Suspicious Child Process of Notepad++ Updater - GUP.Exe

Rule Info

Name: Suspicious Child Process of Notepad++ Updater - GUP.Exe
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects suspicious child process creation by the Notepad++ updater process (gup.exe). This could indicate potential exploitation of the updater component to deliver unwanted malware.
Date: 2026-02-03 00:00:00
Modified: None
Id: bb0e87ce-c89f-4857-84fa-095e4483e9cb
Tags: attack.collection attack.credential-access attack.t1195.002 attack.initial-access attack.t1557
Type: Community Rule

Rule History

Author: Swachchhanda Shrawan Poudel
Title: Merge PR #5854 from @swachchhanda000 - Add Notepad++ Infrastructure Abuse Rules
Date: 2026-02-04
Commit: