Malicious Adverts Concentrating on Chinese language Customers with Faux Notepad++ and VNote Installers

Notepad++ and VNote Installers

Chinese language customers searching for professional software program resembling Notepad++ and VNote on search engines like google like Baidu are being focused with malicious adverts and bogus hyperlinks to distribute trojanized variations of the software program and finally deploy Geacon, a Golang-based implementation of Cobalt Strike.

“The malicious web site discovered within the notepad++ search is distributed via an commercial block,” Kaspersky researcher Sergey Puzan said.

“Opening it, an attentive person will instantly discover an amusing inconsistency: the web site deal with comprises the road vnote, the title provides a obtain of Notepad‐‐ (an analog of Notepad++, additionally distributed as open-source software program), whereas the picture proudly reveals Notepad++. The truth is, the packages downloaded from right here include Notepad‐‐.”


The web site, named vnote.fuwenkeji[.]cn, comprises obtain hyperlinks to Home windows, Linux, and macOS variations of the software program, with the hyperlink to the Home windows variant pointing to the official Gitee repository containing the Notepad– installer (“Notepad–v2.10.0-plugin-Installer.exe”).

The Linux and macOS variations, alternatively, result in malicious set up packages hosted on vnote-1321786806.cos.ap-hongkong.myqcloud[.]com.

Notepad++ and VNote Installers

In a similar way, the faux look-alike web sites for VNote (“vnote[.]data” and “vnotepad[.]com”) result in the identical set of myqcloud[.]com hyperlinks, on this case, additionally pointing to a Home windows installer hosted on the area. That stated, the hyperlinks to the doubtless malicious variations of VNote are now not lively.

An evaluation of the modified Notepad– installers reveals that they’re designed to retrieve a next-stage payload from a distant server, a backdoor that displays similarities with Geacon.


It is able to creating SSH connections, performing file operations, enumerating processes, accessing clipboard content material, executing information, importing and downloading information, taking screenshots, and even getting into into sleep mode. Command-and-control (C2) is facilitated by the use of HTTPS protocol.

The event comes as malvertising campaigns have additionally acted as a conduit for different malware resembling FakeBat (aka EugenLoader) malware with the assistance of MSIX installer information masquerading as Microsoft OneNote, Notion, and Trello.

Notify of
Inline Feedbacks
View all comments
Previous Post
Troutman Pepper Forms Incidents and Investigations Team

Purple Canary Publicizes Full Protection of All Main Cloud Suppliers

Next Post

Google Introduces Enhanced Actual-Time URL Safety for Chrome Customers

Related Posts