Skip to content

Threat actors exploit the Notepad++ plugin to deliver malware

  • by
  • 3 min read

A sophisticated malware campaign aimed at users of Notepad++, a widely used text editor, through a modified version of the ‘mimeTools.dll’ plugin. This discovery underscores the evolving tactics used by cybercriminals to infiltrate systems and execute malicious activities.

The research reveals the presence of a modified version of ‘mimeTools.dll,’ an integral plugin within Notepad++ used for various file operations, including Base64 encoding. This altered mimeTools.dll was discreetly inserted into a specific version of the Notepad ++ package, masquerading as a legitimate component.

The malware capitalises on the automatic loading feature of mimeTool.dll, which activates upon launching Notepad++, to execute its malicious code. This automatic execution means that users unknowingly trigger the malware simply by opening the Notepad++ application without directly interacting with the compromised plug-in.

The malware employs advanced techniques to evade detection by anti-malware solutions, including indirect syscall methods that manipulate syscall execution paths. This evasion tactic allows the malware to bypass traditional monitoring mechanisms, emphasising the need for proactive cybersecurity measures.

Attack flow. | Source: ASEC

Upon activation, the malicious mimeTools.dll employs a sophisticated shellcode decryption and execution process. By leveraging modules such as Crypt32.dll and BCrypt.dll, the malware transforms encoded data into executable shell code within the system’s memory, evading standard security protocols.

The impact of the malware extends beyond Notepadd++, as it modifies critical system processes like explorer.exe and DLLs like BingMaps.dll. This modification enables the malware to propagate, overwrite code segments, and execute additional malicious payloads, thereby launching multifaceted attacks.

“The GetBingMapsFactory() function in BingMaps.dll was overwritten with a shellcode in the previous step. The function that began with a new thread has a process for checking analysis environments such as VM to terminate the process. It is also responsible for injecting a thread into explorer.exe,” said the researchers.

C2 server page resembling a fake WordPress website. | Source: ASEC

Furthermore, the malware establishes connections with Command and Control (C2) servers, enabling threat actors to remotely control compromised systems, download additional malicious content, and execute commands, posing a significant threat to the user data and system integrity.

The design of the C2 server’s interface imitates legitimate websites, creating a deceptive layer that masks the malicious activities taking place.

“The C2 being accessed was designed to look like the WordPress login page at the time of analysis. When the malware strain was first being distributed, the C2 had the appearance of a Wiki website and was named WikiLoader,” noted the researchers.

The researchers have cautioned users to download the software only from official websites and follow cybersecurity best practices to protect themselves from such harmful malware.

In the News: Google Pixel 9 lineup: Leaks, rumours and everything in between

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: