Kaspersky Reveals Previously Undetected Attack Chains in Notepad++ Supply-Chain Compromise
Researchers from the Global Research and Analysis Team (GReAT) at Kaspersky have uncovered a complex and previously underreported supply-chain compromise of the update mechanism of Notepad++, the popular open-source text editor. The findings show that the exposure extends well beyond the initially reported incidents and is relevant to organizations in the Middle East.
According to Kaspersky GReAT, the campaign was observed targeting a range of entities, including a government organization in the Philippines, a financial institution in El Salvador, an IT service provider in Vietnam, and individual users across three different countries. The investigation revealed the use of at least three distinct infection chains, two of which had not been publicly documented prior to this disclosure.
Researchers found that the attackers operated with a high degree of sophistication, replacing their malware, command-and-control infrastructure, and delivery mechanisms roughly every month between July and October 2025. The attack chain that had previously been disclosed publicly represents only the final stage of a much longer and more intricate operation.
Notepad++ developers confirmed on February 2, 2026, that their update infrastructure had been compromised following an incident involving a third-party hosting provider. However, earlier public reports focused solely on malware activity detected in October 2025, leaving organizations unaware that entirely different indicators of compromise were used during the July–September period.
Each infection chain used its own malicious IP addresses, domain names, execution techniques, and payloads. As a result, organizations that limited their investigations to the indicators associated with the October attacks may have missed earlier compromises: a negative result against the October indicators says nothing about the July to September chains, and a hunt that covers them needs log and file history reaching back to July 2025. Kaspersky solutions blocked all identified attack attempts at the time they occurred.
“Defenders who checked their systems against the publicly known indicators of compromise and found nothing should not assume they are in the clear,” said Georgy Kucherin, Senior Security Researcher at Kaspersky GReAT. “The infrastructure used between July and September was completely different — different IPs, different domains, different file hashes. Given how frequently the attackers rotated their tooling, we cannot rule out the existence of additional, as-yet-undiscovered attack chains.”
While all confirmed victims were located outside the Middle East, Kaspersky experts warned that the techniques and tactics observed closely resemble the threats faced by governments, banks, and critical service providers across the region. The widespread reliance on commonly used developer tools and IT administration software, combined with accelerated digital transformation initiatives, increases both the likelihood and the potential impact of similar supply-chain attacks.
For Middle East organizations, the campaign underscores the importance of robust software trust models, strict verification of updates before they are installed, and continuous, long-term threat hunting. Kaspersky researchers emphasized that geographically distant incidents can still reveal significant blind spots in local cybersecurity defenses.
Kaspersky GReAT has published a comprehensive list of indicators of compromise, including six malicious updater hashes, 14 command-and-control URLs, and eight previously unreported malicious file hashes. The full technical analysis and complete IoC list are available on Securelist.