December 3, 2023

Researchers have revealed that threat actors may abuse Notepad++ plugins to bypass security mechanisms and achieve persistence on victim machines.

A security researcher who goes by the name RastaMouse demonstrated how to build a malicious plugin that can be used as a persistence mechanism, as described in an advisory.


The plugin pack itself is just a .NET package for Visual Studio that provides a basic template for building plugins. APT groups have leveraged Notepad++ plugins for nefarious purposes in the past.

The StrongPity APT group is known to leverage a legitimate Notepad++ installer bundled with malicious executables, allowing it to persist on a machine after a reboot. This backdoor enables the threat actor to install a keylogger on the machine and communicate with a C2 server to exfiltrate the keylogger's output.

Using the C# programming language, the security experts created a dynamic link library (DLL) that runs a PowerShell command on the first key press inside Notepad++.

They then executed Notepad++ as 'administrator' and re-ran the payload, effectively achieving administrative privileges on the affected system.


To mitigate this threat, the security experts said companies should monitor for unusual child processes of Notepad++ and pay special attention to child processes that are shells.
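The monitoring advice above can be turned into a simple detection rule. The following is an added example, not code from Cybereason or from the advisory: it reads constructed Sysmon-style process-creation events (Event ID 1 field names, records invented for illustration), finds every child process whose parent image is notepad++.exe, and rates the alert "high" when the child is a shell or script host. The shell list, the allowlist of expected children (Notepad++'s GUP.exe updater) and the sample events are this example's own assumptions.

```python
"""
Added detection example (not from the advisory): flag unusual, and
especially shell-type, child processes of Notepad++ in Sysmon-style
process-creation telemetry.
"""
import json
from pathlib import PureWindowsPath

# Assumption: shell / script-host image names that deserve a high-severity
# alert when spawned by a text editor. Extend to taste.
SHELL_IMAGES = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Assumption: child processes Notepad++ legitimately spawns (its updater).
EXPECTED_CHILDREN = {"gup.exe"}

# Constructed sample telemetry, one JSON object per line (Sysmon Event ID 1
# field names; values are made up). The PowerShell command line is redacted.
SAMPLE_EVENTS = r'''
{"EventID":1,"UtcTime":"2023-12-03 10:01:02.000","Image":"C:\\Program Files\\Notepad++\\notepad++.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"\"C:\\Program Files\\Notepad++\\notepad++.exe\" notes.txt","User":"CORP\\alice"}
{"EventID":1,"UtcTime":"2023-12-03 10:01:05.000","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Program Files\\Notepad++\\notepad++.exe","CommandLine":"powershell.exe -nop -w hidden -c <redacted>","User":"CORP\\alice"}
{"EventID":1,"UtcTime":"2023-12-03 10:02:00.000","Image":"C:\\Program Files\\Notepad++\\updater\\GUP.exe","ParentImage":"C:\\Program Files\\Notepad++\\notepad++.exe","CommandLine":"GUP.exe -v8.5","User":"CORP\\alice"}
{"EventID":1,"UtcTime":"2023-12-03 10:03:00.000","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"cmd.exe","User":"CORP\\bob"}
{"EventID":1,"UtcTime":"2023-12-03 10:04:00.000","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\Notepad++\\notepad++.exe","CommandLine":"cmd.exe /c whoami","User":"CORP\\bob"}
'''


def basename(win_path):
    """Lower-cased file name of a Windows path ('C:\\x\\Foo.EXE' -> 'foo.exe')."""
    return PureWindowsPath(win_path).name.lower()


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_children(events):
    """Return alerts for every process whose parent is notepad++.exe.

    Severity is 'high' for shell/script-host children, 'medium' for any
    other unexpected child; expected children (the updater) are ignored.
    """
    alerts = []
    for ev in events:
        if ev.get("EventID") != 1:          # only process-creation events
            continue
        if basename(ev.get("ParentImage", "")) != "notepad++.exe":
            continue
        child = basename(ev.get("Image", ""))
        if child in EXPECTED_CHILDREN:
            continue
        alerts.append({
            "time": ev.get("UtcTime"),
            "user": ev.get("User"),
            "child": child,
            "command_line": ev.get("CommandLine"),
            "severity": "high" if child in SHELL_IMAGES else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_children(parse_events(SAMPLE_EVENTS)):
        print(f"[{alert['severity']}] {alert['time']} {alert['user']} "
              f"notepad++.exe -> {alert['child']}: {alert['command_line']}")
```

Run against the constructed sample, the rule raises two high-severity alerts (the PowerShell and cmd.exe children of Notepad++), ignores the updater, and does not fire on the cmd.exe that explorer.exe started. In production the same logic maps directly onto a SIEM query keyed on ParentImage, and the high/medium split is what lets an analyst triage shell children first.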

This research was documented by researchers from Cybereason.

Indicators of Compromise

Npp_Persistence_Plugin.dll 90BC7FA90705148D8FFEEF9C3D55F349611905D3F7A4AD17B956CD7EE7A208AF
