Kaspersky GReAT (Global Research and Analysis Team of Kaspersky Lab) has revealed new details about the cyberattack on the popular open-source Notepad++ text editor for Windows. According to experts, the attack lasted from summer to December 2025.
According to Kaspersky GReAT, only one infection chain, discovered in October 2025, was initially known. It has since emerged that the attackers used at least three different infection chains, two of which were previously undocumented.
From July to September, the attackers' infrastructure changed completely every month: they rewrote the infection chain and replaced the malicious IP addresses, domains, and payloads. This allowed them to remain undetected and made signs of infection difficult to find. The targets of the attack were IT service providers, government agencies, and financial organizations in Australia, Latin America, and Southeast Asia.
Georgy Kucherin, an expert at Kaspersky GReAT, emphasized that organizations that have checked their systems against known indicators of compromise (IoC) and have not found signs of infection should not consider themselves safe. He pointed out that from July to September, the attackers' infrastructure was completely different, and called for a more thorough check of systems.