Kaspersky Global Research and Analysis Team (GReAT) found that attackers behind the Notepad++ supply chain breach targeted organizations and individuals across several countries, including a government agency in the Philippines.

The cybersecurity company said the campaign also targeted a financial institution in El Salvador, an IT service provider in Vietnam, and individuals in three countries. Researchers discovered that the attackers used at least three separate infection chains, two of which have not been publicly disclosed before.

According to Kaspersky, the attackers changed their malware, command-and-control systems, and delivery techniques almost every month from July to October 2025. The only attack chain previously reported represents the last stage of a longer campaign.

“Defenders who checked their systems against the publicly known IoCs and found nothing should not assume they’re in the clear,” said Georgy Kucherin, senior security researcher at Kaspersky GReAT. “The July-September infrastructure was completely different, with different IPs, domains, and file hashes. And given how frequently these attackers rotated their tools, we cannot rule out the existence of additional, as-yet-undiscovered chains.”

Notepad++ developers disclosed on Feb. 2, 2026 that their update infrastructure was compromised following an incident involving a hosting provider. Earlier reports focused only on malware discovered in October 2025, which left many organizations unaware of earlier indicators of compromise (IoCs).

Kaspersky said each infection chain used different malicious IP addresses, domain names, execution methods, and payloads. Because of these differences, organizations that scanned their systems only for October indicators may have missed infections that happened earlier.
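The practical consequence of rotating infrastructure is that a retrospective hunt has to match telemetry against every period's indicator set, not just the most recently published one. The script below is an added illustration of that approach; it is not code from Kaspersky or from the article, and every indicator in it is a constructed placeholder (RFC 5737 test addresses, `.example` domains, dummy hashes), not a real IoC from the Notepad++ incident. It extracts IPs, domains and SHA-256 hashes from sample log lines, matches them against indicator sets grouped by campaign period, and reports which periods a scan limited to the October set would have missed.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed placeholder indicators grouped by campaign period. These are NOT
# real IoCs from the Notepad++ incident; they only stand in for the rotating
# infrastructure the article describes (RFC 5737 test IPs, .example domains).
IOC_SETS: Dict[str, Dict[str, Set[str]]] = {
    "2025-07..09 (earlier, undisclosed chains)": {
        "ip": {"192.0.2.10", "192.0.2.44"},
        "domain": {"update-mirror.example", "cdn-stage.example"},
        "sha256": {"a" * 64},
    },
    "2025-10 (publicly reported chain)": {
        "ip": {"198.51.100.7"},
        "domain": {"installer-check.example"},
        "sha256": {"b" * 64},
    },
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.I)
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)

Hit = Tuple[int, str, str]  # (line number, indicator type, matched value)


def extract_observables(line: str) -> Dict[str, Set[str]]:
    """Pull IPs, SHA-256 hashes and domain-like tokens out of one log line."""
    ips = set(IP_RE.findall(line))
    hashes = {h.lower() for h in SHA256_RE.findall(line)}
    # The domain pattern also matches dotted IPs, so remove those explicitly.
    domains = {d.lower() for d in DOMAIN_RE.findall(line)} - ips
    return {"ip": ips, "sha256": hashes, "domain": domains}


def hunt(lines: List[str], ioc_sets: Dict[str, Dict[str, Set[str]]]) -> Dict[str, List[Hit]]:
    """Match every line against every period's indicators; return hits per period."""
    hits: Dict[str, List[Hit]] = {period: [] for period in ioc_sets}
    for lineno, line in enumerate(lines, start=1):
        observed = extract_observables(line)
        for period, iocs in ioc_sets.items():
            for kind, values in iocs.items():
                for value in sorted(observed[kind] & {v.lower() for v in values}):
                    hits[period].append((lineno, kind, value))
    return hits


def missed_periods(lines: List[str], scanned_periods: Set[str]) -> List[str]:
    """Periods with hits that a scan limited to `scanned_periods` would not report."""
    hits = hunt(lines, IOC_SETS)
    return sorted(p for p, h in hits.items() if h and p not in scanned_periods)


# Constructed sample telemetry in a proxy/EDR style; not real log data.
SAMPLE_LOGS = [
    "2025-08-14T09:12:03Z proxy allow src=10.0.0.23 dst=192.0.2.10:443 host=update-mirror.example",
    "2025-08-14T09:12:05Z edr file_create path=C:\\Users\\u\\AppData\\Local\\Temp\\upd.tmp sha256=" + "a" * 64,
    "2025-10-02T17:40:51Z proxy allow src=10.0.0.23 dst=203.0.113.5:443 host=legit-vendor.example",
]

if __name__ == "__main__":
    for period, period_hits in hunt(SAMPLE_LOGS, IOC_SETS).items():
        print(f"{period}: {len(period_hits)} hit(s)")
        for lineno, kind, value in period_hits:
            print(f"  line {lineno}: {kind}={value}")
    gap = missed_periods(SAMPLE_LOGS, {"2025-10 (publicly reported chain)"})
    print("Periods an October-only scan would miss:", gap)
```

Run against the constructed sample, the August lines match only the earlier period's indicators, so a hunt that used the October set alone would report a clean host. In a real environment the indicator sets would be populated from the vendor's full, period-by-period threat intelligence rather than the placeholders above, and the log sources would include proxy, DNS and endpoint telemetry going back to at least July 2025.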

The company said its cybersecurity solutions, including Kaspersky Next, are able to detect all malware used in the campaign. Kaspersky also advised organizations to review their systems using updated threat intelligence and to monitor networks for suspicious activity linked to earlier attack stages.
