Malware | January 4, 2026

EmEditor Website Compromised to Deliver Infostealer

Popular text editor's download page was hijacked for four days in December, serving trojanized installers that steal browser credentials and crypto wallets.

James Rivera

The official website of EmEditor, a text and code editor popular among developers and system administrators, was compromised between December 19 and 22, 2025. During this four-day window, visitors who clicked the "Download Now" button received a trojanized installer containing a fully featured information-stealing trojan.

What Happened

Attackers compromised the redirect mechanism on EmEditor's website—not the software itself. When users clicked the download button, they were silently redirected to a malicious installer hosted within EmEditor's own WordPress content directory. The attack went undetected for nearly four days before the company identified and remediated the compromise.

The malicious installer was signed by "WALSHAM INVESTMENTS LIMITED," a certificate that has no connection to Emurasoft, the Japanese company behind EmEditor. This certificate has since been revoked, but during the attack window it allowed the malware to pass initial Windows SmartScreen checks without triggering warnings.

Emurasoft disclosed the incident on December 22 and confirmed that the following users were not affected:

  • Those who downloaded via the built-in Update Checker
  • Those who downloaded directly from download.emeditor.info
  • Those who used the portable or Microsoft Store versions

Only users who clicked the main website's download button during the attack window are at risk.

The Malware Payload

The trojanized installer deploys a multi-stage credential theft operation. Initial analysis from security researchers at Qianxin revealed:

Browser credential harvesting - The malware targets Chrome, Edge, Brave, and Opera, extracting saved passwords, cookies, browsing history, and autofill data.

Application credential theft - Beyond browsers, the payload harvests credentials from Discord, Slack, Zoom, Microsoft Teams, WinSCP, and PuTTY. Developers and IT administrators—EmEditor's core user base—likely have credentials for these applications stored locally.

Persistent browser extension - The most concerning component installs a browser extension masquerading as "Google Drive Caching." This extension persists even if the initial malware payload is detected and removed.

The extension communicates with cachingdrive.com and incorporates domain generation algorithm (DGA) logic to maintain operations even if primary command-and-control infrastructure is disrupted. It captures:

  • Complete browser history and bookmarks
  • Session cookies (enabling session hijacking)
  • Clipboard contents
  • Installed extension data

The clipboard monitoring specifically targets cryptocurrency wallet addresses. Researchers identified support for over 30 different cryptocurrency address formats, automatically replacing copied addresses with attacker-controlled wallets.

Geographic Exclusions

The malware includes a "do not infect" list based on system language settings. It self-terminates if it detects locales for Russia, Ukraine, Kazakhstan, Belarus, Azerbaijan, Armenia, Georgia, or Iran. This targeting pattern is consistent with threat actors operating from the former Soviet sphere, following an unwritten rule among Eastern European cybercriminals to avoid targeting domestic systems.

Connection to Broader Infostealer Ecosystem

This attack fits a disturbing pattern we've tracked throughout 2025. The LotusBail NPM supply chain attack and GlassWorm macOS campaign showed similar tactics—compromising trusted distribution channels to deliver credential stealers.

Recent research from KELA shows infostealers compromised 3.9 billion credentials from infected devices in 2025, with Lumma, StealC, and RedLine responsible for over 75% of infections. The EmEditor attack demonstrates that supply chain compromise remains an effective delivery mechanism, bypassing the phishing detection that blocks most infostealer distribution attempts.

For guidance on protecting against credential theft, see our phishing examples guide which covers social engineering tactics commonly used alongside these attacks.

What To Do If You Downloaded During the Attack Window

If you downloaded EmEditor between December 19 and December 22, 2025:

  1. Isolate the system - Disconnect from the network immediately
  2. Check for the malicious extension - Look for "Google Drive Caching" in browser extensions
  3. Run comprehensive malware scans - Standard antivirus may not detect all components
  4. Assume credential compromise - Reset passwords for all accounts accessed from the system
  5. Enable MFA everywhere - Particularly on email, banking, and cryptocurrency accounts
  6. Monitor financial accounts - Watch for unauthorized transactions, especially crypto transfers

Organizations should check download logs and endpoint telemetry to identify any systems that may have retrieved the malicious installer during the attack window.
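As an added example (not from the article, Emurasoft or the researchers cited), the following Python hunts Chromium-based browser profiles for the masquerading extension from step 2, matching both its display name (including the localized `__MSG_` form Chromium manifests use) and the permission set its data collection would require. The default profile paths, the permission list and the threshold are assumptions.

```python
import json
from pathlib import Path

# Default Windows profile roots for the browsers the article names (assumed locations).
_APP = Path.home() / "AppData"
BROWSER_USER_DATA = {"Chrome": _APP / "Local/Google/Chrome/User Data",
                     "Edge": _APP / "Local/Microsoft/Edge/User Data",
                     "Brave": _APP / "Local/BraveSoftware/Brave-Browser/User Data",
                     "Opera": _APP / "Roaming/Opera Software/Opera Stable"}
SUSPICIOUS_NAME = "google drive caching"
# Permissions matching what the article says the extension collects; the threshold is an assumed heuristic.
HIGH_RISK_PERMS = {"history", "bookmarks", "cookies", "clipboardRead", "management", "<all_urls>"}
RISK_THRESHOLD = 3

def resolve_name(manifest, messages=None):
    """Display name, following a __MSG_key__ reference into the _locales messages.json."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__") and messages:
        name = messages.get(name[6:-2], {}).get("message", name)
    return name

def assess(manifest, messages=None, ext_id="?"):
    """Flag a manifest by the known masquerade name or by an abusive permission set."""
    name = resolve_name(manifest, messages)
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    risky = sorted(perms & HIGH_RISK_PERMS)
    name_match = name.strip().lower() == SUSPICIOUS_NAME
    return {"id": ext_id, "name": name, "name_match": name_match, "risky_permissions": risky,
            "flag": name_match or len(risky) >= RISK_THRESHOLD}

def _load_json(path):
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return None
    return data if isinstance(data, dict) else None

def scan_user_data(user_data):
    """Flagged extensions under <profile>/Extensions/<id>/<version>/manifest.json."""
    findings = []
    for mp in user_data.rglob("manifest.json"):
        manifest = _load_json(mp) if "Extensions" in mp.parts else None
        if manifest:
            locale_dir = mp.parent / "_locales" / manifest.get("default_locale", "en")
            findings.append(assess(manifest, _load_json(locale_dir / "messages.json"), mp.parent.parent.name))
    return [f for f in findings if f["flag"]]

if __name__ == "__main__":  # pass any other root to scan_user_data() for offline triage of copied profiles
    for browser, root in BROWSER_USER_DATA.items():
        print(browser, scan_user_data(root) if root.is_dir() else "profile not found")
```

A name match is the strong signal; the permission heuristic exists because a renamed variant of the extension would still need the same capabilities to collect what the article describes.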

Supply Chain Security Remains the Weak Link

EmEditor's compromise illustrates a fundamental challenge: users trust official download pages. When that trust is exploited, traditional security controls fail. The installer was signed (though by an unfamiliar entity), hosted on legitimate infrastructure, and distributed through expected channels.

Developer tools represent high-value targets for supply chain attacks. Their users typically have elevated privileges, access to source code repositories, and credentials for production systems. A compromised text editor on a developer workstation opens doors that phishing campaigns struggle to reach.

Emurasoft has implemented additional security controls following the incident, though specific details haven't been disclosed. For users, the incident is a reminder to verify installer signatures against known good values—and to question unfamiliar certificate authorities even when the download source appears legitimate.
