EmEditor download button served malware
EmEditor's official Download Now path was altered in December 2025. The redirect served an MSI that installed EmEditor but also launched PowerShell stages for credential theft and host profiling.
Story
EmEditor was compromised at a narrow but trusted point: the homepage Download Now button. Emurasoft said the affected window ran from December 19, 2025 18:39 to December 22, 2025 12:50 Pacific time, and that the redirect behind the button could serve a file not produced by Emurasoft.
The confirmed artifact was emed64_25.4.3.msi. The legitimate installer was signed by Emurasoft and had a published SHA-256 hash. The suspicious installer used the same filename and installed the real editor, but was signed by WALSHAM INVESTMENTS LIMITED and carried a modified MSI CustomAction.
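The three properties that separated the two installers (SHA-256, Authenticode signer, CustomAction table) can all be checked before running the MSI. The script below is an added example and is not Emurasoft's code or tooling: it compares the file hash against the published 25.4.3 hash and the malicious sample hashes listed in this record, checks the signer subject, and reads the MSI CustomAction table through the WindowsInstaller COM API to flag any action that launches PowerShell or another script host. The Emurasoft signer is matched loosely on the subject string because the exact certificate subject is not given in the record, and the matched script-host names beyond PowerShell are a generic assumption rather than something the reports attribute to this campaign.

```powershell
# Added example (not vendor code): pre-install checks for an EmEditor MSI.
# Usage: .\Test-EmEditorMsi.ps1 -Path .\emed64_25.4.3.msi   (script name is hypothetical)
param(
    [Parameter(Mandatory)] [string] $Path
)

# Hashes taken from this incident record (published legitimate hash; known malicious samples).
$LegitSha256 = 'e5f9c1e9b586b59712cefa834b67f829ccbed183c6855040e6d42f0c0c3fcb3e'
$KnownBadSha256 = @(
    '3d1763b037e66bbde222125a21b23fc24abd76ebab40589748ac69e2f37c27fc',
    '4bea333d3d2f2a32018cd6afe742c3b25bfcc6bfe8963179dad3940305b13c98',
    'ad84f28e9bb0fcaf30846b2563a353b649ab6dc85b36d4bf58ee61a2a95b740a',
    'da59acc764bbd6b576bef6b1b9038f592ad4df0eed894b0fbd3931f733622a1a'
)

function Get-MsiCustomActions {
    param([string] $MsiPath)
    # WindowsInstaller.Installer is a late-bound COM object; call its members via InvokeMember.
    $installer = New-Object -ComObject WindowsInstaller.Installer
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer,
        @($MsiPath, 0))   # 0 = msiOpenDatabaseModeReadOnly
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
        @('SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`'))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $rows = @()
    while ($true) {
        $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($null -eq $rec) { break }
        $rows += [pscustomobject]@{
            Action = $rec.GetType().InvokeMember('StringData',  'GetProperty', $null, $rec, @(1))
            Type   = $rec.GetType().InvokeMember('IntegerData', 'GetProperty', $null, $rec, @(2))
            Source = $rec.GetType().InvokeMember('StringData',  'GetProperty', $null, $rec, @(3))
            Target = $rec.GetType().InvokeMember('StringData',  'GetProperty', $null, $rec, @(4))
        }
    }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
    return $rows
}

$fullPath = (Resolve-Path -Path $Path).Path
$findings = @()

# 1. Hash: must equal the published 25.4.3 hash and must not be a known malicious sample.
$hash = (Get-FileHash -Path $fullPath -Algorithm SHA256).Hash.ToLowerInvariant()
if ($hash -in $KnownBadSha256) { $findings += "SHA-256 $hash matches a known malicious EmEditor MSI sample" }
elseif ($hash -ne $LegitSha256) { $findings += "SHA-256 $hash does not match the published 25.4.3 hash" }

# 2. Authenticode: signature must validate and the subject must be Emurasoft's
#    (loose match; the exact certificate subject is an assumption, not in the record).
$sig = Get-AuthenticodeSignature -FilePath $fullPath
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
if ($sig.Status -ne 'Valid') { $findings += "Authenticode status is '$($sig.Status)'" }
if ($signer -notlike '*Emurasoft*') { $findings += "signer is '$signer', not Emurasoft" }

# 3. CustomAction table: the compromised build added an action that spawned PowerShell.
try {
    foreach ($ca in (Get-MsiCustomActions -MsiPath $fullPath)) {
        $cmd = "$($ca.Source) $($ca.Target)"
        if ($cmd -match '(?i)powershell|pwsh|cmd\.exe|wscript|cscript|mshta') {
            $findings += "CustomAction '$($ca.Action)' (type $($ca.Type)) runs: $cmd"
        }
    }
} catch {
    $findings += "could not read CustomAction table: $($_.Exception.Message)"
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "OK: $fullPath matches the published hash, is signed by Emurasoft, and has no script-launching CustomAction"
exit 0
```

The hash comparison is only meaningful for the 25.4.3 build whose hash Emurasoft published; for any other version, drop the `$LegitSha256` check and rely on the signer and CustomAction checks, which catch the pattern this incident used regardless of version.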
The malicious action spawned PowerShell. Trend Micro and ReversingLabs described staged scripts that contacted lookalike EmEditor domains, disabled or interfered with PowerShell telemetry, collected credentials and screenshots, fingerprinted the host, checked locale and security tooling, and reported to cachingdrive.com.
Later related samples and domains suggest the operators continued building around the same theme after the vendor advisory. This record limits the official-distribution claim to the vendor-confirmed 25.4.3 Download Now window and records later infrastructure as campaign indicators, not as confirmed Emurasoft-distributed artifacts.
Affected Artifacts
- Observed: 2025-12-19 to 2025-12-22
- Compromised Versions:
- Fixed: Not listed
- Hashes:
  - sha256:3d1763b037e66bbde222125a21b23fc24abd76ebab40589748ac69e2f37c27fc
  - sha256:4bea333d3d2f2a32018cd6afe742c3b25bfcc6bfe8963179dad3940305b13c98
- Emurasoft confirmed the affected file name and signer mismatch but did not publish a malicious SHA-256. ReversingLabs listed two malicious 25.4.3 MSI samples tied to the EmEditor campaign and the emeditorjp.com C2 domain.
- The legitimate Emurasoft-signed 25.4.3 MSI has SHA-256 e5f9c1e9b586b59712cefa834b67f829ccbed183c6855040e6d42f0c0c3fcb3e.
Incident Context
- Motive: Credential Theft
- Cause: Website Compromise
- Transitive: No
Indicators
- file: emed64_25.4.3.msi
- file: emed64_25.4.4.msi
- signer: WALSHAM INVESTMENTS LIMITED (malicious installer)
- signer: Emurasoft, Inc. (legitimate installer)
- domain: emeditorjp.com
- domain: emeditorgb.com
- domain: emeditorde.com
- domain: cachingdrive.com
- domain: emeditorjapan.com
- domain: emedorg.com
- domain: emeditorltd.com
- domain: emedjp.com
- domain: nc7d8p7u8j3n4hgm.com
- url: https://emeditorgb.com/run/mg8heP0r
- url: https://emeditorde.com/gate/start/2daef8cd
- url: https://cachingdrive.com/gate/init/2daef8cd
- campaign_tag: 2daef8cd
- file_sha256: ad84f28e9bb0fcaf30846b2563a353b649ab6dc85b36d4bf58ee61a2a95b740a (related malicious emed64_25.4.3.msi)
- file_sha256: da59acc764bbd6b576bef6b1b9038f592ad4df0eed894b0fbd3931f733622a1a (related malicious emed64_25.4.4.msi)
- file_sha256: e5f9c1e9b586b59712cefa834b67f829ccbed183c6855040e6d42f0c0c3fcb3e (legitimate emed64_25.4.3.msi)
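For hosts that may already have run the installer, the chain described in the Story (msiexec.exe launching PowerShell from the CustomAction, then contacts to the lookalike domains) can be hunted in Sysmon process-creation (Event ID 1) and DNS-query (Event ID 22) events. The script below is an added example, not code from the vendor or the cited reports. The domain list is taken from the Indicators above; the sample events are constructed for illustration (the real command line of the malicious PowerShell stage is not reproduced in this record), and the live-log section is an assumption that Sysmon is installed with its default channel name.

```powershell
# Added example (not from the vendor or the cited reports): hunt for the EmEditor
# installer chain in Sysmon events. Runs the checks over constructed sample events,
# then over the live Sysmon log if that channel exists.

# Lookalike and C2 domains from this record's Indicators list.
$IocDomains = @(
    'emeditorjp.com', 'emeditorgb.com', 'emeditorde.com', 'cachingdrive.com',
    'emeditorjapan.com', 'emedorg.com', 'emeditorltd.com', 'emedjp.com',
    'nc7d8p7u8j3n4hgm.com'
)

function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    # Read EventData fields by name; positional Properties indices shift between Sysmon versions.
    [xml] $x = $Event.ToXml()
    $data = @{ EventId = $Event.Id }
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Test-MsiToPowerShell {
    param([hashtable] $E)
    # Event ID 1: the malicious CustomAction ran PowerShell as a child of msiexec.exe.
    $E.EventId -eq 1 -and
    $E.ParentImage -match '(?i)\\msiexec\.exe$' -and
    $E.Image -match '(?i)\\(powershell|pwsh)\.exe$'
}

function Test-IocDns {
    param([hashtable] $E)
    # Event ID 22: match the indicator domain itself or any subdomain of it.
    if ($E.EventId -ne 22 -or -not $E.QueryName) { return $false }
    $q = $E.QueryName.ToLowerInvariant()
    foreach ($d in $IocDomains) {
        if ($q -eq $d -or $q.EndsWith('.' + $d)) { return $true }
    }
    return $false
}

function Invoke-EmEditorHunt {
    param([hashtable[]] $Events)
    foreach ($e in $Events) {
        if (Test-MsiToPowerShell $e) {
            [pscustomobject]@{ Hit = 'msiexec->powershell'; Detail = $e.CommandLine }
        } elseif (Test-IocDns $e) {
            [pscustomobject]@{ Hit = 'ioc-dns'; Detail = "$($e.Image) -> $($e.QueryName)" }
        }
    }
}

# Constructed sample events (not real telemetry): two hits and two benign records.
$SampleEvents = @(
    @{ EventId = 1
       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       ParentImage = 'C:\Windows\System32\msiexec.exe'
       CommandLine = 'powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command <stage omitted>' },
    @{ EventId = 1
       Image = 'C:\Program Files\EmEditor\EmEditor.exe'
       ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = '"C:\Program Files\EmEditor\EmEditor.exe"' },
    @{ EventId = 22
       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       QueryName = 'emeditorjp.com' },
    @{ EventId = 22
       Image = 'C:\Windows\System32\msiexec.exe'
       QueryName = 'www.emeditor.com' }    # the genuine vendor domain, must not match
)

Write-Output '--- constructed samples ---'
Invoke-EmEditorHunt -Events $SampleEvents | Format-Table -AutoSize

# Live hunt; assumes the default Sysmon channel name.
$log = 'Microsoft-Windows-Sysmon/Operational'
if (Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue) {
    Write-Output "--- $log ---"
    $live = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1, 22 } -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertFrom-SysmonEvent $_ }
    Invoke-EmEditorHunt -Events $live | Format-Table -AutoSize
}
```

Against the constructed samples the hunt reports two hits (the msiexec-to-PowerShell process creation and the emeditorjp.com lookup) and ignores the two benign records. On a real host, do not restrict the search to the December 19-22 download window: an installer fetched during the window could have been run days later.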
External References
- Security Incident Notice Regarding the EmEditor Installer Download Link (emeditor.com)
- Watering Hole Attack Targets EmEditor Users with Information-Stealing Malware (trendmicro.com)
- Researcher's Notebook - Inside the EmEditor supply chain compromise (reversinglabs.com)
- Investigation on the EmEditor Supply Chain Cyberattack (stormshield.com)
- EmEditor Editor Website Hacked to Deliver Infostealer Malware in Supply Chain Attack (cybersecuritynews.com)
Source record: proprietary/emeditor/meta.yaml