Chinese hackers infiltrate systems via Notepad++


Chinese hackers used Notepad++ as a backdoor for months to install malware.

The update infrastructure of Notepad++, an open source alternative to Notepad, was compromised for six months, allowing attackers to distribute manipulated versions of the popular Windows text editor to targeted victims.

Targeted attacks via update channel

The developers confirm that attackers had been intercepting and redirecting update traffic to malicious servers since June of last year. Notepad++ only regained full control of its infrastructure in December. According to several security researchers, the trail leads to a Chinese-backed threat group.

According to a researcher quoted by Ars Technica, the attackers exploited weak verification in older update processes, which allowed them to send selected users to alternative download servers. From those servers a new backdoor was installed, giving the attackers remote control over the system for data theft.

Technical vulnerability

Notepad++ used its own updater, which retrieved update information from an XML file. By manipulating that traffic, attackers could change the download location the updater was told to use. Although more recent versions sign updates digitally, the check in older releases proved insufficiently robust.

The developers recommend manually installing at least version 8.9.1 via the official website. Organizations with stricter security requirements may consider blocking automatic updates or restricting network access for the updater.