Sophisticated cyberattack after Notepad++ supply chain breach

NGUYỄN ĐĂNG

Vietnam, the Philippines and El Salvador are among the countries where the Notepad++ supply chain compromise was used to carry out cyber attacks.

This is the latest finding from experts of Kaspersky's Global Research and Analysis Team (GReAT). According to them, the attack chains stemming from the compromise of the Notepad++ supply chain (a free source code editor favored by many users) hit information technology service providers in Vietnam, a government agency in the Philippines, a financial organization in El Salvador and many individual users in those three countries. The attack group deployed at least three different infection chains, two of which had never been recorded before.

During their monitoring, cybersecurity experts noticed that the hacker group continuously changed and upgraded its attack toolkit. From July to October 2025, the malware, the command-and-control (C&C) server infrastructure and even the distribution methods were changed almost every month, showing the attacker's very high level of investment and adaptability. The attack chain announced earlier is therefore only part of a much longer and more complex campaign.

In early February 2026, the Notepad++ developers revealed that their update infrastructure had been compromised as a result of an incident at their storage service provider. Earlier public reports focused only on the malware detected in October 2025, leaving organizations unaware of the other indicators of intrusion used from July to September.

Each attack chain uses different malicious IP addresses, domain names and malware activation methods. Organizations that review their systems only against the indicators of compromise recorded in October are therefore likely to have completely missed the earlier infections. Kaspersky's solutions detected and blocked all of the identified attacks at the time they occurred.

Mr. Georgy Kucherin, a security expert at Kaspersky's Global Research and Analysis Team, said: "The infrastructure that the attacking group used in the period from July to September was completely different, from IP addresses, domain names to the hash code of files. With such rotation of tools, we cannot rule out the possibility that there are still other attack chains that have not been detected."

Kaspersky's cybersecurity experts have also released a full list of indicators of compromise, including six hashes of malicious updates, 14 command-and-control (C&C) server URLs and eight hashes of malicious files that had never been recorded before.