The attack exploited GUP.exe (the auto-updater) to deliver Cobalt Strike/Chrysalis backdoors. While highly targeted (~12 machines globally, mostly gov/finance in APAC), many admins want to verify their systems are clean.
NoteBad++ runs 22 checks: SHA-1/SHA-256 hash verification against known IOCs, registry persistence, malicious services, scheduled tasks, DNS cache, network connections to C2 IPs, event logs, and more.
Requires Admin privileges.
Returns exit code = number of findings (useful for automation).
GitHub: https://github.com/maremmano/notebadpp
If you're running Notepad++ < v8.8.9, I'd recommend updating regardless.
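The hash check and the "exit code = number of findings" convention described above can be sketched as follows. This is an added example, not code from NoteBad++; the function names, the sample files and the single IOC entry are all constructed for illustration, and no real indicator hashes are included.

```python
import hashlib
import os
import sys
import tempfile


def file_digests(path, chunk_size=1 << 16):
    """Stream a file once and return its (sha1, sha256) hex digests."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return sha1.hexdigest(), sha256.hexdigest()


def scan(paths, ioc_hashes):
    """Return (path, kind, detail) findings for files matching an IOC hash."""
    iocs = {h.strip().lower() for h in ioc_hashes}  # IOC feeds vary in case
    findings = []
    for path in paths:
        if not os.path.isfile(path):
            continue  # component not installed: nothing to check
        try:
            digests = file_digests(path)
        except OSError as exc:
            # A file that cannot be hashed cannot be cleared, so report it.
            findings.append((path, "unreadable", str(exc)))
            continue
        for algo, digest in zip(("sha1", "sha256"), digests):
            if digest in iocs:
                findings.append((path, algo, digest))
    return findings


def constructed_demo():
    """Scan constructed sample files; only 'flagged.bin' is on the IOC list."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"clean.bin": b"constructed clean sample",
                   "flagged.bin": b"constructed flagged sample"}
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        # Constructed IOC entry (upper-case on purpose), not a real indicator.
        iocs = [hashlib.sha256(samples["flagged.bin"]).hexdigest().upper()]
        targets = [os.path.join(tmp, n) for n in (*samples, "missing.bin")]
        return len(scan(targets, iocs))


if __name__ == "__main__":
    sys.exit(constructed_demo())  # exit code = number of findings (1 here)
```

A scheduler or RMM job can treat any non-zero exit code from such a check as "needs review" and use the value itself as the finding count.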