Executive Summary
This hunt focused on three outcome areas:
- Exposure identification: which users/devices had Notepad++ installed and whether updates occurred during the risk-relevant period.
- IOC validation: whether known malicious hashes, IPs, and domains were observed in endpoint and network telemetry.
- Behavioural hunting (IOAs): whether gup.exe exhibited suspicious network or process behaviour consistent with malicious update workflows.
Result: While multiple users had Notepad++ installed, only ~30% had updated during the timeframe when the security issue was observed. No evidence of malicious activity linked to the reported WinGup compromise was identified in the client infrastructure based on available telemetry and retention.
Why This Hunt Matters
Supply chain compromise scenarios are high impact because attackers can leverage trusted software distribution paths to gain access without typical phishing or exploit precursors. In this case, public reporting clarified:
- Notepad++ was not directly compromised; the issue involved the auto-updater component (WinGup).
- The campaign was reported as highly selective, targeting high-value organisations (unlike random mass distribution).
- Validating environment safety requires more than “no alerts”; it requires a proactive check for:
  - update execution evidence,
  - known IoCs,
  - and suspicious updater behaviours.
This hunt provides evidence-based assurance that controls and telemetry can support rapid confirmation of exposure and compromise risk, particularly for selective targeting scenarios.
Hunt Objective & Hypothesis
Objective
To determine whether endpoints in the environment show evidence of:
- Notepad++ presence and updates in the last 12 months (exposure and update coverage),
- execution of malicious updater-related artefacts,
- connections to known malicious infrastructure,
- suspicious behaviour involving gup.exe / update.exe consistent with compromise.
Hypothesis
If WinGup was exploited within the environment, then affected endpoints would exhibit at least one of the following:
- presence/execution of known malicious files (hash matches),
- outbound traffic to reported malicious IPs/domains,
- anomalous process lineage where gup.exe spawns unexpected binaries and/or initiates suspicious external connections as part of an update workflow.
Threat Model: Remcos Style Tradecraft
Trigger
Important Clarification: Notepad++ Security Incident (published 2026-02-05) describing exploitation of the WinGup auto-updater via a compromise of a former hosting provider’s infrastructure, attributed to a state-sponsored actor targeting select organisations.
Threat model focus (high level)
- Initial execution: user-initiated update activity (User Execution)
- Masquerading / obfuscation: deceptive naming and encoded components
- Side-loading / injection: DLL side-loading and process injection tradecraft
- C2 and exfiltration: outbound web-based C2, encrypted channels, possible exfiltration
- Persistence: registry run keys / Windows service modification
Reference IoCs and TTPs
This hunt leveraged IoCs and TTPs as provided by Rapid7 (hashes, IPs, domains) and mapped behaviours aligned to MITRE ATT&CK techniques including:
T1204.002, T1036, T1027, T1140, T1574.002, T1055, T1105, T1071.001, T1547.001, T1543.003, T1070.004 (among others).
Data Sources and Visibility
This hunt used available security telemetry (subject to retention constraints), including:
- Endpoint process execution telemetry (process name, command line, parent/child)
- File events where available (creation/execution, hash where available)
- DNS and proxy / network telemetry for domain lookups and outbound connections
- EDR and SIEM correlation where applicable
Important: Microsoft Sentinel default retention is commonly 90 days. This materially limits retrospective validation for time windows beyond retention for some log types unless extended retention is configured.
Hunt Methodology
- Establish exposure baseline: enumerate devices/users with Notepad++ installed and identify update activity within the last year.
- IOC-driven validation: search for known malicious hashes, IPs, and domains across endpoint and network logs.
- Behavioural hunting (IOA): pivot on gup.exe / update.exe execution to identify anomalous:
  - network connections,
  - process children and spawned binaries,
  - unusual execution paths or timing patterns.
- Triage and validation: where suspicious signals appear, validate via process lineage, reputation, prevalence, and corroborating telemetry.
Hunt Area
Exposure / Inventory Queries
- Query A: Identify users and endpoints with Notepad++ installed and whether it was updated in the last 12 months.
Indicator of Compromise (IOC) Queries
- Query B: Search for known malicious file hashes associated with the incident.
- Query C: Search for known malicious IP addresses:
  - 179.213.0
  - 4.102.97
  - 110.7.32
  - 222.137.114
- Query D: Search for known malicious domains:
  - api[.]skycloudcenter[.]com
  - api[.]wiresguard[.]com
Indicator of Attack (IOA) / Behavioural Hunts
- #1 — Suspicious network activity from gup.exe
- #2 — gup.exe spawning unexpected binaries
- #3 — gup.exe connecting to suspicious domains as part of update process
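The following KQL is an added example for the exposure baseline (Query A) and the IoC validation queries (B to D) described in the Hunt Methodology and Hunt Area sections; it is not the report's own query and assumes the Defender XDR tables (DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents) are ingested into Sentinel. The hash and IP values are placeholders to be replaced with the advisory's published list; the two domains are the ones listed above.

```kql
// Added example (not from the report): exposure baseline (Query A) and IoC
// validation (Queries B-D) against the Defender XDR tables in Sentinel.
let lookback = 365d;
// Devices where Notepad++ itself ran in the window, and who ran it.
let NppDevices =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "notepad++.exe"
    | summarize LastNppRun = max(Timestamp), Users = make_set(AccountName, 20) by DeviceName;
// Updater executions (gup.exe / update.exe) serve as the proxy for update activity.
let NppUpdates =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("gup.exe", "update.exe")
    | summarize LastUpdaterRun = max(Timestamp), UpdaterRuns = count() by DeviceName;
let Exposure =
    NppDevices
    | join kind=leftouter NppUpdates on DeviceName
    | extend UpdatedInWindow = isnotempty(LastUpdaterRun)
    | project DeviceName, Users, LastNppRun, LastUpdaterRun, UpdaterRuns, UpdatedInWindow;
// IoC lists: the hash and IP entries are placeholders, NOT real indicators.
let IocHashes  = dynamic(["<SHA256-FROM-ADVISORY>"]);
let IocIps     = dynamic(["<IP-FROM-ADVISORY>"]);
let IocDomains = dynamic(["api.skycloudcenter.com", "api.wiresguard.com"]);
let IocHits =
    union
      (DeviceFileEvents
       | where Timestamp > ago(lookback) and SHA256 in~ (IocHashes)
       | project Timestamp, DeviceName, Source = "file", Indicator = SHA256),
      (DeviceProcessEvents
       | where Timestamp > ago(lookback) and SHA256 in~ (IocHashes)
       | project Timestamp, DeviceName, Source = "process", Indicator = SHA256),
      (DeviceNetworkEvents
       | where Timestamp > ago(lookback)
       | where RemoteIP in (IocIps) or RemoteUrl has_any (IocDomains)
       | project Timestamp, DeviceName, Source = "network",
                 Indicator = iff(isempty(RemoteUrl), RemoteIP, RemoteUrl))
    | summarize Hits = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
        by DeviceName, Source, Indicator;
// One row per exposed device; IocHitCount > 0 is an immediate escalation.
// Note that workspace retention (commonly 90 days) caps the effective lookback.
Exposure
| join kind=leftouter (IocHits | summarize IocHitCount = sum(Hits) by DeviceName) on DeviceName
| extend IocHitCount = coalesce(IocHitCount, long(0))
| order by IocHitCount desc, UpdatedInWindow asc
```

DNS and proxy logs arrive in environment-specific tables (for example the DNS connector's DnsEvents), so the domain check is repeated there with the same IocDomains list.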
What We Observed
While no confirmed malicious activity was identified during this hunt, the engagement produced clear, evidence-based outcomes that would equally have surfaced an active threat had one been present. These outcomes validate defensive posture against a realistic and relevant threat model, rather than relying on assumptions.
Notepad++ exposure exists, but update coverage was limited during the risk window
Multiple users had Notepad++ installed across the environment; however, only ~30% had updated within the timeframe when the security issue was reported as observed.
- Why it matters: Lower update coverage can increase exposure duration if a compromised update channel were encountered, and it can complicate assurance activities when versions vary across the fleet.
No evidence of IoC presence (hashes, domains, IPs) in available telemetry
Across the searched telemetry sources and available retention windows, there was no evidence of:
- endpoints matching the provided malicious file hashes,
- outbound connections to the listed malicious IP addresses,
- DNS/proxy activity involving the listed malicious domains.
Outcome: This reduces the likelihood that the environment was impacted by the reported WinGup compromise based on known published indicators.
gup.exe behaviour did not indicate malicious update activity
The gup.exe-focused behavioural hunts did not identify patterns consistent with malicious update execution, including:
- no suspicious outbound network activity attributable to gup.exe,
- no anomalous child process spawning linked to gup.exe indicative of staging/execution,
- no connections to suspicious domains as part of an update workflow.
Outcome: No behavioural evidence was found to suggest updater-driven compromise.
Retention constraints limit long lookback assurance without extended retention
Where validation required checking activity potentially outside current log retention windows, confidence relies on the completeness of retained telemetry. With Sentinel’s common 90-day default retention, full retrospective coverage for “last year” validation is reduced unless extended retention is enabled for key logs.
Outcome: The current result is high confidence within observed timeframes for different customers, but longer-dwell assurance improves with extended retention.
Key Insight for Leadership
This hunt converted a high-profile supply chain concern into a measured, evidence-based outcome:
- The environment does have Notepad++ installed across multiple endpoints, and patch/update coverage during the relevant window was limited.
- Despite that exposure, there is no observable evidence (IoCs or behaviours) indicating that the compromised WinGup updater was leveraged within the client environment based on available telemetry.
This provides assurance while also highlighting a clear improvement area: update compliance and longer-term log retention to support future retrospective investigations.
Defensive Recommendations
Based on the outcomes of this hunt, the following recommendations are directly grounded in observed telemetry and validated exposure points, rather than generic best practices.
Note: Sentinel default retention is typically 90 days. It is recommended to enable extended retention of at least one year for key logs (device, network, authentication, DNS/proxy) to support investigations and threat hunts with longer dwell-time assumptions.
Improve third-party application update compliance and reporting
- Establish a managed update posture for high-usage third-party applications (including Notepad++) using enterprise packaging (e.g., MSI deployment) and compliance reporting.
- Track update success/failure and version distribution across the fleet.
Benefit: Reduces exposure windows and ensures faster response to supply chain advisories.
Standardise Notepad++ deployment configuration (minimise updater risk)
- For enterprise deployments, prefer the MSI package and consider disabling the auto-updater where operationally appropriate.
- Restrict installation sources to approved software channels.
Benefit: Reduces reliance on updater execution paths and limits unexpected update behaviour.
Implement targeted detections for suspicious updater tradecraft
- Add detections/analytics for:
  - gup.exe or update.exe initiating outbound connections to rare/unseen domains,
  - gup.exe spawning interpreters or LOLBins (e.g., cmd.exe, powershell.exe, rundll32.exe),
  - updater processes executing from non-standard or user-writable paths.
Benefit: Improves early warning capability for updater abuse and side-loading patterns.
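The following KQL is an added example, not the report's own analytic, that turns the three IOA hunts (#1 to #3 above) and the three detection bullets in this recommendation into one scheduled rule. It assumes the Defender XDR tables DeviceNetworkEvents and DeviceProcessEvents in Sentinel and the default Notepad++ install path; "rare/unseen" is implemented as "not contacted by the updater anywhere in the fleet during the prior 30 days".

```kql
// Added example (not from the report): one scheduled analytic covering IOA hunts
// #1-#3 and the three detection recommendations. Runs over the last day against
// a 30-day fleet-wide baseline of updater destinations.
let updaters = dynamic(["gup.exe", "update.exe"]);
let lolbins  = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                        "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"]);
// Baseline: every destination the updater reached fleet-wide in the prior 30 days
// (legitimate update hosts appear here after the first normal update cycle).
let KnownDests =
    DeviceNetworkEvents
    | where Timestamp between (ago(31d) .. ago(1d))
    | where InitiatingProcessFileName in~ (updaters)
    | extend Dest = iff(isempty(RemoteUrl), RemoteIP, RemoteUrl)
    | distinct Dest;
// 1) Updater contacting a destination absent from the baseline (rare/unseen).
let NewDest =
    DeviceNetworkEvents
    | where Timestamp > ago(1d)
    | where InitiatingProcessFileName in~ (updaters)
    | extend Dest = iff(isempty(RemoteUrl), RemoteIP, RemoteUrl)
    | where Dest !in (KnownDests)
    | project Timestamp, DeviceName, Reason = "updater_new_destination",
              Detail = strcat(Dest, ":", tostring(RemotePort)), Path = InitiatingProcessFolderPath;
// 2) Updater spawning an interpreter or LOLBin (unexpected child lineage).
let LolbinChild =
    DeviceProcessEvents
    | where Timestamp > ago(1d)
    | where InitiatingProcessFileName in~ (updaters) and FileName in~ (lolbins)
    | project Timestamp, DeviceName, Reason = "updater_spawned_lolbin",
              Detail = ProcessCommandLine, Path = InitiatingProcessFolderPath;
// 3) Updater running outside the standard install path (user-writable or odd location).
//    Per-user or portable installs under AppData surface here by design.
let OddPath =
    DeviceProcessEvents
    | where Timestamp > ago(1d)
    | where FileName in~ (updaters)
    | where not(FolderPath has @"\Program Files\Notepad++\updater\"
             or FolderPath has @"\Program Files (x86)\Notepad++\updater\")
    | project Timestamp, DeviceName, Reason = "updater_nonstandard_path",
              Detail = ProcessCommandLine, Path = FolderPath;
union NewDest, LolbinChild, OddPath
| order by Timestamp desc
```

Map Reason to the escalation thresholds in the playbook below (for example, updater_spawned_lolbin as priority investigation, updater_new_destination as triage).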
Strengthen application allowlisting and execution controls for user-writable paths
- Where feasible, harden controls to reduce execution from user-writable directories (AppData/Temp/Downloads), especially for unsigned binaries and DLL loads.
- Validate controls against DLL side-loading opportunities aligned to T1574.002.
Benefit: Reduces attacker ability to stage payloads and side-load via legitimate processes.
Formalise a rapid “IoC to Hunt” playbook for supply chain events
- Create a repeatable process to ingest vendor/third-party IoCs (hash, domain, IP) into SIEM/EDR hunts within hours.
- Define escalation thresholds (e.g., hash match = incident; domain hit = triage; gup.exe unusual lineage = priority investigation).
Benefit: Shortens time-to-certainty when new public compromise reports emerge.
Compliance Contribution
From a governance and risk perspective, this hunt supports meeting various compliance controls in multiple regulations and compliance frameworks such as:
- A.5.24, A.5.25, A.5.26 in ISO 27001,
- CPS 234 ¶30(c), ¶32 in APRA CPS 234,
- Incident response controls in the Essential Eight,
- CC7.4, CC7.5 in SOC 2.
About Orro Group
Orro Group delivers proactive threat hunting, incident response, 24×7 security monitoring and security assurance services focused on real-world attacker behaviour. We help organisations move beyond alerts and build confidence in their defensive posture. Contact us for more information at https://orro.group/contact/