The information is shared on an as-is basis, reflecting the data available and observed at the time of investigation. The information below reflects attacker activity observed within our hosting environment. As the malicious Notepad++ update was not hosted on our infrastructure, we do not have visibility into the full attack chain of the Notepad++ incident or the potential impact on users affected by the malware. Because of the above, please consider the shared information as one input to your overall review of the Notepad++ incident. Please note that the following IOCs are provided and must be used solely to support incident response and defensive security measures (such as detecting, preventing, or mitigating malicious activity) related to the incident affecting your environment, and cannot be used for unrelated purposes.

1) Observed malicious actor infrastructure IPs

212[.]30[.]60[.]8
94[.]190[.]195[.]237
146[.]70[.]113[.]105
194[.]114[.]136[.]211
8[.]216[.]128[.]215
116[.]251[.]216[.]119
217[.]69[.]5[.]44
188[.]166[.]199[.]140
2001[:]19f0[:]6801[:]950[:]5400[:]5ff[:]feb2
61[.]4[.]102[.]97
172[.]233[.]246[.]7

Disclaimer and limitation: It is important to note that these IP addresses should not be considered definitive indicators of end-user compromise. The activity observed was associated with attacker access to, and attacks against, the hosting environment. These IPs may change frequently and may not correspond to any network activity on affected end-user systems that downloaded or executed the malicious installer.

2) User-Agent strings observed (used to communicate with the PHP tunnel created by the attacker)

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.3h
Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/53736 (KHTML, like Gecko) Chrome/109.1.2.3

3) Malicious PHP files identified on shared hosting (SHA-256)

.in.compat1.php — 02368c6b62cb392dddd35cfc6cb8c1154f7ebdceb9fb559cefc301982d6fbbf9
index1.php — 0dcd846cdfdc793fab39a3c9860e0f6ab68cdbdcf4b03a87e8a02df0d3e1249f
index.php — 5dd766a7a378c97eb8c9fe9a4bff678e3c9a05386911f4296e094407b99c23d2
suo5.php — 6a7a8aa91109c25d57fe2ca71c150ca09afc1bf10c98376adf959dbc91010394

Related tooling reference: https://github.com/zema1/suo5

4) Additional access pattern context (non-IOC)

For situational awareness, access to the attacker-controlled shared hosting accounts was observed from multiple geographic regions, including Taiwan, Vietnam, Singapore, Hong Kong, Japan, and China, using ProtonVPN. Different source IP addresses were used across sessions.
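The following is an added example of how a web host or site owner could sweep their own access logs and webroot for the indicators in sections 1 through 3. It is not code from the original notice. It refangs the IP list, matches the client IP, User-Agent and requested filename of each combined-format log line, and hashes every file under a directory against the SHA-256 list. The log lines and the temporary webroot it scans are constructed for the example; the IPv6 entry is published above with only seven groups, so it is compared as a prefix rather than an exact address. Per the disclaimer above, an IP hit on an end-user system is weak evidence on its own; the User-Agent and file hashes are the stronger indicators here.

```python
"""Sweep access logs and a webroot for the IOCs published in this notice."""
import hashlib
import os
import re
import tempfile

# IOCs copied from the notice, kept defanged so they cannot be clicked or resolved by accident.
IOC_IPS_DEFANGED = [
    "212[.]30[.]60[.]8", "94[.]190[.]195[.]237", "146[.]70[.]113[.]105",
    "194[.]114[.]136[.]211", "8[.]216[.]128[.]215", "116[.]251[.]216[.]119",
    "217[.]69[.]5[.]44", "188[.]166[.]199[.]140",
    "2001[:]19f0[:]6801[:]950[:]5400[:]5ff[:]feb2",  # listed with seven groups; matched as a prefix
    "61[.]4[.]102[.]97", "172[.]233[.]246[.]7",
]
IOC_USER_AGENTS = {
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.3h",
    "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/53736 (KHTML, like Gecko) Chrome/109.1.2.3",
}
IOC_SHA256 = {
    "02368c6b62cb392dddd35cfc6cb8c1154f7ebdceb9fb559cefc301982d6fbbf9": ".in.compat1.php",
    "0dcd846cdfdc793fab39a3c9860e0f6ab68cdbdcf4b03a87e8a02df0d3e1249f": "index1.php",
    "5dd766a7a378c97eb8c9fe9a4bff678e3c9a05386911f4296e094407b99c23d2": "index.php",
    "6a7a8aa91109c25d57fe2ca71c150ca09afc1bf10c98376adf959dbc91010394": "suo5.php",
}
# index.php is too common a name to flag by itself; the other three names are unusual enough to report.
SUSPECT_NAMES = {".in.compat1.php", "index1.php", "suo5.php"}


def refang(ioc: str) -> str:
    """Turn the defanged notation used above back into a matchable address."""
    return ioc.replace("[.]", ".").replace("[:]", ":")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}


def ip_matches(ip: str) -> bool:
    if ip in IOC_IPS:
        return True
    # IPv6 entries are compared as prefixes because the published one is incomplete.
    return any(":" in ioc and ip.startswith(ioc) for ioc in IOC_IPS)


# Apache/nginx "combined" format: client IP first, User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def match_log_line(line: str):
    """Return the list of indicator types a log line matches, or None if it is clean/unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hits = []
    if ip_matches(m["ip"]):
        hits.append("ip")
    if m["ua"] in IOC_USER_AGENTS:
        hits.append("user-agent")
    parts = m["request"].split()
    if len(parts) >= 2 and os.path.basename(parts[1].split("?", 1)[0]) in SUSPECT_NAMES:
        hits.append("path")
    return hits or None


def scan_log(text: str):
    """Return (line_number, client_ip, hits) for every matching line of an access log."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        hits = match_log_line(line)
        if hits:
            findings.append((n, line.split(" ", 1)[0], hits))
    return findings


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_webroot(root: str):
    """Return (path, sha256, reason) for files matching a listed hash or a suspect filename."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            digest = sha256_of(path)
            if digest in IOC_SHA256:
                findings.append((path, digest, "hash match: " + IOC_SHA256[digest]))
            elif name in SUSPECT_NAMES:
                findings.append((path, digest, "name-only match"))
    return findings


# Constructed sample log lines (not real traffic): one attacker-style line, one benign, one tunnel POST.
SAMPLE_LOG = """\
212.30.60.8 - - [01/Jan/2025:00:00:01 +0000] "POST /index1.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.3h"
203.0.113.5 - - [01/Jan/2025:00:00:02 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/128.0"
198.51.100.7 - - [01/Jan/2025:00:00:03 +0000] "POST /suo5.php HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/53736 (KHTML, like Gecko) Chrome/109.1.2.3"
"""


def demo_webroot_scan():
    """Build a throwaway webroot with an empty suo5.php and a benign file, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        open(os.path.join(root, "suo5.php"), "wb").close()
        with open(os.path.join(root, "about.html"), "wb") as f:
            f.write(b"<html></html>")
        return [(os.path.basename(p), d, r) for p, d, r in scan_webroot(root)]


if __name__ == "__main__":
    for n, ip, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {ip} matched {', '.join(hits)}")
    for name, digest, reason in demo_webroot_scan():
        print(f"{name}: {reason} ({digest})")
```

Run it against your real logs by replacing SAMPLE_LOG with the file contents and pointing scan_webroot at the document root of each hosted site; a hash match on any of the four files is a direct indicator, while a name-only hit on suo5.php or .in.compat1.php is worth opening by hand.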