
Kaspersky Uncovers Sophisticated Supply-Chain Attack Exploiting Notepad++ Vulnerabilities

Saturday 7 February 2026 10:51

Kaspersky, through its Global Research and Analysis Team (GReAT), has uncovered a highly sophisticated cyberattack campaign that exploited vulnerabilities in the software supply chain of Notepad++, marking one of the most serious threats to widely used development tools relied upon by developers and IT organizations worldwide.

Although the confirmed attacks targeted entities in Asia and Latin America, Kaspersky warned that the nature and complexity of the campaign pose a direct and relevant threat to Middle Eastern governments, financial institutions, and critical service providers, which heavily depend on popular software tools within digital work environments.

Multi-Stage Campaign with Unprecedented Infection Chains

According to GReAT researchers, the attackers compromised a government organization in the Philippines, a financial institution in El Salvador, and an IT services provider in Vietnam, in addition to individual users across three different countries. The campaign employed at least three distinct infection chains, two of which had never been publicly documented before.

Kaspersky revealed that the threat actors continuously modified their malware, command-and-control (C2) infrastructure, and distribution techniques on an almost monthly basis between July and October 2025. The attack chain previously reported in public disclosures represents only the final stage of a much longer and more complex operation.

Compromised Update Infrastructure and Delayed Detection

On February 2, 2026, the developers of Notepad++ confirmed a breach of the software’s update infrastructure caused by a security incident at a hosting service provider. However, earlier reports focused solely on the malware discovered in October 2025, overlooking the distinct indicators of compromise used between July and September.

Kaspersky noted that each attack chain relied on different malicious IP addresses, domains, payloads, and execution methods. As a result, organizations that scanned their systems using only the indicators associated with the October incident may have entirely missed earlier infections. The company confirmed that its security solutions successfully blocked all identified attacks in real time.

Warning to Cybersecurity Defenders

Georgy Kucherin, Senior Security Researcher at Kaspersky’s GReAT, stated:

“Defenders who checked their systems only against known indicators and found nothing should not assume they are safe. The infrastructure used between July and September was completely different in terms of IP addresses, domains, and file hashes. Given the attackers’ constant tool changes, additional undiscovered infection chains cannot be ruled out.”

Serious Implications for the Middle East

While no confirmed victims were located in the Middle East, Kaspersky emphasized that the campaign mirrors the types of threats facing the region’s governments, banks, and critical infrastructure providers. The widespread reliance on developer tools and IT management platforms—combined with rapid digital transformation initiatives—significantly increases the risk and stealth of supply-chain attacks.

The company stressed that incidents occurring in distant regions may expose local weaknesses in software trust models, update verification mechanisms, and long-term threat monitoring capabilities.

Technical Details and Indicators of Compromise

Kaspersky’s GReAT team published a comprehensive list of indicators of compromise, including six hashes of malicious updater files, 14 command-and-control server URLs, and eight previously unreported malware file hashes. The full technical analysis is available on Securelist.