Georgy Kucherin
Researching malware @ Kaspersky GReAT
Feb 3 8 tweets 3 min read
It turned out there are many more payloads used in the Notepad++ attack! To stay undetected, its masterminds were COMPLETELY changing execution chains about every month.

Here are more IPs used in the attack:
45.76.155[.]202
45.32.144[.]255

Read below for many other IoCs! [1/8]

After checking our telemetry, we identified malicious updates to be deployed on fewer than a dozen machines, including a government organization in the Philippines. We observed the first attack in July, with Metasploit used to deploy Cobalt Strike (C2 45.77.31[.]210) [2/n]
Jan 30 7 tweets 3 min read
Imagine your #antivirus starts deploying malware after an update. This is exactly what happened with the eScan solution last week - the supply chain attack was discovered by @morphisec. We have analyzed the #malware used in this attack - and found lots of cool stuff! [1/7]

Over the course of the malicious update, one of the components (RECORD.exe) of the eScan antivirus was overwritten with a malicious file, used for executing three PowerShell payloads - for tampering with the security solution, disabling AMSI and configuring persistence. [2/7]
Jul 10, 2025 6 tweets 2 min read
A few weeks ago, I was responding to a cybersecurity incident - $500,000 had been stolen from a #blockchain developer. The infected operating system was freshly installed, and the victim was vigilant about cybersecurity. How could this happen? New supply chain attack? [1/6]

After examining the developer's hard disk, I found out that the cause of the infection was an installed malicious extension for the Cursor AI IDE. It was supposed to highlight code written in Solidity, but in reality it acted as a malicious downloader. [2/6]