Hackers Hijacked Notepad++ Plugin To Inject Malicious Code

Hackers have manipulated a popular Notepad++ plugin, injecting malicious code that compromises users’ systems upon execution.

The AhnLab Security Intelligence Center (ASEC) researchers have revealed that the “mimeTools.dll” plugin, which is widely used, was modified to carry out the attack.

Notepad++, a text and source code editor favored by programmers and writers for its versatility and plugin support, became an unwitting vehicle for cybercriminals.

Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Malicious vs Legitimate Package

The altered “mimeTools.dll” plugin, a default component of Notepad++, was discovered to be masquerading as a legitimate package, deceiving users into downloading and installing the compromised version.

official vs malicious Notepad

The mimeTools plugin, known for its encoding functionalities such as Base64, is automatically loaded when Notepad++ is launched. Attackers exploited this behavior using a technique known as DLL Hijacking.

When Notepad++.exe is launched, the “mimeTools.dll” file is automatically loaded, triggering the activation of the embedded malicious code, without any further user action.

Infection Flow

The attackers ingeniously added encrypted malicious Shell Code and the code to decrypt and execute it within the “mimeTools.dll” file.

ASEC’s investigation highlighted a file named “certificate.pem” within the altered package as the container of the malicious shell code.

Despite the manipulation, the plugin’s original functionalities remained intact, with only the DllEntryPoint code being altered. This stealthy approach ensures that the malicious activities commence the moment the DLL is loaded, unbeknownst to the user.

The execution flow of the malicious code begins with the launching of Notepad++ and the subsequent loading of the “mimeTools.dll.”

The DLL then decrypts and executes the Shell Code contained in the “certificate.pem” file, initiating the attack.

As cybercriminals continue to evolve their tactics, the cybersecurity community remains committed to uncovering and mitigating such threats, safeguarding users’ digital experiences.


File diagnosis
– Trojan/Win.WikiLoader.C5594131
– Trojan/Win.WikiLoader.R642896
– Trojan/Bin.ShellCode

– c4ac3b4ce7aa4ca1234d2d3787323de2 : package file(npp.8.6.3.portable.x64.zip)
– 6136ce65b22f59b9f8e564863820720b : mimeTools.dll
– fe4237ab7847f3c235406b9ac90ca8 45: certificate.pem
– d29f25c4b162f6a19d4c6b96a540648c: package file(npp.8.6.4.portable.x64.zip )
– 8b7a358005eff6c44d66e44f5b266d33 : mimeTools.dll
– d5ea5ad8678f362bac86875cad47ba21 : certificate.pem

– hxxps://car***************.com/wp-content/themes/twentytwentytwo/nnzknr.php?id=1
– hxxps://pro** ********.net/wp-content/themes/twentytwentythree/hyhnv3.php?id=1
– hxxps://www.era********.eu/wp-content/themes /twentytwentyfour/dqyzqp.php?id=1
– hxxps://www.mar**********.it/wp-content/themes/twentytwentyfour/c2hitq.php?id=1
– hxxps:/ /osa*******.com/wp-content/themes/twentytwentythree/ovqugo.php?id=1
– hxxps ://www.ala************.com/ wp-content/themes/twentytwentyfour/34uo7s.php?id=1
– hxxps://13*******.org/wp-content/themes/twentytwentythree/t51kkf.php?id=1
– hxxps:/ /alt**************.com/wp-content/themes/twentytwentyfour/c9wfar.php?id=1
– hxxps://www.am*******. com/wp-content/themes/twentyten/b9un4f.php?id=1
– hxxps://lu*******************.com/wp-content/themes /twentytwentytwo/pam8oa.php?id=1
– hxxps://www.yu*******.de/wp-content/themes/twentytwentytwo/n2gd2t.php?id=1

Is Your Network Under Attack? - Read CISO’s Guide to Avoiding the Next Breach - Download Free Guide
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.