MalwareTips
Security Review

Is notepadplusplus.site legit or a scam?

Our verdict:Dangerous· 6/100

Malware-distribution clone of Notepad++ that delivered info-stealer malware via fake download ads in 2023.

Top reasons
Six antivirus engines classify it as malicious, including tier-1 detectors CyRadar and Forcepoint ThreatSeeker.Confirmed malware-distribution clone: registered January 2023 and used in Google malvertising to deliver Vidar info-stealer malware (Darktrace report).Typosquat domain mimicking official Notepad++ (notepad-plus-plus.org) to deceive users searching for the legitimate editor.
notepadplusplus.siteScanned 1h ago
Post Facebook
0
Trust score
DANGEROUS
Heuristics 0·MT 8
Category tags
malwareclone-sitetyposquat#Malware#Clone Site#Fake Giveaway98% MT confidence

These checks passed — but they don't clear the site. A clean antivirus result, valid SSL, and a calm server only mean it isn't hosting malware; they say nothing about whether the business is real. This verdict is based on the site's conduct and content, not a malware detection.

View density

Analysis Summary

Threat Intelligence
9/92
Engines flagged this URL
Domain Age
Registration date unknown
MT Intelligence
Dangerous
Critical likelihood · 98% confidence
DANGEROUS

Brand impersonation — not the real site

8 of 92 antivirus engines flag this page as malicious. This page is styled as a brand but is not the brand's real site. Go to the official site directly, and treat any download, login, or payment request here as unsafe.

Website Preview

Screenshot of notepadplusplus.site
LIVE RENDER
notepadplusplus.site

Automated page render — captured in a safe sandbox. What an ordinary visitor would see when loading the site.

MT Intelligence

Advanced threat intelligence
MT Security Analyst
Critical scam likelihoodengineMT · Guardiantrust8/100
MT AgentLive web researchVisual inspectionNetwork correlation
0%
Confidence
Our antivirus network flags this domain as malicious across six independent engines, including CyRadar and Forcepoint ThreatSeeker. The evidence package confirms this is a typosquat clone of the official notepad-plus-plus.org, registered January 4, 2023, and documented by Darktrace as part of a malvertising campaign distributing Vidar info-stealer malware. The domain appears in multiple malware IOC databases (ThreatFox, gmalvertising blocklists) and the Notepad++ community forum explicitly warns users against it. The page currently returns no content, consistent with takedown or blocking. No legitimate business registration, contact information, or positive reviews exist — only malware distribution history.
Full dossier
Analysis complete

Page Content

The page returns blank with no visible text, contact details, or legitimate business information. Historical evidence indicates it posed as a Notepad++ download portal or beginner guide before being taken down or blocked.

Infrastructure

Hosted on IP 104.21.34.13 (clean abuse score, 0 reports). SSL certificate is valid (Let's Encrypt, 35 days to expiry). The domain uses Cloudflare analytics. No redirects or homoglyph tricks detected.

Domain History

Registered January 4, 2023. The domain name is a direct typosquat of the official Notepad++ project (notepad-plus-plus.org). WHOIS data is unavailable, consistent with privacy masking typical of malicious registrations.

Web Reputation

Six antivirus engines flag it as malicious (ADMINUSLabs, alphaMountain.ai, CRDF, CyRadar, Forcepoint ThreatSeeker, Lionic). Darktrace documented it distributing Vidar info-stealer malware via Google ads. Listed in ThreatFox and gmalvertising malware databases. Zero positive reviews or legitimate business affiliation found.

Risk Factors
7
  • Six antivirus engines classify it as malicious, including tier-1 detectors CyRadar and Forcepoint ThreatSeeker.
  • Confirmed malware-distribution clone: registered January 2023 and used in Google malvertising to deliver Vidar info-stealer malware (Darktrace report).
  • Typosquat domain mimicking official Notepad++ (notepad-plus-plus.org) to deceive users searching for the legitimate editor.
  • Listed in multiple malware IOC databases (ThreatFox, gmalvertising blocklists) as a known malicious host.
  • No contact information, business registration, or legitimate content; page returns blank.
  • Notepad++ community forum and developers explicitly warn against this domain due to malware risk.
  • Domain registered with privacy masking (WHOIS unavailable), typical of malicious operators.
Positive Signals
3
  • SSL certificate is valid and current (Let's Encrypt).
  • Hosting IP has clean abuse reputation (0/100 abuse score, no reports).
  • No active redirects or homoglyph tricks detected.
AI Recommendation
Do not visit this site or download anything from it. If you need Notepad++, download only from the official sources: notepad-plus-plus.org or github.com/notepad-plus-plus/notepad-plus-plus. If you have already downloaded files from this domain, scan your system with antivirus software immediately.
Next-gen fraud intelligence
Evidence-backedCross-checked

Web Research Findings

Our live research agent queries scam-report databases, consumer-review sites, news coverage, and general web search for notepadplusplus.site, then cross-checks business-registration records and look-alike domain patterns. Everything below is pulled from what it actually found.

Business registration
No public record found
Could not match the site to a registered company — common for small sites.
Clone check
Clones notepad-plus-plus.org
The page impersonates a well-known brand's site.
Typosquat check
Typosquat of notepad-plus-plus.org
Deliberate misspelling of a real brand's domain.
Web mentions
4 scam reports
Key findings
7 headline facts from open-web research
  • Official Notepad++ website and downloads are at notepad-plus-plus.org and github.com/notepad-plus-plus/notepad-plus-plus
  • notepadplusplus.site was registered January 4, 2023 and used in Google malvertising campaigns to deliver Vidar info-stealer malware
  • Site appeared in search ads for "Notepad++" and led to malicious downloads that installed infostealer (Darktrace report, 2023)
  • Listed in multiple malware IOC databases including ThreatFox and gmalvertising blocklists
  • Notepad++ developers and community repeatedly warn against third-party/fake download sites due to malware and ad risks
  • Page browse returned no content (possibly taken down or blocked); historical evidence shows it posed as a Notepad++ beginner guide/download portal
  • No legitimate business registration, reviews, or positive mentions found; domain has no affiliation with Don Ho or the official project
Scam reports (4)
Direct quotes from public scam databases, forums, and news.
  • Darktraceopen

    "Clicking on the advertisement would direct potential victims to the website notepadplusplus.site, which had been registered on the 4th of January and is hosted on IP address 37.140.192.11. ... the malware in question is the info-stealer kno"

  • ThreatFoxopen

    "This IOC is an old IOC ... for domain notepadplusplus.site"

  • GitHub (gmalvertising)open

    "notepadplusplus.site notepad-plus-plus.space notepad-pp.shop ..."

  • Notepad++ Community Forumopen

    "Only install Notepad++ from official sources. Even if you were lucky enough to not get a virus or malware, the Notepad++ developers do not support copies of Notepad++ downloaded from anyplace that’s not on the official ... notepad-plus-plus"

Impersonation / typosquat
Typosquat of notepad-plus-plus.org

Domain name closely mimics the official Notepad++ project; used in malvertising to distribute fake downloads

Research summary
Narrative write-up from our AI analyst, grounded on the facts above

Darktrace security research confirms this domain was registered January 4, 2023, and used in Google ad campaigns to distribute Vidar info-stealer malware to users searching for Notepad++. The domain is listed in ThreatFox and gmalvertising malware IOC databases. The official Notepad++ community forum and developers warn against downloading from third-party or fake sites, explicitly citing malware and ad risks. No legitimate business registration, positive reviews, or affiliation with the official Notepad++ project (notepad-plus-plus.org) exists.

Scam Network Intelligence

Cross-site correlation

This site shares signals with a broader cluster

Critical cluster

Many scams don't operate alone. We correlate third-party scripts, hosting infrastructure, brand-impersonation signals, and the AI evidence package to detect when a site is part of a broader scam network.

Suspicion score
0/100
ClearLowModerateHighCritical
Evidence (2)
  • Evidence confirms this site is a clone of notepad-plus-plus.org.
  • Domain is a typosquat of notepad-plus-plus.org.
Linked signals (2)
Clone of notepad-plus-plus.orgTyposquat of notepad-plus-plus.org

Antivirus Engines

Detection matrix · live
9 engines flagged this URL

We cross-check every URL against our antivirus network of 92 malware and blacklist engines. Each detection is listed below by engine name — even a single hit is a meaningful signal.

8Malicious1Suspicious52Harmless92Engines
0
of 92
ADMINUSLabs
Malicious· malicious
alphaMountain.ai
Malicious· malicious
CRDF
Malicious· malicious
CyRadar
Malicious· malicious
Forcepoint ThreatSeeker
Malicious· malicious
Lionic
Malicious· malicious
Rising
Malicious· malicious
Webroot
Malicious· malicious
Gridinsoft
Suspicious· suspicious

9 antivirus engines flagged this URL. Even a single detection is a meaningful signal — treat this site with extra caution and avoid entering credentials, payment info, or downloading any files.

Security Scans

Blacklist Check
Not flagged on major threat lists

Checked against the major public blocklists used by browsers and security tools — no hits.

Contact Verification

We fetched the page and looked for real-world contact details. Legitimate businesses almost always publish an email on their own domain, a phone number, and a postal address. Scam shops usually don't.

What We Found
No clear contact details on the page
Emails on site's domainNone
Phone numbersNone
Postal addressNot listed
Linked social profiles0
Signal Summary
Several contact red flags
  • No contact email found anywhere on the page.
  • No phone number listed on the page.
  • No postal address visible on the page.

Domain & Encryption

Encryption Certificate
StatusValid
ProtocolTLSv1.3
IssuerLet's Encrypt · E8
ExpiresJul 24, 2026 (35d)
Self-signedNo
Hosting & Technology
HostingCloudflare, Inc.
Server locationUS
Web servercloudflare

Server Reputation

Abuse Intelligence
Confidence score0%
Reports on file0
ISPCloudflare, Inc.
Usage typeContent Delivery Network

Scam-Type Likelihood

1 scam-type patterns detected
Scam-Type Likelihood

1 of 13 categories showed signals

We check every URL against 13 distinct scam categories so the verdict tells you not just how risky the page is, but what kind of risk it carries. Each meter pulls from page signals, web reports, our AI analyst, vision, and the scam-network cluster — not from raw AV labels.

Top match: Brand Impersonation
Brand Impersonation
Moderate likelihood
50/100
  • Domain is a typosquat of notepad-plus-plus.org.
  • AI analyst tagged this as a brand / clone-site impersonation.
  • Clustered with known brand-impersonation infrastructure.

Brand impersonation detected

This page is styled as a known brand but is not the brand's real site.

  • Do not interact with notepadplusplus.site

    Do not enter credentials, deposit money, download files, or install browser extensions from this site.

  • Go to the brand's real site directly

    Type the brand name into a search engine or open it from your bookmarks — don't use links from emails, SMS, ads, or social posts, which are the delivery vectors for impersonation.

  • Never download or sign in here

    Even if the page "just" offers a download or a giveaway, impersonation pages frequently deliver malware or set up follow-up phishing. Assume anything accepted from this site is hostile.

  • Report the impersonation to the brand

    Most major brands have a dedicated abuse or anti-phishing reporting channel — reporting helps them take the site down and protects other users.

    Open

Reputation Sources

How this domain rates across independent threat-intelligence and blocklist providers.

Google Safe Browsing
Not listedCheck ↗
VirusTotal
ListedCheck ↗
AbuseIPDB
Not listedCheck ↗
Also verify:Spamhaus ↗DNSBL / SURBL ↗PhishTank ↗

Referenced Domains

Outbound domains this page links to or loads resources from. Each links to its own security scan.

static.cloudflareinsights.com

Safety FAQ

Common questions about this site, answered directly from the scan data above — so the answers always reflect the latest verdict on this page.

  • Our automated security review flags notepadplusplus.site as dangerous. Multiple threat indicators were detected — treat the site as a scam until proven otherwise.
  • No — notepadplusplus.site scored 6/100 on our trust scale. We detected active threat indicators, so we recommend avoiding the site entirely.
  • Yes. notepadplusplus.site presents a valid TLSv1.3 certificate issued by Let's Encrypt · E8, expiring in 35 days. Note that SSL only encrypts the connection — it does not guarantee that the site itself is trustworthy.
  • 9 out of 92 antivirus engines in our malware network flagged notepadplusplus.site as malicious or suspicious (8 outright malicious). Even one detection is a meaningful signal.
  • No. notepadplusplus.site is not currently listed on the major browser blocklist feeds that modern browsers use.
  • notepadplusplus.site resolves to an IP operated by Cloudflare, Inc. in US (usage type: Content Delivery Network). Hosting location alone doesn't make a site good or bad, but unusual geography for a brand's claimed country is one of many signals we weigh.
  • This is a permanent record of the scan run on June 18, 2026. The verdict and evidence above reflect that scan and do not change on their own. If circumstances around notepadplusplus.site have changed, MalwareTips staff can run a fresh scan, which re-runs every check from scratch and publishes an updated report.

Final Verdict

0
Trust / 100
Final Verdict·notepadplusplus.site
DANGEROUS

This is a confirmed malware-distribution clone of the legitimate Notepad++ editor. It was registered in January 2023 and used in Google ad campaigns to trick users into downloading Vidar info-stealer malware. Do not visit or download anything from this site.

Do not visit this site or download anything from it. If you need Notepad++, download only from the official sources: notepad-plus-plus.org or github.com/notepad-plus-plus/notepad-plus-plus. If you have already downloaded files from this domain, scan your system with antivirus software immediately.

AV engines
92
MT passes
2
Net signals
2
Scan another URL
Security review completemalwaretips.com/url-scan
Recently scanned

Other Dangerous reports

Browse all reports
Dangeroustrust39
coldsmoke-hub.com
8m ago
Read the review
Dangeroustrust19
cebsworldwide.work
13m ago
Read the review
Dangeroustrust27
recom-lab.com
21m ago
Read the review
Dangeroustrust1
samplel-ks6yxvur5-instagramm.vercel.app
28m ago
Read the review
Dangeroustrust1
labsbyakash.github.io
29m ago
Read the review
Dangeroustrust32
aa.frekooora.online
30m ago
Read the review
Dangeroustrust1
tanishq98714.github.io
30m ago
Read the review
Dangeroustrust1
sakshitulsyan.github.io
31m ago
Read the review
Dangeroustrust1
payo40937-coder.github.io
32m ago
Read the review
Dangeroustrust1
kauf-43293.de
32m ago
Read the review
Dangeroustrust1
pv-pensionsversicherung.net
33m ago
Read the review
Dangeroustrust1
pv-pensionsversicherung.com
34m ago
Read the review
Community review

User reviews & comments(0)

Share your experience — "Lost $200 on a fake checkout" is more useful than "Scam". Your review helps others avoid traps.

Loading…
Loading comments…
This report is generated automatically by combining threat intelligence, domain signals, and an AI security analyst. It is informational, not legal advice. Always use your own judgement before sharing personal information or money online.