{"id":173115,"date":"2026-02-11T07:44:41","date_gmt":"2026-02-11T15:44:41","guid":{"rendered":"https:\/\/unit42.paloaltonetworks.com\/?p=173115"},"modified":"2026-02-17T08:22:18","modified_gmt":"2026-02-17T16:22:18","slug":"notepad-infrastructure-compromise","status":"publish","type":"post","link":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/notepad-infrastructure-compromise\/","title":{"rendered":"Nation-State Actors Exploit the Notepad++ Supply Chain"},"content":{"rendered":"<h2>Executive Summary<\/h2>\n<p>Between June and December 2025, the official hosting infrastructure of the<a href=\"https:\/\/notepad-plus-plus.org\/news\/hijacked-incident-info-update\/\" target=\"_blank\" rel=\"noopener\"> Notepad++ text editor was compromised<\/a> by a state-sponsored threat group known as<a href=\"https:\/\/www.rapid7.com\/blog\/post\/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit\/\" target=\"_blank\" rel=\"noopener\"> Lotus Blossom<\/a>. The attackers broke into the shared hosting provider's environment.<\/p>\n<p>This allowed the attackers to intercept and redirect traffic destined for the Notepad++ update server. This infrastructure-level hijack let the attackers selectively target specific users. The targets were located mainly in Southeast Asia, spanning the government, telecommunications and critical infrastructure sectors. The attackers served these targets malicious update manifests instead of legitimate software updates.<\/p>\n<p>We identified additional, previously unreported infrastructure linked to this campaign. We observed two infection chains, including a Lua script injection variant that resulted in delivery of the Cobalt Strike Beacon malware, as well as DLL side-loading to deliver a Chrysalis backdoor. Unit 42 also found that this threat activity is targeting more sectors and more regions than previously reported.<\/p>\n<p>This campaign also affected the following sectors in South America, the US, Europe and Southeast Asia:<\/p>\n<ul>\n<li>Cloud hosting<\/li>\n<li>Energy<\/li>\n<li>Financial<\/li>\n<li>Government<\/li>\n<li>Manufacturing<\/li>\n<li>Software development<\/li>\n<\/ul>\n<p>Notepad++ is a lightweight, open-source code editor and text replacement utility. The tool is widely favored for its speed, extensive plugin ecosystem and unique ability to handle massive data files while preserving sessions that users have not yet saved.<\/p>\n<p>In corporate environments, Notepad++ often serves as a core instrument for system administrators, network engineers and DevOps staff. These professionals routinely use it to modify server configurations, parse heavy system logs and audit code on secure jump boxes, where heavier applications are impractical.<\/p>\n<p>This specific user demographic makes Notepad++ a strategically critical target for threat actors. 
Compromising this single tool lets attackers effectively bypass perimeter defenses and piggyback on the sessions of the organization's most privileged users, gaining implicit administrative access to the core network infrastructure.<\/p>\n<p>Palo Alto Networks customers receive protections and mitigations for the activity discussed in this article in the following ways:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.paloaltonetworks.com\/pan-os\/10-1\/pan-os-new-features\/url-filtering-features\/advanced-url-filtering\" target=\"_blank\" rel=\"noopener\">Advanced URL Filtering<\/a> and<a href=\"https:\/\/docs.paloaltonetworks.com\/dns-security\" target=\"_blank\" rel=\"noopener\"> Advanced DNS Security<\/a> identify known URLs and domains associated with this activity as malicious<\/li>\n<li>The machine learning models and analysis techniques of<a href=\"https:\/\/docs.paloaltonetworks.com\/wildfire\" target=\"_blank\" rel=\"noopener\"> Advanced WildFire<\/a> have been reviewed and updated in light of the indicators shared in this research.<\/li>\n<li><a href=\"https:\/\/www.paloaltonetworks.com\/cortex\/cloud\" target=\"_blank\" rel=\"noopener\">Cortex Cloud<\/a> helps detect and prevent the malicious operations, configuration changes or exploits discussed in this article<\/li>\n<li><a href=\"https:\/\/www.paloaltonetworks.com\/cortex\/cortex-xdr?_gl=1*13pmp8e*_ga*NzQyNjM2NzkuMTY2NjY3OTczNw..*_ga_KS2MELEEFC*MTY2OTczNjA2MS4zMS4wLjE2Njk3MzYwNjEuNjAuMC4w\" target=\"_blank\" rel=\"noopener\">Cortex XDR<\/a> and<a href=\"https:\/\/www.paloaltonetworks.com\/resources\/datasheets\/cortex-xsiam-aag\" target=\"_blank\" rel=\"noopener\"> XSIAM<\/a> using the<a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/r\/Cortex-XDR\/Cortex-XDR-4.x-Documentation\/Malware-protection\" target=\"_blank\" rel=\"noopener\"> Malware Prevention Engine<\/a><\/li>\n<li><a href=\"https:\/\/docs.paloaltonetworks.com\/ngfw\" target=\"_blank\" rel=\"noopener\">Next-Generation Firewall<\/a> with<a href=\"https:\/\/docs.paloaltonetworks.com\/advanced-threat-prevention\/administration\" target=\"_blank\" rel=\"noopener\"> Advanced Threat Prevention<\/a>, designed to defend networks against both common and targeted threats.<\/li>\n<\/ul>\n<p>The<a href=\"https:\/\/start.paloaltonetworks.com\/contact-unit42.html\" target=\"_blank\" rel=\"noopener\"> Unit 42 Incident Response team<\/a> can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.<\/p>\n<table style=\"width: 96.2097%;\">\n<thead>\n<tr>\n<td style=\"width: 35%;\"><b>Related Unit 42 Topics<\/b><\/td>\n<td style=\"width: 154.069%;\"><a href=\"https:\/\/unit42.paloaltonetworks.com\/pt-br\/tag\/dll-sideloading\/\" target=\"_blank\" rel=\"noopener\"><b>DLL Sideloading<\/b><\/a>, <a href=\"https:\/\/unit42.paloaltonetworks.com\/pt-br\/tag\/backdoor\/\" target=\"_blank\" rel=\"noopener\"><b>Backdoors<\/b><\/a>, <a href=\"https:\/\/unit42.paloaltonetworks.com\/pt-br\/tag\/supply-chain\/\" target=\"_blank\" rel=\"noopener\"><strong>Supply Chain<\/strong><\/a>, <strong><a href=\"https:\/\/unit42.paloaltonetworks.com\/pt-br\/tag\/cobalt-strike\/\" target=\"_blank\" rel=\"noopener\">Cobalt Strike<\/a><\/strong><\/td>\n<\/tr>\n<\/thead>\n<\/table>\n<h2>Notepad++ Attack Details<\/h2>\n<p>This supply chain attack relied on exploiting insufficient verification controls in older versions of the Notepad++ updater,<a href=\"https:\/\/wingup.org\/\" target=\"_blank\" rel=\"noopener\"> WinGUp<\/a>. 
This exploitation allowed the threat group to redirect traffic to attacker-controlled servers.<\/p>\n<p>When targeted victims attempted to update their software, they downloaded a malicious NSIS installer. This installer, often named<span style=\"font-family: 'courier new', courier, monospace;\"> update.exe<\/span>, started a complex infection chain. The chain used DLL sideloading techniques and abused a legitimate Bitdefender component (<span style=\"font-family: 'courier new', courier, monospace;\">BluetoothService.exe<\/span>) to load a malicious library (<span style=\"font-family: 'courier new', courier, monospace;\">log.dll<\/span>) that decrypted and executed a custom backdoor. In another infection chain, the attackers<a href=\"https:\/\/securelist.com\/notepad-supply-chain-attack\/118708\/\" target=\"_blank\" rel=\"noopener\"> used<\/a> an NSIS installer to execute a command that ran a malicious Lua script to load Cobalt Strike Beacon.<\/p>\n<p>This malware, named<a href=\"https:\/\/www.rapid7.com\/blog\/post\/tr-chrysalis-backdoor-dive-into-lotus-blossoms-toolkit\/\" target=\"_blank\" rel=\"noopener\"> Chrysalis<\/a>, employed advanced evasion techniques. These included:<\/p>\n<ul>\n<li>Use of the Microsoft<a href=\"https:\/\/websec.net\/blog\/a-deep-dive-into-microsoft-warbird-mss-kernel-mode-dynamic-packer-68ee2c87b251081f55ec8c31\" target=\"_blank\" rel=\"noopener\"> Warbird<\/a> code protection framework<\/li>\n<li>Custom API hashing to reduce antivirus detection<\/li>\n<li>Establishing persistent remote control over infected systems<\/li>\n<\/ul>\n<h2>Additional Exploitation Activity in This Campaign<\/h2>\n<p>Unit 42 observed evidence of two separate attack sequences:<\/p>\n<ul>\n<li>One in which a malicious NSIS installer drops a compiled Lua script containing a loader to download and execute a Cobalt Strike Beacon payload<\/li>\n<li>Another in which the attackers used DLL side-loading to inject the Chrysalis backdoor into memory<\/li>\n<\/ul>\n<p>We observed additional activity dated between mid-August and November 2025 that was consistent with this exploitation activity. In an August incident, we observed communication with the command and control (C2) IP address <span style=\"font-family: 'courier new', courier, monospace;\">45.76.155[.]202<\/span>. After days of C2 beacon traffic to this IP address, the attackers switched to a second C2 server at <span style=\"font-family: 'courier new', courier, monospace;\">45.77.31[.]210<\/span>, with communication lasting into September.<\/p>\n<p>In cases between September and November 2025, we observed activity consistent with outbound connections to a C2 server. These were followed by subsequent download requests for <span style=\"font-family: 'courier new', courier, monospace;\">update.exe<\/span> that are consistent with the reported Chrysalis backdoor. In some cases, the download attempts were made to an IP address, while others were made to domains. Successful beacons to malicious servers occurred seconds after the successful download of the malicious payload and continued for an unspecified period of time.<\/p>\n<p>In September and October 2025, we observed a Lua script injection variant deploying malicious Lua scripts to inject shellcode. This attack used the <span style=\"font-family: 'courier new', courier, monospace;\">EnumWindowStationsW<\/span> API and resulted in delivery of the Cobalt Strike Beacon malware. In this case, the download originated from:<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">45.76.155[.]202\/update\/update.exe<\/span><\/li>\n<\/ul>\n<p>Separately, we also observed a Bluetooth DLL sideloading variant in the same case. This variant uses Bluetooth service DLL sideloading techniques to deploy the Chrysalis backdoor. Download attempts for this variant were made from a different malicious server:<\/p>\n<ul>\n<li><span style=\"font-family: 'courier new', courier, monospace;\">45.32.144[.]255\/update\/update.exe<\/span><\/li>\n<\/ul>\n<h2>Interim Guidance<\/h2>\n<p><a href=\"https:\/\/notepad-plus-plus.org\/news\/hijacked-incident-info-update\/\" target=\"_blank\" rel=\"noopener\">Notepad++ recommends<\/a> the following:<\/p>\n<ul>\n<li>Download version 8.9.1, which includes the relevant security improvement<\/li>\n<li>Run the installer to update your Notepad++ manually<\/li>\n<\/ul>\n<p>According to Notepad++, they have migrated their website to a new hosting provider with significantly more robust security practices.<\/p>\n<p>Within Notepad++ itself, they enhanced the WinGup updater in v8.8.9 to verify both the certificate and the signature of the downloaded installer.<\/p>\n<p>In addition, they also note:<\/p>\n<ul>\n<li>The XML returned by the update server is now signed (XMLDSig)<\/li>\n<li>Certificate and signature verification will become mandatory starting with the next version, 8.9.2, which they expect to release in about a month<\/li>\n<\/ul>\n<h2>Unit 42 Managed Threat Hunting Queries<\/h2>\n<p>The Unit 42 Managed Threat Hunting team continues to track any signs of misuse or anomalous activity using Cortex XDR and the XQL queries below. Cortex XDR customers can also use these XQL queries to assist in their investigations or threat hunting.<\/p>\n<p>Because most of the activity likely occurred before December 2, we recommend reviewing data retention limits to determine whether these queries will be effective in your environment. 
If available in your environment, you can consider using \"cold storage\" queries (cold_dataset = xdr_data) to query data beyond hot retention limits. Note that running queries against cold storage will consume compute units.<\/p>\n<pre class=\"lang:default decode:true\">\/\/ Name: DLL sideloading via BYO application\r\n\r\n\/\/ Description: Identifies renamed Bitdefender utility loading a log.dll file\r\n\r\n\/\/ MITRE TTP ID: T1574.001\r\n\r\nconfig case_sensitive = false\r\n\r\n| dataset = xdr_data\r\n\r\n| fields actor_process_signature_vendor, actor_process_signature_product, action_module_path, actor_process_image_path, actor_process_image_sha256, agent_os_type, event_type, event_id, agent_hostname, _time, actor_process_image_name\r\n\r\n| filter event_type = ENUM.LOAD_IMAGE and agent_os_type = ENUM.AGENT_OS_WINDOWS\r\n\r\n| filter actor_process_signature_vendor contains \"Bitdefender SRL\" and action_module_path contains \"log.dll\"\r\n\r\n| filter actor_process_image_path not contains \"Program Files\\Bitdefender\"\r\n\r\n| filter not actor_process_image_name in (\"eps.rmm64.exe\", \"downloader.exe\", \"installer.exe\", \"epconsole.exe\", \"EPHost.exe\", \"epintegrationservice.exe\", \"EPPowerConsole.exe\", \"epprotectedservice.exe\", \"DiscoverySrv.exe\", \"epsecurityservice.exe\", \"EPSecurityService.exe\", \"epupdateservice.exe\", \"testinitsigs.exe\", \"EPHost.Integrity.exe\", \"WatchDog.exe\", \"ProductAgentService.exe\", \"EPLowPrivilegeWorker.exe\", \"Product.Configuration.Tool.exe\", \"eps.rmm.exe\")<\/pre>\n<pre class=\"lang:default decode:true\">\/\/ Name: Chrysalis Mutex\r\n\r\n\/\/ Description: Identifies a Mutex known to be related to the chrysalis backdoor malware\r\n\r\n\/\/ MITRE TTP ID: T1480.002\r\n\r\nconfig case_sensitive = false\r\n\r\n| dataset = xdr_data\r\n\r\n| fields _time, agent_hostname, actor_effective_username, actor_process_image_name, actor_process_image_path, actor_process_command_line, event_type, event_sub_type, action_syscall_string_params\r\n\r\n| filter event_type = ENUM.SYSTEM_CALL and event_sub_type = ENUM.SYSTEM_CALL_NT_CREATE_MUTANT\r\n\r\n| alter mutex = json_extract_scalar(action_syscall_string_params, \"$.1\")\r\n\r\n| filter mutex = \"Global\\\\Jdhfv_1.0.1\"<\/pre>\n<pre class=\"lang:default decode:true\">\/\/ Name: GUP.exe Writing Unusual Files to Temp Folder\r\n\r\n\/\/ Description: Detects cases where the Notepad++ updater (gup.exe) writes files to a temp folder that deviate from the normal and expected.\r\n\r\n\/\/ MITRE TTP ID: T1036.005\r\n\r\nconfig case_sensitive = false\r\n\r\n| dataset = xdr_data\r\n\r\n| fields _time, agent_hostname, event_type, event_sub_type, action_file_name, action_file_path, actor_effective_username, action_file_extension, action_file_previous_file_path, action_file_sha256, action_file_size, actor_process_image_name, actor_process_image_path, actor_process_command_line, actor_process_image_sha256, causality_actor_process_image_name, causality_actor_process_image_path, os_actor_primary_username, os_actor_process_command_line, os_actor_process_image_name, os_actor_process_image_path, agent_os_type\r\n\r\n| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_WRITE\r\n\r\n| filter lowercase(actor_process_image_name) = \"gup.exe\" and action_file_sha256 != null\r\n\r\n| filter lowercase(actor_process_command_line) !~= \"((\\\\notepad\\+\\+(?:_?x?\\d+?)??|\\\\nppp?[\\.\\d]*?(?:portable)??(?:\\.x64)??).*?\\\\plugins|-ihttps:\\\/\\\/notepad-plus-plus\\.org\\\/update\\\/getdownloadurl\\.php)\" and lowercase(action_file_path) ~= \"(\\\\appdata\\\\local\\\\temp\\\\|\\\\windows\\\\temp)\" and lowercase(action_file_name) !~= \"(npp[\\.\\d]+?installer)\"\r\n\r\n| sort desc _time<\/pre>\n<pre class=\"lang:default decode:true\">\/\/ Name: GUP.exe Downloading Improperly Signed Installer\r\n\r\n\/\/ MITRE TTP ID: T1036.001\r\n\r\nconfig case_sensitive = false\r\n\r\n| dataset = xdr_data\r\n\r\n| fields _time, agent_hostname, event_type, event_sub_type, action_process_username, action_process_user_sid, action_process_image_name, action_process_image_path, action_process_image_command_line, action_process_image_sha256, action_process_os_pid, action_process_cwd, action_process_file_info, action_process_file_size, action_process_file_web_mark, action_process_signature_vendor, action_process_signature_product, action_process_signature_status, actor_effective_username, actor_effective_user_sid, actor_process_image_name, actor_process_image_path, actor_process_command_line, actor_process_signature_vendor, actor_process_signature_product, actor_process_signature_status, causality_actor_primary_username, causality_actor_process_image_name, causality_actor_process_image_path, causality_actor_process_command_line, os_actor_primary_username, os_actor_process_image_name, os_actor_process_image_path, os_actor_process_image_command_line, os_actor_process_image_sha256, action_process_instance_id, actor_process_instance_id, causality_actor_process_instance_id, agent_os_type, agent_id\r\n\r\n| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START and _product = \"XDR agent\" and _vendor = \"PANW\"\r\n\r\n| filter lowercase(actor_process_image_name) = \"gup.exe\" and actor_process_signature_status not in (null, ENUM.UNSUPPORTED, ENUM.FAILED_TO_OBTAIN ) and action_process_signature_status not in (null, ENUM.UNSUPPORTED, ENUM.FAILED_TO_OBTAIN ) and action_process_image_sha256 not in ( \"71431fa7b66f8132453e18e3a5f8ef0af3ca079a7793f828df06fdb5d7bd915d\", \"2dd5473736ef51e4340cae005e3fc8cdf0e42ec649bc6ed186484a79be409928\", \"a19aa1cd7ecb9ca3f1fd0e118fffd0d673fba404ced8c39c2e210a63b70f9c15\", \"e22abc9af328d063e652f0829819124a6a748c224bc8b10f98473f87cda2c0cd\", \"61c3077b989e272117167c90fc35e7f06bea4f992f3395b40ccee083d7258082\", \"49d2531893b09cb6a8e3429ca0a734e871a2d96fa2575c0eec3229d383fa233a\", \"32aa12d3c9521477a5a1e086e400ec0f77f8a97a8190806a0f1953688b883cfb\", \"8117c82a3821965d92ee3f9f3ae10efcd602bd4b6e52a2fe957d70aafe479744\", \"05abc57952974d08feafa399d6fdb37945a3fd0a10f37833dd837a5788e421d5\", \"c6d1e5aacbf69aa18df4caf1346fd69638491a5ad0085729bae91c662d1c62bb\", \"e1df78704001bba1a3d343f62a1242a4484ff6ad269170714263c03b802eb0b1\", \"7094a07167648628e47249a16d9d6db922e5aa1255ac4322a2e4900d233372dd\" )\r\n\r\n| filter lowercase(action_process_image_name) ~= \"(npp[\\.\\d]+?installer)\"\r\n\r\n| dedup agent_id by desc _time\r\n\r\n| filter action_process_signature_status != ENUM.SIGNED or lowercase(action_process_signature_vendor) != \"notepad++\"\r\n\r\n| sort desc _time<\/pre>\n<pre class=\"lang:default decode:true\">\/\/ Name: GUP.exe Spawning Unusual Subprocesses\r\n\r\n\/\/ Description: Detects cases where the Notepad++ updater (gup.exe) spawns child processes that deviate from the normal and expected.\r\n\r\n\/\/ MITRE TTP ID: T1202\r\n\r\nconfig case_sensitive = false\r\n\r\n| dataset = xdr_data\r\n\r\n| fields _time, agent_hostname, event_type, event_sub_type, action_process_username, action_process_user_sid, action_process_image_name, action_process_image_path, action_process_image_command_line, action_process_image_sha256, action_process_os_pid, action_process_cwd, action_process_file_info, action_process_file_size, action_process_file_web_mark, action_process_signature_vendor, action_process_signature_product, action_process_signature_status, actor_effective_username, actor_effective_user_sid, actor_process_image_name, actor_process_image_path, actor_process_command_line, actor_process_signature_vendor, actor_process_signature_product, actor_process_signature_status, causality_actor_primary_username, causality_actor_process_image_name, causality_actor_process_image_path, causality_actor_process_command_line, os_actor_primary_username, os_actor_process_image_name, os_actor_process_image_path, os_actor_process_image_command_line, os_actor_process_image_sha256, action_process_instance_id, actor_process_instance_id, causality_actor_process_instance_id, agent_os_type, agent_id\r\n\r\n| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START\r\n\r\n| filter lowercase(actor_process_image_name) = \"gup.exe\"\r\n\r\n| filter lowercase(action_process_image_name) !~= \"(npp[\\.\\d]+?installer|consent\\.exe|explorer\\.exe|werfault\\.exe|smartscreen\\.exe|adminbyrequest\\.exe|openwith\\.exe)\" and lowercase(action_process_image_command_line) !~= \"(https:\\\/\\\/notepad-plus-plus\\.org\\\/|https:\\\/\\\/npp-user-manual\\.org\\\/)\" and lowercase(actor_process_command_line) !~= \"(\\\\notepad\\+\\+\\\\plugins|https:\\\/\\\/notepad-plus-plus\\.org\\\/)\"\r\n\r\n| sort desc _time<\/pre>\n<h2>Conclusion<\/h2>\n<p>This campaign marks a notable evolution in the operational tradecraft of threat actors of this kind, representing a pivot from broad infrastructure pre-positioning to a \"soft,\" highly targeted supply chain interdiction. Recent campaigns by groups such as Volt Typhoon and Salt Typhoon focused primarily on compromising critical infrastructure backbones and edge devices, relying on living-off-the-land techniques and minimal malware. This operation instead highlights a distinct strategic priority of focusing on holders of administrative keys.<\/p>\n<p>Hijacking the traffic flow of a trusted utility, rather than injecting code into the software's build pipeline, allowed the threat actors to weaponize their delivery mechanism without alerting the vendor. 
This adversary-in-the-middle (AitM) capability enabled dynamic fingerprinting of incoming update requests, allowing highly selective filtering of priority targets.<\/p>\n<p>This campaign is not focused on disruption but on valuable long-term intelligence. This is illustrated by the combination of the threat actor's selective victimology, focused on system administrators and developers across many geopolitically strategic regions, and its choice to use a lightweight, low-profile backdoor.<\/p>\n<p>Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the<a href=\"https:\/\/www.cyberthreatalliance.org\/\" target=\"_blank\" rel=\"noopener\"> Cyber Threat Alliance<\/a>.<\/p>\n<p>Palo Alto Networks customers are better protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.<\/p>\n<h2>Palo Alto Networks Product Protections<\/h2>\n<p>Palo Alto Networks customers can leverage a variety of product protections and updates to identify and defend against this threat.<\/p>\n<p>If you think you may have been compromised or have an urgent matter, contact the<a href=\"https:\/\/start.paloaltonetworks.com\/contact-unit42.html\" target=\"_blank\" rel=\"noopener\"> Unit 42 Incident Response team<\/a> or call:<\/p>\n<ul>\n<li>North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)<\/li>\n<li>UK: +44.20.3743.3660<\/li>\n<li>Europe and Middle East: +31.20.299.3130<\/li>\n<li>Asia: +65.6983.8730<\/li>\n<li>Japan: +81.50.1790.0200<\/li>\n<li>Australia: +61.2.4062.7950<\/li>\n<li>India: 000 800 050 45107<\/li>\n<li>South Korea: +82.080.467.8774<\/li>\n<\/ul>\n<h3>Advanced WildFire<\/h3>\n<p>The machine learning models and analysis techniques of<a href=\"https:\/\/docs.paloaltonetworks.com\/wildfire\" target=\"_blank\" rel=\"noopener\"> Advanced WildFire<\/a> have been reviewed and updated in light of the indicators shared in this research.<\/p>\n<h3>Next-Generation Firewalls with Advanced Threat Prevention<\/h3>\n<p>The<a href=\"https:\/\/docs.paloaltonetworks.com\/ngfw\" target=\"_blank\" rel=\"noopener\"> Next-Generation Firewall<\/a> with<a href=\"https:\/\/docs.paloaltonetworks.com\/advanced-threat-prevention\/administration\" target=\"_blank\" rel=\"noopener\"> Advanced Threat Prevention<\/a> is designed to defend networks against both common and targeted threats.<\/p>\n<h3>Cloud-Delivered Security Services for the Next-Generation Firewall<\/h3>\n<p><a href=\"https:\/\/docs.paloaltonetworks.com\/pan-os\/10-1\/pan-os-new-features\/url-filtering-features\/advanced-url-filtering\" target=\"_blank\" rel=\"noopener\">Advanced URL Filtering<\/a> and<a href=\"https:\/\/docs.paloaltonetworks.com\/dns-security\" target=\"_blank\" rel=\"noopener\"> Advanced DNS Security<\/a> identify known URLs and domains associated with this activity as malicious.<\/p>\n<h3>Cortex XDR and XSIAM<\/h3>\n<p><a href=\"https:\/\/www.paloaltonetworks.com\/cortex\/cortex-xdr?_gl=1*13pmp8e*_ga*NzQyNjM2NzkuMTY2NjY3OTczNw..*_ga_KS2MELEEFC*MTY2OTczNjA2MS4zMS4wLjE2Njk3MzYwNjEuNjAuMC4w\" target=\"_blank\" rel=\"noopener\">Cortex XDR<\/a> and<a href=\"https:\/\/www.paloaltonetworks.com\/resources\/datasheets\/cortex-xsiam-aag\" target=\"_blank\" rel=\"noopener\"> XSIAM<\/a> help prevent the threats described in this article using the<a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/r\/Cortex-XDR\/Cortex-XDR-4.x-Documentation\/Malware-protection\" target=\"_blank\" rel=\"noopener\"> Malware Prevention Engine<\/a>. 
This approach combines multiple layers of protection, including<a href=\"https:\/\/docs.paloaltonetworks.com\/wildfire\" target=\"_blank\" rel=\"noopener\"> Advanced WildFire<\/a>, Behavioral Threat Protection and the Local Analysis module, to prevent known and unknown malware from harming endpoints.<\/p>\n<h3>Cortex Cloud<\/h3>\n<p>Organizations using<a href=\"https:\/\/www.paloaltonetworks.com\/cortex\/cloud\" target=\"_blank\" rel=\"noopener\"> Cortex Cloud<\/a>, such as those in the cloud hosting sector that were actively targeted during this campaign, are better protected against the download and execution of the malware mentioned in this article through proper placement of the Cortex Cloud<a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/r\/Cortex-CLOUD\/Cortex-Cloud-Runtime-Security-Documentation\/Endpoint-protection\" target=\"_blank\" rel=\"noopener\"> XDR endpoint agent<\/a> and<a href=\"https:\/\/docs-cortex.paloaltonetworks.com\/r\/Cortex-XSIAM\/Cortex-XSIAM-Premium-Documentation\/Use-cases\" target=\"_blank\" rel=\"noopener\"> serverless agents<\/a> in a cloud environment.<\/p>\n<p>Designed to protect a cloud's posture and runtime operations against these threats, Cortex Cloud helps detect and prevent the malicious operations, configuration changes and exploits discussed in this article.<\/p>\n<h2>Indicators of Compromise<\/h2>\n","protected":false},"excerpt":{"rendered":"<p>Unit 42 reveals new infrastructure associated with the Notepad++ attack. This broadens the understanding of the threat actors' operations and malware delivery.<\/p>\n","protected":false},"author":23,"featured_media":172791,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[8773,8791],"tags":[9939,9940,9941,9942],"product_categories":[8892,8967,8978,8982,8893,9040,9049,9056,9059,9160,9086,8888],"coauthors":[1025],"class_list":["post-173115","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-top-cyberthreats-pt-br","category-malware-pt-br","tag-backdoor","tag-cobalt-strike","tag-dll-sideloading","tag-supply-chain","product_categories-advanced-dns-security-pt-br","product_categories-advanced-threat-prevention-pt-br","product_categories-advanced-url-filtering-pt-br","product_categories-advanced-wildfire-pt-br","product_categories-cloud-delivered-security-services-pt-br","product_categories-cortex-pt-br","product_categories-cortex-cloud-pt-br","product_categories-cortex-xdr-pt-br","product_categories-cortex-xsiam-pt-br","product_categories-managed-threat-hunting-pt-br","product_categories-next-generation-firewall-pt-br","product_categories-unit-42-incident-response-pt-br"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.0) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Atores de Estado-Na\u00e7\u00e3o Exploram a Cadeia de Suprimentos do Notepad++<\/title>\n<meta name=\"description\" content=\"A Unit 42 revela uma nova infraestrutura associada ao ataque 
ao Notepad++. Isso amplia a compreens\u00e3o das opera\u00e7\u00f5es dos atores de amea\u00e7as e da entrega de malware.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/unit42.paloaltonetworks.com\/pt-br\/notepad-infrastructure-compromise\/\" \/>\n<meta property=\"og:locale\" content=\"pt_BR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Atores de Estado-Na\u00e7\u00e3o Exploram a Cadeia de Suprimentos do Notepad++\" \/>\n<meta property=\"og:description\" content=\"A Unit 42 revela uma nova infraestrutura associada ao ataque ao Notepad++. Isso amplia a compreens\u00e3o das opera\u00e7\u00f5es dos atores de amea\u00e7as e da entrega de malware.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/unit42.paloaltonetworks.com\/pt-br\/notepad-infrastructure-compromise\/\" \/>\n<meta property=\"og:site_name\" content=\"Unit 42\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-11T15:44:41+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-17T16:22:18+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2026\/02\/11_Security-Technology_Category_1920x900.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1920\" \/>\n\t<meta property=\"og:image:height\" content=\"900\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Unit 42\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Atores de Estado-Na\u00e7\u00e3o Exploram a Cadeia de Suprimentos do Notepad++","description":"A Unit 42 revela uma nova infraestrutura associada ao ataque ao Notepad++. 
Isso amplia a compreens\u00e3o das opera\u00e7\u00f5es dos atores de amea\u00e7as e da entrega de malware.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/notepad-infrastructure-compromise\/","og_locale":"pt_BR","og_type":"article","og_title":"Atores de Estado-Na\u00e7\u00e3o Exploram a Cadeia de Suprimentos do Notepad++","og_description":"A Unit 42 revela uma nova infraestrutura associada ao ataque ao Notepad++. Isso amplia a compreens\u00e3o das opera\u00e7\u00f5es dos atores de amea\u00e7as e da entrega de malware.","og_url":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/notepad-infrastructure-compromise\/","og_site_name":"Unit 42","article_published_time":"2026-02-11T15:44:41+00:00","article_modified_time":"2026-02-17T16:22:18+00:00","og_image":[{"width":1920,"height":900,"url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2026\/02\/11_Security-Technology_Category_1920x900.jpg","type":"image\/jpeg"}],"author":"Unit 42","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/notepad-infrastructure-compromise\/#article","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/notepad-infrastructure-compromise\/"},"author":{"name":"Unit 42","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/a891f81d18648a1e0bab742238d31a63"},"headline":"Atores de Estado-Na\u00e7\u00e3o Exploram a Cadeia de Suprimentos do 
Notepad++","datePublished":"2026-02-11T15:44:41+00:00","dateModified":"2026-02-17T16:22:18+00:00","mainEntityOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/notepad-infrastructure-compromise\/"},"wordCount":2049,"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/notepad-infrastructure-compromise\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2026\/02\/11_Security-Technology_Category_1920x900.jpg","keywords":["backdoor","Cobalt Strike","DLL Sideloading","supply chain"],"articleSection":["Amea\u00e7as de alto perfil","Malware"],"inLanguage":"pt-BR"},{"@type":"WebPage","@id":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/notepad-infrastructure-compromise\/","url":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/notepad-infrastructure-compromise\/","name":"Atores de Estado-Na\u00e7\u00e3o Exploram a Cadeia de Suprimentos do Notepad++","isPartOf":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/notepad-infrastructure-compromise\/#primaryimage"},"image":{"@id":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/notepad-infrastructure-compromise\/#primaryimage"},"thumbnailUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2026\/02\/11_Security-Technology_Category_1920x900.jpg","datePublished":"2026-02-11T15:44:41+00:00","dateModified":"2026-02-17T16:22:18+00:00","author":{"@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/a891f81d18648a1e0bab742238d31a63"},"description":"A Unit 42 revela uma nova infraestrutura associada ao ataque ao Notepad++. 
Isso amplia a compreens\u00e3o das opera\u00e7\u00f5es dos atores de amea\u00e7as e da entrega de malware.","breadcrumb":{"@id":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/notepad-infrastructure-compromise\/#breadcrumb"},"inLanguage":"pt-BR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/unit42.paloaltonetworks.com\/pt-br\/notepad-infrastructure-compromise\/"]}]},{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/notepad-infrastructure-compromise\/#primaryimage","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2026\/02\/11_Security-Technology_Category_1920x900.jpg","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2026\/02\/11_Security-Technology_Category_1920x900.jpg","width":1920,"height":900,"caption":"Pictorial representation of Notepad++ supply chain compromise. A digital rendering of Earth from space, focusing on North and South America. The continents are illuminated in blue, with red lines and dots indicating data connections across various locations. 
Dark background highlights the vibrant network representation."},{"@type":"BreadcrumbList","@id":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/notepad-infrastructure-compromise\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/unit42.paloaltonetworks.com\/"},{"@type":"ListItem","position":2,"name":"Atores de Estado-Na\u00e7\u00e3o Exploram a Cadeia de Suprimentos do Notepad++"}]},{"@type":"WebSite","@id":"https:\/\/unit42.paloaltonetworks.com\/#website","url":"https:\/\/unit42.paloaltonetworks.com\/","name":"Unit 42","description":"Palo Alto Networks","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/unit42.paloaltonetworks.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"pt-BR"},{"@type":"Person","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/a891f81d18648a1e0bab742238d31a63","name":"Unit 42","image":{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/unit42.paloaltonetworks.com\/#\/schema\/person\/image\/4ffb3c2d260a0150fb91b3715442f8b3","url":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","contentUrl":"https:\/\/unit42.paloaltonetworks.com\/wp-content\/uploads\/2018\/11\/unit-news-meta.svg","caption":"Unit 
42"},"url":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/author\/unit42\/"}]}},"_links":{"self":[{"href":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/wp-json\/wp\/v2\/posts\/173115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/wp-json\/wp\/v2\/users\/23"}],"replies":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/wp-json\/wp\/v2\/comments?post=173115"}],"version-history":[{"count":1,"href":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/wp-json\/wp\/v2\/posts\/173115\/revisions"}],"predecessor-version":[{"id":173116,"href":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/wp-json\/wp\/v2\/posts\/173115\/revisions\/173116"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/wp-json\/wp\/v2\/media\/172791"}],"wp:attachment":[{"href":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/wp-json\/wp\/v2\/media?parent=173115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/wp-json\/wp\/v2\/categories?post=173115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/wp-json\/wp\/v2\/tags?post=173115"},{"taxonomy":"product_categories","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/wp-json\/wp\/v2\/product_categories?post=173115"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/unit42.paloaltonetworks.com\/pt-br\/wp-json\/wp\/v2\/coauthors?post=173115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}