
Kaspersky Reveals Hidden Attack Chains in Notepad++ Supply Chain Breach

KHADAMATYNEW

Kaspersky’s Global Research and Analysis Team (GReAT) has uncovered a sophisticated supply-chain compromise involving the widely used Notepad++ software. While confirmed incidents were detected in organizations across Asia and Latin America, the findings raise serious concerns for governments, financial institutions and service providers in the Middle East that rely heavily on popular software tools.

According to Kaspersky researchers, attackers targeted a government entity in the Philippines, a financial institution in El Salvador, an IT service provider in Vietnam, as well as individual users in three different countries. The campaign involved at least three separate infection chains, two of which remain undisclosed to the public.

The investigation revealed that between July and October 2025, the threat actors repeatedly modified their malware, command-and-control (C2) infrastructure and delivery mechanisms on an almost monthly basis. Notably, the only attack chain previously documented publicly represents just the final stage of a much longer and more complex operation.

On February 2, 2026, the Notepad++ development team confirmed that its update infrastructure had been compromised following a security incident involving its hosting provider. However, earlier reports focused solely on malware detected in October 2025, leaving organizations unaware that entirely different indicators of compromise (IoCs) were used during the July–September period.

Each attack chain relied on distinct malicious IP addresses, domain names, execution techniques and payloads. As a result, organizations that limited their investigations to the October IoCs may have failed to detect earlier infections. Kaspersky solutions successfully blocked all identified attacks at the time they occurred.

“Defenders who scanned their environments using only the publicly known indicators and found no evidence of compromise should not assume they are safe,” said Georgy Kucherin, Senior Security Researcher at Kaspersky GReAT. “The infrastructure used between July and September was completely different — different IP addresses, domains and file hashes. Given how frequently the attackers changed their tools, additional undiscovered attack chains cannot be ruled out.”
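The detection gap the article describes, a sweep that uses only the October indicators and therefore cannot see activity tied to the July–September infrastructure, can be illustrated with a small log sweep. The following is an added example written for this page, not code from Kaspersky or the Notepad++ project; every indicator value in it is a constructed placeholder (RFC 5737 documentation addresses and example.* domains), and the log lines are constructed too. It keeps one indicator set per campaign period, matches DNS and proxy records against all of them, and reports which hits a sweep restricted to a single period would have missed.

```python
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class IocSet:
    """Indicators attributed to one period of the campaign."""
    name: str
    ips: frozenset
    domains: frozenset


# Constructed placeholder indicator sets, one per infection-chain period.
# RFC 5737 addresses and example.* domains: these are NOT real IoCs.
IOC_SETS = (
    IocSet("jul-aug", frozenset({"192.0.2.10"}),
           frozenset({"cdn-update.example.net"})),
    IocSet("sep", frozenset({"198.51.100.23"}),
           frozenset({"static-assets.example.org"})),
    IocSet("oct-public", frozenset({"203.0.113.44"}),
           frozenset({"mirror-files.example.com"})),
)

# Constructed sample DNS/proxy log lines. The first three touch only the
# July-September placeholders, so an October-only sweep reports nothing for them.
SAMPLE_LOG = """\
2025-07-14T09:12:03Z dns src=10.0.0.5 query=cdn-update.example.net
2025-08-02T11:40:55Z proxy src=10.0.0.7 dst=192.0.2.10:443
2025-09-18T14:05:10Z proxy src=10.0.0.8 dst=198.51.100.23:443
2025-10-21T16:03:11Z proxy src=10.0.0.9 dst=203.0.113.44:443
2025-10-22T08:15:00Z dns src=10.0.0.9 query=intranet.corp.example
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+ (?P<kind>\w+) (?P<kv>.*)$")


def parse_line(line):
    """Return (date, {key: value}) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    day = date.fromisoformat(m.group("ts"))
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    return day, fields


def indicators_in(fields):
    """Collect the candidate indicators (queried domain, destination IP) from one record."""
    found = set()
    if "query" in fields:
        found.add(fields["query"].lower())
    if "dst" in fields:
        found.add(fields["dst"].rsplit(":", 1)[0])  # strip the port
    return found


def sweep(log_text, ioc_sets):
    """Match every line against every IoC set; return [(day, set_name, indicator)]."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        day, fields = parsed
        seen = indicators_in(fields)
        for s in ioc_sets:
            for ioc in sorted(seen & (s.ips | s.domains)):
                hits.append((day.isoformat(), s.name, ioc))
    return hits


def missed_by(log_text, ioc_sets, only_names):
    """Hits that a sweep restricted to the named IoC sets would NOT have surfaced."""
    full = sweep(log_text, ioc_sets)
    partial = sweep(log_text, [s for s in ioc_sets if s.name in only_names])
    return [h for h in full if h not in partial]


if __name__ == "__main__":
    for day, name, ioc in sweep(SAMPLE_LOG, IOC_SETS):
        print(f"{day} [{name}] {ioc}")
    gap = missed_by(SAMPLE_LOG, IOC_SETS, {"oct-public"})
    print(f"{len(gap)} hit(s) an October-only sweep would have missed")
```

The design point is that indicator sets are kept separate per period rather than merged, so a sweep can be re-run against a newly published set and the report shows exactly which earlier activity the previous sweep could not have seen; swap the placeholder sets for vendor-published IoCs and point `SAMPLE_LOG` at real DNS or proxy exports to use it in practice.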

Although confirmed victims were located outside the Middle East, the campaign closely mirrors the threat landscape facing governments, banks and critical service providers in the region. The widespread use of developer tools and IT management software, coupled with rapid digital transformation initiatives, makes similar supply-chain attacks both plausible and challenging to detect.