Detects suspicious child process creation by the Notepad++ updater process (gup.exe). This could indicate potential exploitation of the updater component to deliver unwanted malware.
```yaml
title: Suspicious Child Process of Notepad++ Updater - GUP.Exe
id: bb0e87ce-c89f-4857-84fa-095e4483e9cb
status: experimental
description: |
    Detects suspicious child process creation by the Notepad++ updater process (gup.exe).
    This could indicate potential exploitation of the updater component to deliver unwanted malware.
references:
    - https://notepad-plus-plus.org/news/v889-released/
    - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
    - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
    - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
    - https://securelist.com/notepad-supply-chain-attack/118708/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2026-02-03
tags:
    - attack.collection
    - attack.credential-access
    - attack.t1195.002
    - attack.initial-access
    - attack.t1557
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\gup.exe'
    selection_child_img:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cscript.exe'
            - '\wscript.exe'
            - '\mshta.exe'
    selection_child_cli:
        CommandLine|contains:
            - 'bitsadmin'
            - 'certutil'
            - 'curl'
            - 'finger'
            - 'forfiles'
            - 'regsvr32'
            - 'rundll32'
            - 'wget'
    condition: selection_parent and 1 of selection_child_*
falsepositives:
    - Unlikely
level: high
```
```kql
imProcessCreate
| where (ParentProcessName endswith "\\gup.exe" or ActingProcessName endswith "\\gup.exe")
    and (
        (TargetProcessName endswith "\\cmd.exe"
            or TargetProcessName endswith "\\powershell.exe"
            or TargetProcessName endswith "\\pwsh.exe"
            or TargetProcessName endswith "\\cscript.exe"
            or TargetProcessName endswith "\\wscript.exe"
            or TargetProcessName endswith "\\mshta.exe")
        or (TargetProcessCommandLine contains "bitsadmin"
            or TargetProcessCommandLine contains "certutil"
            or TargetProcessCommandLine contains "curl"
            or TargetProcessCommandLine contains "finger"
            or TargetProcessCommandLine contains "forfiles"
            or TargetProcessCommandLine contains "regsvr32"
            or TargetProcessCommandLine contains "rundll32"
            or TargetProcessCommandLine contains "wget")
    )
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
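As an added example (not part of the rule above or of any SigmaHQ/pySigma tooling), the following Python evaluator applies this rule's condition, `selection_parent and 1 of selection_child_*`, to a few constructed `process_creation` events so you can see which parent/image/command-line combinations fire and which do not. Field names follow the Sigma Windows `process_creation` schema; the sample paths and command lines are placeholders, and the evaluator lowercases values because Sigma string modifiers match case-insensitively.

```python
# Minimal evaluator for the gup.exe child-process rule (added example, not
# the rule's own code). Event field names follow Sigma's Windows
# process_creation schema (ParentImage, Image, CommandLine).
SUSPICIOUS_IMAGES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe",
                     "\\cscript.exe", "\\wscript.exe", "\\mshta.exe")
SUSPICIOUS_CLI = ("bitsadmin", "certutil", "curl", "finger",
                  "forfiles", "regsvr32", "rundll32", "wget")


def matches_rule(event: dict) -> bool:
    """True when 'selection_parent and 1 of selection_child_*' holds.
    Sigma string matching is case-insensitive, hence the lowercasing."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cli = event.get("CommandLine", "").lower()
    selection_parent = parent.endswith("\\gup.exe")
    selection_child_img = image.endswith(SUSPICIOUS_IMAGES)
    selection_child_cli = any(tok in cli for tok in SUSPICIOUS_CLI)
    # "1 of selection_child_*" == at least one child selection matches
    return selection_parent and (selection_child_img or selection_child_cli)


# Constructed sample events; paths and arguments are placeholders.
SAMPLE_EVENTS = [
    {   # expected benign update flow: gup.exe runs the installer -> no alert
        "ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe",
        "Image": r"C:\Users\alice\AppData\Local\Temp\npp.Installer.x64.exe",
        "CommandLine": r"npp.Installer.x64.exe /S",
    },
    {   # listed script/command interpreter as child -> selection_child_img
        "ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c echo placeholder",
    },
    {   # image not in the list, but a listed name on the command line
        "ParentImage": r"C:\Program Files\Notepad++\updater\gup.exe",
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": r"certutil.exe <placeholder arguments>",
    },
    {   # same child image, but the parent is not gup.exe -> no alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\powershell.exe",
        "CommandLine": r"powershell.exe",
    },
]


def evaluate(events=SAMPLE_EVENTS) -> list:
    """Return the indices of events that satisfy the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    print(evaluate())  # [1, 2]
```

The first event is the reason the rule filters on child image and command line rather than alerting on every gup.exe child: the legitimate updater does spawn a process (the downloaded installer), so that case must stay quiet.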
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of way
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https:/
Use these Atomic Red Team tests to validate this detection fires correctly: