EmEditor Website Breach Used to Spread Infostealer Malware

The popular text editor EmEditor fell victim to a supply chain attack between December 19 and 22, 2025, in which attackers compromised the official website and swapped the download links to serve malware-laced installation packages.

Emurasoft, Inc., the software’s developer, confirmed on December 23 that malicious MSI installers had been served through the tampered download links. The rogue installers carried a code-signing certificate issued to “WALSHAM INVESTMENTS LIMITED” rather than the legitimate Emurasoft, Inc. publisher certificate, so a signature that merely appears valid is not proof that the file is genuine.

Qianxin Threat Intelligence Center’s RedDrip Team identified the incident through its intelligence monitoring systems, capturing the complete malicious payload chain.

Given EmEditor’s substantial user base among Chinese developers, operations personnel, and technical professionals handling sensitive data, security researchers assess that the attack poses significant risks to government and enterprise institutions across the region.

Sophisticated Multi-Stage Attack Chain

The compromised MSI installer (emed64_25.4.3.msi) contained embedded malicious scripts that launched PowerShell commands to disable system logging and then loaded C# classes responsible for data collection and exfiltration.

The malware systematically collected system information including OS version and usernames, encrypting stolen data with RSA encryption before transmitting it to the command-and-control server at emeditorgb.com.

The infostealer targeted multiple high-value directories including Desktop, Documents, and Downloads, harvesting file lists and packaging them into encrypted archives named “sandbox.txt” and “system.txt.”

The malware demonstrated advanced credential theft capabilities, extracting VPN configurations, Windows login credentials, and browser data encompassing cookies, saved passwords, and user preferences from popular applications.

Among the targeted software were enterprise collaboration platforms including Zoho Mail, Evernote, Notion, Discord, Slack, Mattermost, Microsoft Teams, and Zoom, alongside secure file transfer tools like WinSCP and PuTTY.

The malware also captured screenshots and compressed all stolen data into a file named “array.bin” for exfiltration. Notably, the malware included geographic restrictions, terminating execution if it detected system languages associated with former Soviet countries or Iran.

The attack’s most concerning component involved installing a persistent browser extension masquerading as “Google Drive Caching.”

The extension is a fully featured infostealer in its own right. It communicated with cachingdrive.com and carried Domain Generation Algorithm (DGA) logic so that it could keep operating even if its primary infrastructure were taken down: each week it derives a new set of fallback domains from fixed seed values combined with the current year and week number, so the operator and the implant can independently compute the same rendezvous names without any further contact.
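The following is an added illustration of the week-keyed DGA pattern described above, written by the editor and not taken from the extension or from Qianxin’s analysis. The seeds, the hashing step, the label length and the .com TLD are all assumptions chosen to show the shape of such a scheme; the real extension’s seeds and derivation are not given on this page. The defensive use is the point: a responder who has recovered the actual seeds and derivation can run the same function to pre-compute this week’s and next week’s candidate domains and push them to DNS blocklists before the implant rolls over.

```powershell
# Added illustrative example of a year+week seeded DGA (NOT the extension's real algorithm).
# Requires PowerShell 7 / .NET Core 3.0+ for [System.Globalization.ISOWeek].
function Get-WeeklyFallbackDomains {
    param(
        # Assumed placeholder seeds; real values would come from malware analysis.
        [string[]]$Seeds = @('seed-a', 'seed-b'),
        [datetime]$Date = (Get-Date).ToUniversalTime(),
        # How many weeks beyond the current one to pre-compute for blocklisting.
        [int]$WeeksAhead = 1,
        [string]$Tld = 'com'   # assumed
    )
    $sha = [System.Security.Cryptography.SHA256]::Create()
    for ($w = 0; $w -le $WeeksAhead; $w++) {
        $d    = $Date.AddDays(7 * $w)
        $year = [System.Globalization.ISOWeek]::GetYear($d)
        $week = [System.Globalization.ISOWeek]::GetWeekOfYear($d)
        foreach ($seed in $Seeds) {
            # Deterministic input: seed + ISO year + ISO week. Both sides compute the same value.
            $input = [System.Text.Encoding]::UTF8.GetBytes("$seed|$year|$week")
            $hash  = $sha.ComputeHash($input)
            # Take the first 8 bytes as a 16-character hex label (length is an assumption).
            $label = ($hash[0..7] | ForEach-Object { $_.ToString('x2') }) -join ''
            [pscustomobject]@{
                Year   = $year
                Week   = $week
                Seed   = $seed
                Domain = "$label.$Tld"
            }
        }
    }
}

# Current week plus one week ahead, ready to feed into a DNS blocklist or sinkhole.
Get-WeeklyFallbackDomains | Format-Table -AutoSize
```

Because the derivation depends only on the seed and the calendar, the implant never needs to receive the fallback list from the operator; defenders who obtain the seeds gain the same advantage and can block the domains ahead of time, which is why recovering the seed material from the extension is worth the analysis effort.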

The extension harvested comprehensive system metadata including CPU, GPU, memory specifications, screen resolution, and time zone data.

It captured complete browser history, cookies, installed extensions, and bookmarks while implementing clipboard hijacking functionality supporting over 30 cryptocurrency wallet address formats.

Additional capabilities included keylogging categorized by specific web pages, Facebook advertising account theft, and remote control functions enabling operators to execute screenshots, read local files, establish proxy connections, and run arbitrary JavaScript code.

Detection and Mitigation

Qianxin’s Tianqing “Liuhe” engine detects and blocks the malicious MSI installers. The company recommends government and enterprise customers deploy this security engine to defend against the threat.

Emurasoft confirmed that users who updated through EmEditor’s built-in Update Checker, downloaded from download.emeditor.info directly, or used portable/store versions remain unaffected.

The legitimate installer bears Emurasoft, Inc.’s digital signature and has the SHA-256 hash e5f9c1e9b586b59712cefa834b67f829ccbed183c6855040e6d42f0c0c3fcb3e. The malicious version is 80,380,416 bytes in size and is signed by WALSHAM INVESTMENTS LIMITED. Because the rogue file carries a real code-signing certificate, Windows may report its signature as valid; the signer name and the file hash, not the mere presence of a signature, are what distinguish the two.
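As an added example (the editor’s own, not a tool from Emurasoft or Qianxin), the following PowerShell function checks a downloaded EmEditor MSI against the known-good SHA-256 and the two signer names reported above. The download path and the substring matching on the signer subject are assumptions; the hash and signer names come from the advisory text.

```powershell
# Added example: triage a downloaded EmEditor MSI using the indicators published in the advisory.
function Test-EmEditorInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Known-good SHA-256 of the legitimate installer, as published.
        [string]$KnownGoodSha256 = 'e5f9c1e9b586b59712cefa834b67f829ccbed183c6855040e6d42f0c0c3fcb3e',
        [string]$ExpectedSigner  = 'Emurasoft',                    # legitimate publisher
        [string]$KnownBadSigner  = 'WALSHAM INVESTMENTS LIMITED'   # signer on the rogue MSI
    )
    $hash   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # Order matters: a rogue file with a genuine certificate still reports Status = Valid,
    # so the known-bad signer is checked before the generic signature-status test.
    $verdict = if ($hash -eq $KnownGoodSha256.ToLowerInvariant()) {
        'KNOWN-GOOD (hash matches published legitimate installer)'
    } elseif ($signer -like "*$KnownBadSigner*") {
        'MALICIOUS (signer matches the reported rogue certificate)'
    } elseif ($sig.Status -ne 'Valid' -or $signer -notlike "*$ExpectedSigner*") {
        'SUSPICIOUS (signature invalid or signer is not Emurasoft)'
    } else {
        'UNVERIFIED (Emurasoft-signed but hash not in the known-good list; confirm the version)'
    }

    [pscustomobject]@{
        Path            = $Path
        SizeBytes       = (Get-Item -Path $Path).Length   # rogue build reported as 80,380,416 bytes
        SHA256          = $hash
        SignatureStatus = $sig.Status
        Signer          = $signer
        Verdict         = $verdict
    }
}

# Assumed download location; adjust to where the installer was saved.
Test-EmEditorInstaller -Path "$env:USERPROFILE\Downloads\emed64_25.4.3.msi"
```

The published hash covers one specific build, so a different legitimate version will land in the UNVERIFIED branch rather than KNOWN-GOOD; treat that result as a prompt to re-download from download.emeditor.info and compare, not as a clean bill of health. Matching the signer by substring is deliberately loose for triage and should be tightened to the full certificate subject or thumbprint once a trusted reference copy is in hand.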

Organizations that installed EmEditor from the website during the affected window should immediately isolate the affected systems, run a full malware scan, inspect browser extension lists for the “Google Drive Caching” extension and remove it, and rotate every credential that could have been exposed (Windows logins, VPN configurations, browser-saved passwords and the collaboration and file-transfer tools listed above), enabling multi-factor authentication on those accounts as part of the reset.
