StrongPity Malware Spread Using Malicious Notepad++ Installers

StrongPity Malware Spread Using Malicious Notepad++ Installers

StrongPity, a skilled hacker gang, is disseminating malware-laced Notepad++ installations that infect targets. This hacker gang, also known as APT-C-41 and Promethium, was previously found delivering trojanized WinRAR installations in highly targeted attacks between 2016 and 2018.

Notepad++ is a popular free text and source code editor for Windows used by various companies. The modified installation was discovered by a security analyst known as ‘blackorbird,’ and the malware was reported by Minerva Labs. When you run the Notepad++ installation, it creates a folder called “Windows Data” beneath C:\ProgramData\Microsoft and dumps these three files:

  • npp.8.1.7.Installer.x64.exe – the original Notepad++ installation file under C:\Users\Username\AppData\Local\Temp\ folder

  • ntuis32.exe – malicious keylogger under C:\ProgramData\Microsoft\WindowsData folder

  • winpickr.exe – a malicious file under C:\Windows\System32 folder

The code editor’s installation proceeds normally, and the victim will not notice anything unusual that may raise suspicions. When the setup is complete, a new service named “PickerSrv” is established, which forms the malware’s persistence by executing it upon startup. This service runs malware’s keylogger component, ‘ntuis32.exe,’ as an overlapped window (using the WS MINIMIZEBOX style).

All user keystrokes are recorded by the keylogger and saved in secret system files dumped in the ‘C:\ProgramData\Microsoft\WindowsData’ folder. The malware can also steal files and other information from the computer. ‘winpickr.exe’ checks this folder regularly, and when a new log file is found, the component opens a C2 connection to send the stolen data to the attackers. The original log is erased when the transfer is complete to remove any indications of malicious behavior.

If you need to use Notepad++, download the installation from the project’s website. Many other websites provide the program, some of which pretend to be genuine Notepad++ portals but may contain adware or other undesirable applications. The laced installer’s distribution URL has been taken down after being discovered by analysts, but the perpetrators might swiftly register a new one.


Take the same precautions with whatever program you’re using, no matter how specialized it is, because skilled attackers are especially interested in unique software situations that are excellent for watering hole attacks. In this instance, employing up-to-date security tools is also critical because the odds of detection from an AV program on the system would be around 50%.

About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.