title: Suspicious Child Process of Notepad++ Updater - GUP.Exe
id: bb0e87ce-c89f-4857-84fa-095e4483e9cb
status: experimental
description: |
    Detects suspicious child process creation by the Notepad++ updater process (gup.exe).
    This could indicate potential exploitation of the updater component to deliver unwanted malware.
references:
    - https://notepad-plus-plus.org/news/v889-released/
    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
    - https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-03
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1195.002
    - attack.initial-access
    - attack.t1557
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\gup.exe'
    selection_child_img:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\mshta.exe'
    selection_child_cli:
        CommandLine|contains:
            - 'bitsadmin'
            - 'certutil'
            - 'curl'
            - 'finger'
            - 'forfiles'
            - 'regsvr32'
            - 'rundll32'
            - 'wget'
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Unlikely
level: high

title: Uncommon File Created by Notepad++ Updater Gup.EXE
id: 3b8f4c92-6a51-4d7e-9c3a-8e2d1f5a7b09
status: experimental
description: |
    Detects when the Notepad++ updater (gup.exe) creates files in suspicious or uncommon locations.
    This could indicate potential exploitation of the updater component to deliver unwanted malware or unwarranted files.
references:
    - https://notepad-plus-plus.org/news/v889-released/
    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
    - https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-03
modified: 2026-03-16
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1195.002
    - attack.initial-access
    - attack.t1557
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\gup.exe'
    filter_main_legit_paths:
        TargetFilename|startswith:
            - 'C:\Program Files\Notepad++\'
            - 'C:\Program Files (x86)\Notepad++\'
    filter_main_temp_update_installer:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - 'npp.'
            - '.Installer.'
            - '.exe'
    filter_main_temp_generic_zip:
        TargetFilename|startswith: 'C:\Users\'
        TargetFilename|contains|all:
            - '\AppData\Local\Temp\'
            - '.zip'
    filter_main_recycle_bin:
        TargetFilename|startswith: 'C:\$Recycle.Bin\S-1-5-21'
    filter_main_plugins:
        - TargetFilename|contains:
              - '\plugins\JsonTools\testfiles\'
              - '\Notepad++\plugins\ComparePlugin\'
        - TargetFilename|contains|all:
              - 'npp.'
              - '.portable.'
              - '\plugins\'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Custom or portable Notepad++ installations in non-standard directories.
    - Legitimate update processes creating temporary files in unexpected locations.
level: high

title: Notepad++ Updater DNS Query to Uncommon Domains
id: 2074e137-1b73-4e2d-88ba-5a3407dbdce0
status: experimental
description: |
    Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure.
    This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
references:
    - https://notepad-plus-plus.org/news/v889-released/
    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
    - https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-02
modified: 2026-03-16
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1195.002
    - attack.initial-access
    - attack.t1557
logsource:
    category: dns_query
    product: windows
detection:
    selection:
        Image|endswith: '\gup.exe'
    filter_main_notepad_legit_domain:
        QueryName: 'notepad-plus-plus.org'
    filter_optional_sourceforge_legit_domain:
        QueryName|endswith: '.sourceforge.net'
    filter_optional_github_legit_domain:
        - QueryName|endswith: '.githubusercontent.com'
        - QueryName: 'github.com'
    filter_optional_google_storage_legit_domain:
        QueryName|endswith: '.googleapis.com'
    filter_optional_uncommon_domains:
        QueryName|endswith:
            - '.azurewebsites.net'
            - 'block.opendns.com'
            - 'gateway.zscalerthree.net'
    # Add other known legitimate domains if any
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Some legitimate network misconfigurations or proxy issues causing unexpected DNS queries.
    - Other legitimate query to official domains not listed in the filter, needing tuning.
level: medium # can be upgraded to high after tuning with known legitimate DNS queries