ClickCease Hackers Target Chinese With Notepad++ and Vnote Installers

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Hackers Target Chinese With Notepad++ and Vnote Installers

Wajahat Raja

March 28, 2024 - TuxCare expert team

In a recent revelation by cybersecurity experts at Kaspersky Labs, a concerning cyber threat has emerged targeting users of popular text editing software in China. This sophisticated attack involves the distribution of altered versions of well-known editors like Notepad++ and Vnote Installers, aimed at infiltrating users’ systems with harmful malware.


Notepad++ and Vnote Installers – The Deceptive Tactics


Employing a tactic known as “malvertising” alongside search engine manipulation, threat actors strategically place fake ads and manipulate search results. This cunning strategy redirects unsuspecting users searching for these text editors to malicious websites masquerading as official download pages.

A Kaspersky Labs researcher shedding light on the method employed by these attackers stated, “Using typosquatting and other techniques, the attackers tried to make their resources look as similar as possible to the official websites of popular programs. This time, a similar threat has affected users of one of the most popular search engines on the Chinese internet.”


Unveiling the Malicious Intent


Kaspersky Labs’ investigation has identified two fake software installers where advertisements and search results led users to download trojanized versions of these beloved text editors. For instance, a search for Notepad++ directed users to a deceptive site offering downloads of a variant named Notepad–, embedded with malware. 

Interestingly, while the Linux and macOS versions were infected, the Windows version remained unaffected. Similarly, users searching for VNote, another popular text editor, encountered a similar fate, indicating a shared approach between the two instances.


The Grim Consequences of Infection


Upon analysis of the compromised versions of Notepad– for Linux and macOS, Kaspersky Labs uncovered alarming modifications. The Notepad++ security concerns, posing as legitimate software, trigger a class named Uplocal before the application’s launch. This initiates the download and execution of a file from a malicious server, housing a backdoor identified as DPysMac64, akin to the notorious Geacon – a CobaltStrike agent clone.

This backdoor, tailored for both Linux and macOS, facilitates communication with its command and control server via HTTPS, hinting at a sophisticated network geared towards cyber espionage. Intriguingly, the attackers dubbed the project responsible for executing remote commands as “spacex.”

The Elusive Culprits Behind the Notepad++ and Vnote Installers Attack


Despite ongoing investigations, the identities of the malicious ads targeting Chinese users via Notepad++ and Vnote installers remain elusive. However, Kaspersky Labs’ findings point towards a meticulously organized and highly targeted campaign.

An intricate web of connections between entities distributing the infected applications was uncovered during Kaspersky Labs’ sleuthing. Notably, a suspicious About window in the modified Notepad– was linked to another clone site, further intertwining the narratives of the malicious VNote and Notepad– variants. 

This interconnectedness suggests a broad, coordinated effort to deploy a secondary infection stage through tampered applications. Protecting against malicious ads is crucial in safeguarding online security.


Defending Against Cyber Attacks Via Fake Installers


To safeguard against such cybersecurity threats in software downloads, users are advised to adhere to the best practices for cybersecurity:


  1. Stick to Trusted Sources – Always obtain software from official websites or reputable repositories to minimize the risk of encountering tainted versions.
  2. Vigilance is Key – Remain vigilant and watch out for inconsistencies such as typos, unusual URLs, and irregularities on download sites.
  3. Keep Security Software Updated – Regularly update your antivirus and firewall to detect and thwart potential malware in software downloads effectively.

Continued Investigation: Stay Informed

As Kaspersky Labs researchers continue to delve deeper into this cyber attack, ongoing updates and guidance will be provided to assist users in protecting themselves and their data.
Chinese users cybersecurity risks are increasing due to sophisticated cyberattacks. By remaining vigilant and informed, individuals can mitigate the risks posed by such sophisticated cyber threats.


In conclusion, the emergence of targeted cyber attacks underscores the importance of maintaining robust cybersecurity measures in the ever-evolving
Chinese internet security landscape. By adopting proactive security practices and staying informed about evolving threats, users can effectively safeguard themselves against malicious actors seeking to exploit Notepad++ and Vnote installer vulnerabilities for nefarious purposes.

The sources for this piece include articles in The Hacker News and SecurityOnline.


Hackers Target Chinese With Notepad++ and Vnote Installers
Article Name
Hackers Target Chinese With Notepad++ and Vnote Installers
Discover how Chinese users are falling victim to malicious ads offering fake Notepad++ and Vnote installers. Stay protected!
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter