According to the researchers, if a user clicks on an advertisement to enter a website that distributes a malicious version of Notepad++, he or she will immediately notice inconsistencies: the URL contains vnote instead of Notepad++, and the application offered for download is a modified version of Notepad- (a branch of it) by a Chinese developer. Of the Windows, Linux, and macOS versions offered on the website, only the Linux and macOS versions contain malicious code. vnote's phishing site attempts to mimic the official website. If a user installs the malicious version of Notepad-, it tries to install a backdoor program that is supposed to come from the open source program Geacon.
