Posts by Florian Roth

Florian Roth ⚡️ on X: "Rapid7 dropped a write-up on the Notepad++ update-chain abuse and - finally - it comes with real IOCs - update.exe downloaded from 95.179.213[.]0 after notepad++.exe -> GUP.exe - file hashes for update.exe / log.dll / BluetoothService.exe / conf.c / libtcc.dll - network IOCs https://t.co/UlLkyZM6eC" / X

FYI we got some IOCs from @rapid7.com
x.com/cyb3rops/sta...

2 months ago 5 0 0 0
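The post names three kinds of indicators a defender can sweep for: the download IP 95.179.213[.]0, the dropped file names, and the process chain notepad++.exe -> GUP.exe -> update.exe. The script below is an added example, not Rapid7's or the poster's code, that refangs the IP and runs those indicators over a handful of constructed proxy, DNS and process-creation log lines; the log formats, host names and paths are invented for illustration. File-name hits alone are low confidence (update.exe is a generic name), so they are reported separately from the IP and chain matches and would normally be confirmed against the hashes in the write-up.

```python
"""Sweep proxy, DNS and process-creation logs for the Notepad++ update-chain
IOCs listed in the post. Added example, not Rapid7's or the poster's code;
the log formats and the sample lines below are constructed for illustration."""
import ipaddress
import re
from dataclasses import dataclass

# IOCs taken from the post. The IP is given defanged ("[.]"); refang it once
# so it can be compared with what real logs contain.
DEFANGED_IP = "95.179.213[.]0"
IOC_IP = ipaddress.ip_address(DEFANGED_IP.replace("[.]", "."))
IOC_FILES = {"update.exe", "log.dll", "bluetoothservice.exe", "conf.c", "libtcc.dll"}
# Parent -> child pair from the chain described in the post (GUP.exe -> update.exe).
IOC_CHAIN = ("gup.exe", "update.exe")

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FILE_RE = re.compile(r"[\w.+-]+\.(?:exe|dll|c)\b", re.IGNORECASE)
# Constructed process-log layout: "ParentImage=<path> Image=<path>" at line end.
CHAIN_RE = re.compile(r"ParentImage=(?P<parent>.+?) Image=(?P<image>.+)$")

# Constructed sample log lines (hosts, users and paths are invented).
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z proxy user=alice dst=updates.example.invalid:443 GET /update",
    "2024-01-01T10:00:02Z proxy user=alice dst=95.179.213.0:80 GET /update.exe",
    "2024-01-01T10:00:03Z dns client=10.0.0.5 q=example.com a=93.184.216.34",
    "2024-01-01T10:00:05Z proc host=ws01 ParentImage=C:\\Program Files\\Notepad++\\updater\\GUP.exe Image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
    "2024-01-01T10:00:09Z proc host=ws01 ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe Image=C:\\ProgramData\\BluetoothService.exe",
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # "ip", "file" or "chain"
    indicator: str


def _basename(path):
    """Last path component, lower-cased, for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path.strip())[-1].lower()


def scan_line(line_no, line):
    """Return every IOC hit found in one log line."""
    hits = []
    for ip_text in IP_RE.findall(line):
        try:
            if ipaddress.ip_address(ip_text) == IOC_IP:
                hits.append(Hit(line_no, "ip", ip_text))
        except ValueError:   # e.g. 999.1.1.1 looks like an address but is not one
            continue
    # File names: compare case-insensitively, one hit per distinct name per line.
    for name in sorted({m.lower() for m in FILE_RE.findall(line)} & IOC_FILES):
        hits.append(Hit(line_no, "file", name))
    # Process chain: parent and child basenames must both match.
    m = CHAIN_RE.search(line)
    if m and (_basename(m["parent"]), _basename(m["image"])) == IOC_CHAIN:
        hits.append(Hit(line_no, "chain", " -> ".join(IOC_CHAIN)))
    return hits


def scan_logs(lines):
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


def summarize(hits):
    """Count hits per indicator kind so low-confidence file-name hits stand apart."""
    counts = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for h in found:
        print(f"line {h.line_no}: {h.kind:5} {h.indicator}")
    print(summarize(found))
```

On the constructed sample the IP and the GUP.exe -> update.exe chain each produce one hit, while the generic file names produce four; in a real sweep the IP and chain matches are the ones worth paging on, and the file-name matches are pivots to confirm with the hashes from the write-up.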

Write-up says update traffic was selectively redirected to attacker-controlled servers & hints at a CN state group

If that’s the case, there must be at least some infra IOCs: IPs/FQDNs, redirect URL

Even if you don’t have package hashes, can you share infra IOCs so people can check proxy/DNS logs?

2 months ago 24 0 1 0

Never give up! We got your back

1 year ago 1 0 0 0
Post image

🫶😹

1 year ago 0 0 0 0
Post image
1 year ago 23 1 0 1