by svas 4456 days ago
Curious how the author knew to seed the backdoored Notepad++ before Bill clicked the link?

I suppose you could just serve up a fake backdoor program for every *.exe / *.msi download, and remove the honeypot on the second download? The first download would execute and maybe do nothing (or error), prompting a second download which led to the real thing.

3 comments

In the article, he mentions using Evilgrade to do the backdooring. If you click through the link, you can find the README, which lists a bunch of applications that Evilgrade can seed backdoored versions of: http://www.infobyte.com.ar/down/isr-evilgrade-Readme.txt

He likely just enabled them all, or at least enabled several which are likely candidates for his target to download.

Notepad++ checks a known URL for updates. He'll have spoofed the URL to tell Notepad++ that there was an update: his.
It probably just backdoors any executable it sees on the fly.
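The comments above describe the weakness Evilgrade relies on: an update client that fetches a descriptor from a known URL over plain HTTP and acts on whatever comes back. The following Go program is an added example written for this page, not code from the linked article, from Evilgrade, or from Notepad++. It models both sides: a client that trusts the manifest unconditionally (so a spoofed response redirects the download), and a hardened client that only accepts a manifest signed by a publisher key pinned in the binary and then checks the downloaded bytes against the hash inside that signed manifest. The GUP-style XML element names, the URLs, the payload bytes and the fixed key seeds are all assumptions constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
)

// Manifest is the update descriptor the client fetches. The element names are an
// assumption about a GUP-style layout; SHA256 is added so the signed manifest pins the payload.
type Manifest struct {
	XMLName         xml.Name `xml:"GUP"`
	NeedToBeUpdated string   `xml:"NeedToBeUpdated"`
	Version         string   `xml:"Version"`
	Location        string   `xml:"Location"`
	SHA256          string   `xml:"SHA256"`
}

// SignedManifest carries the exact manifest bytes plus a detached Ed25519 signature over them.
type SignedManifest struct {
	Manifest  []byte
	Signature []byte
}

// vulnerableDecide models the client Evilgrade targets: it believes whatever the update URL
// returns, so a spoofed response sends the download wherever the attacker says.
func vulnerableDecide(raw []byte) (string, error) {
	var m Manifest
	if err := xml.Unmarshal(raw, &m); err != nil {
		return "", err
	}
	if m.NeedToBeUpdated != "yes" {
		return "", nil
	}
	return m.Location, nil
}

// hardenedDecide accepts a manifest only if it verifies under the pinned publisher key, then
// checks the downloaded payload against the hash carried in that signed manifest. A spoofed
// manifest fails the first check; a replayed genuine manifest with a swapped binary fails the second.
func hardenedDecide(pinned ed25519.PublicKey, sm SignedManifest, payload []byte) (string, error) {
	if !ed25519.Verify(pinned, sm.Manifest, sm.Signature) {
		return "", errors.New("manifest signature does not verify under the pinned key; refusing update")
	}
	var m Manifest
	if err := xml.Unmarshal(sm.Manifest, &m); err != nil {
		return "", err
	}
	if m.NeedToBeUpdated != "yes" {
		return "", nil
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return "", errors.New("payload hash does not match the signed manifest; refusing update")
	}
	return m.Location, nil
}

// keyFromSeed derives a deterministic Ed25519 key pair from a constructed seed (demo only;
// a real publisher key comes from crypto/rand and is kept offline).
func keyFromSeed(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// buildManifest renders the XML for a release and signs those exact bytes.
func buildManifest(priv ed25519.PrivateKey, version, location string, payload []byte) SignedManifest {
	sum := sha256.Sum256(payload)
	raw := []byte(fmt.Sprintf(
		"<GUP><NeedToBeUpdated>yes</NeedToBeUpdated><Version>%s</Version><Location>%s</Location><SHA256>%s</SHA256></GUP>",
		version, location, hex.EncodeToString(sum[:])))
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}
}

// Constructed sample data: a genuine release and the attacker's substitute. URLs and bytes are invented.
var (
	genuinePayload    = []byte("MZ genuine installer bytes (constructed)")
	backdooredPayload = []byte("MZ backdoored installer bytes (constructed)")
	genuineLocation   = "https://updates.example.invalid/npp.installer.exe"
	evilLocation      = "http://attacker.example.invalid/npp.installer.exe"
)

func main() {
	publisherPub, publisherPriv := keyFromSeed(0x01)
	_, attackerPriv := keyFromSeed(0x02) // the attacker never has publisherPriv

	genuine := buildManifest(publisherPriv, "1.0.1", genuineLocation, genuinePayload)
	spoofed := buildManifest(attackerPriv, "9.9.9", evilLocation, backdooredPayload)

	loc, _ := vulnerableDecide(spoofed.Manifest)
	fmt.Println("vulnerable client downloads from:", loc)
	_, err := hardenedDecide(publisherPub, spoofed, backdooredPayload)
	fmt.Println("hardened client, spoofed manifest:", err)
	_, err = hardenedDecide(publisherPub, genuine, backdooredPayload)
	fmt.Println("hardened client, genuine manifest but swapped binary:", err)
	loc, err = hardenedDecide(publisherPub, genuine, genuinePayload)
	fmt.Println("hardened client, genuine update:", loc, err)
}
```

The point of the split is that neither check alone is enough: signing the manifest without a payload hash lets an attacker replay a genuine manifest while serving a different binary from the same path, and hashing the payload against a value in an unsigned manifest lets the attacker supply both. Serving the manifest over TLS with certificate validation helps against the on-path case described in the thread, but the pinned signature also covers a compromised mirror.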