Notepad++ Updater DNS Query to Uncommon Domains

Rule Info

Name: Notepad++ Updater DNS Query to Uncommon Domains
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects when the Notepad++ updater (gup.exe) makes DNS queries to domains that are not part of the known legitimate update infrastructure. This could indicate potential exploitation of the updater mechanism or suspicious network activity that warrants further investigation.
Date: 2026-02-02 00:00:00
Modified: None
Id: 2074e137-1b73-4e2d-88ba-5a3407dbdce0
Tags: attack.collection attack.credential-access attack.t1195.002 attack.initial-access attack.t1557
Type: Community Rule

Rule History

Author: Swachchhanda Shrawan Poudel
Title: Merge PR #5854 from @swachchhanda000 - Add Notepad++ Infrastructure Abuse Rules
Date: 2026-02-04
Commit: