Suspicious Child Process of Notepad++ Updater - GUP.Exe

Original Source: [Sigma source]
Title: Suspicious Child Process of Notepad++ Updater - GUP.Exe
Status: experimental
Description: Detects suspicious child processes spawned by the Notepad++ updater process (gup.exe). This can indicate exploitation of the updater component to deliver malware.
References:
  - https://notepad-plus-plus.org/news/v889-released/
  - https://www.heise.de/en/news/Notepad-updater-installed-malware-11109726.html
  - https://www.rapid7.com/blog/post/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit/
  - https://www.validin.com/blog/exploring_notepad_plus_plus_network_indicators/
  - https://securelist.com/notepad-supply-chain-attack/118708/
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Date: 2026-02-03
Modified: None
Tags:
  • attack.collection
  • attack.credential-access
  • attack.t1195.002
  • attack.initial-access
  • attack.t1557
Logsource:
  • category: process_creation
  • product: windows
Detection:
  selection_parent:
    ParentImage|endswith: '\gup.exe'
  selection_child_img:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cscript.exe'
      - '\wscript.exe'
      - '\mshta.exe'

  selection_child_cli:
    CommandLine|contains:
      - 'bitsadmin'
      - 'certutil'
      - 'curl'
      - 'finger'
      - 'forfiles'
      - 'regsvr32'
      - 'rundll32'
      - 'wget'

  condition: selection_parent and 1 of selection_child_*
False positives:
  - Unlikely
Level: high
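To show how the condition `selection_parent and 1 of selection_child_*` evaluates in practice, the following is an added example (not part of the Sigma rule or of any Sigma backend) that re-implements the rule's three selections in plain Python and runs them over a handful of constructed `process_creation` records. The event dictionaries, file paths and command lines are made up for this illustration and are not real telemetry; the field names follow the Sigma `process_creation` taxonomy used by the rule.

```python
"""Evaluate the gup.exe child-process Sigma logic against constructed events.

Added example, not part of the Sigma rule page. The event records below are
constructed test data modelled on process_creation fields, not real telemetry.
"""

from typing import Dict, List

# selection_parent: ParentImage|endswith '\gup.exe'
PARENT_SUFFIX = r"\gup.exe"

# selection_child_img: Image|endswith (any of these)
CHILD_IMAGE_SUFFIXES = (
    r"\cmd.exe", r"\powershell.exe", r"\pwsh.exe",
    r"\cscript.exe", r"\wscript.exe", r"\mshta.exe",
)

# selection_child_cli: CommandLine|contains (any of these)
CHILD_CLI_TOKENS = (
    "bitsadmin", "certutil", "curl", "finger",
    "forfiles", "regsvr32", "rundll32", "wget",
)

# Constructed sample events (made up for this example, not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # 0: the normal update flow, gup.exe launches the downloaded installer
        "ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe",
        "Image": r"C:\Users\alice\AppData\Local\Temp\npp_installer.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Temp\npp_installer.exe"',
    },
    {   # 1: gup.exe spawning PowerShell; matches selection_child_img
        "ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -NoProfile -Command "Get-Date"',
    },
    {   # 2: gup.exe spawning certutil; Image is not in the image list, but
        #    the CommandLine token matches selection_child_cli
        "ParentImage": r"C:\Program Files\Notepad++\updater\GUP.exe",
        "Image": r"C:\Windows\System32\certutil.exe",
        "CommandLine": "CertUtil -dump",
    },
    {   # 3: cmd.exe under a different parent; selection_parent fails
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
    },
]


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True if the event satisfies
    'selection_parent and 1 of selection_child_*'.

    Sigma string comparisons are case-insensitive by default, so every
    field is lower-cased before the suffix and substring tests.
    """
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cli = event.get("CommandLine", "").lower()

    if not parent.endswith(PARENT_SUFFIX):
        return False  # selection_parent is mandatory

    child_img = any(image.endswith(s) for s in CHILD_IMAGE_SUFFIXES)
    child_cli = any(tok in cli for tok in CHILD_CLI_TOKENS)
    # "1 of selection_child_*": at least one of the child selections must hit
    return child_img or child_cli


def matching_indices(events: List[Dict[str, str]]) -> List[int]:
    """Indices of the events that would raise this alert."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


if __name__ == "__main__":
    for i in matching_indices(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {e['ParentImage']} -> {e['CommandLine']}")
```

Two properties of the rule are visible in the sample: the ordinary update path (gup.exe launching the downloaded installer, event 0) produces no alert because neither child selection fires, and the `contains` modifier is a plain substring test, so event 2 alerts on the command line even though `certutil.exe` is absent from the `Image|endswith` list. When porting the rule to a backend, confirm that its string matching is case-insensitive as Sigma specifies; otherwise `GUP.exe` and `CertUtil` in the events above would be missed.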