StrongPity Malware Spread Using Malicious Notepad++ Installers

The Advanced Persistent Threat (APT) known as StrongPity is distributing malware-laced Notepad++ installers to infect their victims.

#APT #StrongPity NotePad++ installer(npp.8.1.7.Installer.x64.exe)

— blackorbird (@blackorbird) November 30, 2021

The method is not new as this sophisticated cybercrime organization (also referred to as APT-C-41 or Promethium) was noticed delivering malicious WinRAR installers in highly targeted operations between 2016 and 2018.

In 2016, StrongPity was detected by Kaspersky in a campaign that targeted specific users in Belgium and Italy who were interested in Truecrypt and Winrar software. These APT groups’ campaigns are not commonly seen but different research groups have detected several StrongPity campaigns over the years.


The latest enticement involves Notepad++, a widely used free text and source code editor, and a Notepad replacement that supports several languages.

Because the malware ‘conceals’ itself inside a reputable program that is often available within companies, this attack technique is extremely effective.

The Attack Explained

In the early phase of the attack, the user downloads and runs the “Notepad++” setup file. The threat actor adds an Original Notepad++ icon to the malicious file in order to make it more convincing for the target.

As explained by BleepingComputer, once the malicious file is executed, it generates a new folder called “WindowsData” under C:ProgramDataMicrosoft and drops

Read More: