Proprietary 2017-04-13 · 1 day · Backdoor, Remote Access

UltraEdit updater carried WilySupply

Operation WilySupply abused UltraEdit's updater to push ue.exe to selected finance and payments targets. The dropper launched PowerShell and Meterpreter, then removed itself after opening the first foothold.

Story

Microsoft disclosed Operation WilySupply on 2017-05-04. The original report did not name the vendor, but it described a compromised updater for a third-party editing tool used as a quiet delivery channel into finance, payments, IT, and similar organizations.

Later supply-chain summaries, including F-Secure's 2021 attack landscape report, identified the tool as UltraEdit. The distinction matters: the public incident began as an unnamed text editor compromise, and the UltraEdit attribution appears in later reporting rather than the initial Microsoft disclosure.

The payload was a small binary named ue.exe, delivered through the legitimate updater path. It launched PowerShell, decoded a Base64/Gzip blob, fetched payload material from attacker infrastructure disguised as logo.png, and started a Meterpreter reverse shell.

The attack was selective. Microsoft said roughly 25 high-profile organizations received the malicious payload, and responders worked with the vendor to contain it early. The code was simple; the trust boundary it crossed was not.
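As an added illustration, not part of the original record, the following Python flags process-creation events that match the chain described above: PowerShell spawned by the updater-delivered ue.exe with an encoded command that inflates a Base64/Gzip blob and references a .png URL. The events, the script text and the 203.0.113.7 host are constructed for the example; only the ue.exe name and the PowerShell/Base64/Gzip/logo.png pattern come from the page.

```python
import base64
import re

# Constructed process-creation events (not real telemetry) modelled on the
# WilySupply chain: updater-delivered ue.exe launching PowerShell with an
# encoded command that inflates a Base64/Gzip blob and references logo.png.
def _encoded(script: str) -> str:
    # PowerShell -EncodedCommand expects Base64 of the UTF-16LE script text
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")
SUSPECT_SCRIPT = ("$raw=[Convert]::FromBase64String($blob);"
                  "$gz=New-Object IO.Compression.GzipStream($ms,"
                  "[IO.Compression.CompressionMode]::Decompress);"
                  "$u='http://203.0.113.7/logo.png'")  # TEST-NET placeholder host
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\UltraEdit\ue.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _encoded(SUSPECT_SCRIPT)},
    {"parent": r"C:\Windows\explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"parent": r"C:\Program Files\UltraEdit\uedit64.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe readme.txt"},
]
UPDATER_PARENTS = ("ue.exe",)  # dropper name reported for WilySupply
ENC_FLAG = re.compile(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
DECODED_MARKERS = ("FromBase64String", "GzipStream", "Decompress", ".png")

def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE script behind -enc, or '' if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def score_event(event: dict) -> list[str]:
    """Reasons this event matches the WilySupply pattern; empty means no match."""
    reasons = []
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    if parent in UPDATER_PARENTS and event["image"].lower() == "powershell.exe":
        reasons.append("powershell spawned by updater dropper")
    script = decode_encoded_command(event["cmdline"])
    if script:
        reasons.append("encoded command")
        hits = [mk for mk in DECODED_MARKERS if mk.lower() in script.lower()]
        if len(hits) >= 2:  # blob inflation plus disguised fetch, not just -enc
            reasons.append("inflates Base64/Gzip blob: " + ", ".join(hits))
    return reasons

def find_suspicious(events: list[dict]) -> list[tuple[int, list[str]]]:
    return [(i, r) for i, e in enumerate(events) if (r := score_event(e))]
```

Only the first constructed event is reported; the plain `-File` invocation from explorer.exe and the non-PowerShell child of the editor are left alone.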

Affected Artifacts

ue.exe

Windows desktop software · ultraedit.com · Binary Archive
Observed
2017-04-13 to 2017-04-14
Compromised Versions
Unknown
Fixed
Not listed
Hashes
  • sha1:75edd4ee11e7d3dabd191c316da637f939140e2f
  • md5:a34c930506b64f98cdf3ec2a474f5b31
Evidence
  • url: hXXp://5.39.218.205/logo.png
  • url: hXXp://176.53.118.131/logo.png
  • process: PowerShell
  • family: Meterpreter
  • Microsoft reported 25 affected organizations; the schema stores that count in impact.users because it has no separate organization-count field.

Incident Context

Motive
Espionage
Cause
Update Infrastructure Compromise
Transitive
No
User Impact
25

External References

Source record: proprietary/ultraedit/meta.yaml