, is immune to supply chain compromise.
  • Fileless is Frictionless. The shift towards in-memory, fileless execution using legitimate application features (like the Lua engine) represents the new frontier of stealth. Detection must now heavily focus on behavior, process memory anomalies, and lateral movement rather than just static files on disk.

The Notepad++ incident is a blueprint for future high-end supply chain attacks. We predict a significant increase in attacks targeting niche but critical developer tools (text editors, package managers, version control plugins) used by IT professionals. These tools offer high privileges, trusted processes, and often lack rigorous security oversight. The future will see more “living-off-the-trusted-application” techniques, blending seamlessly with normal operations and forcing a paradigm shift from signature-based detection to continuous behavior and attestation-based security models.

Reported By: Jamie Williams – Hackers Feeds