EmEditor Watering Hole Attack
BLUF
Attackers compromised the official download page of EmEditor, a popular text editor for developers, to distribute a tampered installer that delivers a multi-stage PowerShell-based stealer.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by a watering hole supply-chain compromise delivering credential-stealing malware through a trusted developer tool:
· Low-end total cost: $750,000 – $1.2M
· (Limited endpoint exposure, rapid detection, minimal credential reuse)
· Typical expected range: $1.5M – $3.5M
· (Multiple developers impacted, credential resets, short-term operational disruption)
· Upper-bound realistic scenarios: $4M – $7M
· (Credential abuse leads to secondary access, customer assurance actions required)
Key Cost Drivers
· Number of developer endpoints requiring rebuild and credential resets
· Evidence of credential reuse across internal or customer-facing systems
· Duration between installer exposure and detection
· Contractual security obligations to enterprise customers
· Cyber insurance deductible levels and coverage limitations
Targeted Sectors
· Software Development
· IT
· Technology
Countries Targeted
· Global
Date of First Reported Activity
· Late December 2025
Date of Last Reported Activity Update
· January 26, 2026
APT Names
· Unidentified (suspected Russian or CIS-based, inferred from the geofencing that excludes those regions).
Associated Criminal Organizations
· No criminal organization has been associated with this at this time.
IOCs
Domain
· EmEditorjp[.]com (malicious C2 mimicking legitimate site).
Installer
Tampered MSI installer for EmEditor.
Related Persistence Mechanisms
Scheduled Task
· A task named Google Drive Caching may be present in the system.
VBScript File
· A file named background.vbs is typically created in %LOCALAPPDATA%\Google Drive Caching\.
Log File
· The presence of C:\ProgramData\tmp_mojo.log is a known indicator of infection.
Command and Control (C2)
· The malware communicates with malicious domains, most notably cachingdrive[.]com.
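An added host hunt for the artifacts listed above (this script is not from the advisory, Emurasoft or Trend Micro). It is read-only and reports only; it assumes the task name and paths are exactly as listed, takes the look-alike domains from the Suricata rules later in this report, and compares any EmEditor MSI in Downloads against the sample SHA-256 listed under Malware Sample, so a match confirms and a miss does not clear the host.

```powershell
# Added hunt script (not from the advisory or from Emurasoft/Trend Micro): checks one
# Windows host for the persistence artifacts, C2 domains and sample hash this report lists.
# Read-only: it reports findings and removes nothing. Run from an elevated session.
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Scheduled task named "Google Drive Caching"
$task = Get-ScheduledTask -TaskName 'Google Drive Caching' -ErrorAction SilentlyContinue
if ($task) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $Findings.Add("Scheduled task: $($task.TaskPath)$($task.TaskName) -> $actions")
}

# 2. background.vbs under %LOCALAPPDATA%\Google Drive Caching\ for every profile,
#    since the infected account need not be the one running this script
foreach ($profile in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
    $vbs = Join-Path $profile.FullName 'AppData\Local\Google Drive Caching\background.vbs'
    if (Test-Path -LiteralPath $vbs) {
        $hash = (Get-FileHash -LiteralPath $vbs -Algorithm SHA256).Hash
        $Findings.Add("VBScript dropper: $vbs (SHA256 $hash)")
    }
}

# 3. Log file the stealer leaves behind
if (Test-Path -LiteralPath 'C:\ProgramData\tmp_mojo.log') {
    $Findings.Add('Infection log: C:\ProgramData\tmp_mojo.log')
}

# 4. C2 / look-alike domains in the local DNS resolver cache (the report lists them defanged)
$domains = 'cachingdrive.com', 'emeditorjp.com', 'emeditorgb.com', 'emeditorde.com'
$cache = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($d in $domains) {
    if ($cache | Where-Object { $_.Entry -like "*$d" -or $_.Name -like "*$d" }) {
        $Findings.Add("DNS cache entry for $d")
    }
}

# 5. EmEditor MSIs in Downloads folders compared against the sample SHA-256 from this report
$badSha256 = 'E3544F1A9707EC1CE083AFE0AE64F2EDE38A7D53FC6F98AAB917CA049BC63E69'
foreach ($msi in Get-ChildItem 'C:\Users\*\Downloads\*emeditor*.msi' -File -ErrorAction SilentlyContinue) {
    if ((Get-FileHash -LiteralPath $msi.FullName -Algorithm SHA256).Hash -eq $badSha256) {
        $Findings.Add("Known malicious sample: $($msi.FullName)")
    }
}

if ($Findings.Count -eq 0) { 'No EmEditor watering-hole artifacts found on this host.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```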
Tools Used
· PowerShell
· MSI Installers
CVEs & CVSS
· No specific CVE has been assigned to the watering hole site breach yet; it involves a compromise of the vendor's distribution infrastructure.
Nessus ID
· Not applicable at this time.
Mitigation
· Verify checksums of downloaded installers. Emurasoft has issued a security advisory on its official site.
Malware Names
· Evelyn Stealer
· "Google Drive Caching" Extension
o As part of the infection chain, the malware may deploy a malicious browser extension by this name. This extension serves as a fully featured infostealer itself, capable of:
§ Logging keystrokes and stealing cookies.
§ Collecting browser history and bookmarks.
§ Replacing cryptocurrency wallet addresses with those controlled by the attacker.
§ Stealing Facebook ad accounts.
· Obfuscated PowerShell Scripts
o The initial compromise involves a modified Microsoft Installer (.MSI) that executes heavily obfuscated PowerShell scripts to download and deploy the final payloads.
Malware Sample
sha256
E3544F1A9707EC1CE083AFE0AE64F2EDE38A7D53FC6F98AAB917CA049BC63E69
Known Decoding Key (AES-256-CBC)
Key (32 bytes)
2e649f6145f55988b920ff5a445e63aae29c80495b830e0d8bb4b3fff4b1f6f4
IV (16 bytes)
5c507b22e9814428c5f2b1ef213c5c4a
Verdict
· Malicious
o Categorized as a high-risk data exfiltration Trojan.
Primary Objectives
· Harvest browser credentials, cookies, and autofill data.
· Steal cryptocurrency wallet information and session tokens.
· Capture system metadata, clipboard contents, and Wi-Fi credentials.
· Take screenshots of the infected environment.
Threat Actor Context
· Observed targeting software developers by abusing the Visual Studio Code (VSC) Extension Marketplace.
· Uses lures like "Bitcoin Black" themes and "Codo AI" coding assistants to deliver malicious extensions.
· Functions as a mature multi-stage pipeline designed to pivot from developer workstations into enterprise environments.
Behavior Analysis
Initial Infection
· Chained through malicious VSC extensions that execute PowerShell and batch scripts upon activation.
Anti-Analysis
· Implements multiple checks to detect sandbox or research environments and terminates if identified.
Execution
· Employs Process Hollowing and DLL Hijacking (often using the legitimate Lightshot utility) to run malicious code under trusted binary names like grpconv.exe.
Exfiltration
· Communicates with Command-and-Control (C2) servers over FTP for data upload.
TTPs
Initial Access
· T1195.002 Supply Chain Compromise
o Compromise Software Supply Chain: Attackers modified the legitimate EmEditor MSI installer on the official website to include a malicious CustomAction script.
· T1189 Drive-by Compromise
o The compromise of the official download page served as a "watering hole" to infect users visiting the site.
Execution
· T1059.001 Command and Scripting Interpreter PowerShell
o The modified installer executes a PowerShell command to download and run subsequent payloads.
· T1204.002 User Execution Malicious File
o Execution occurs when a user runs the trojanized version of the installer.
Persistence & Evasion
· T1027 Obfuscated Files or Information
o Payloads use complex string manipulation (Insert, Remove, Replace) to evade signature-based detection.
· T1562.001 Impair Defenses: Disable or Modify Tools
o The malware specifically disables PowerShell Event Tracing for Windows (ETW) to suppress security logging.
· T1497.001 Virtualization/Sandbox Evasion System Checks
o The malware performs anti-virtualization checks and process detection to identify security software.
· T1614.001 System Location Discovery
o System Language Discovery (Geofencing): The attack employs geofencing to restrict execution based on geographic regions (e.g., excluding certain CIS countries).
Credential Access & Collection
· T1555.004 Credentials from Password Stores
o Windows Credential Manager: The primary payload extracts stored credentials from the Windows Credential Manager.
· T1113 Screen Capture
o The malware is capable of taking screenshots of the victim's system for reconnaissance.
· T1082 System Information Discovery
o The malware harvests detailed system information and fingerprints the infected machine.
Command and Control
· T1071.001 Application Layer Protocol Web Protocols
o Communication with the command-and-control (C2) server is conducted via HTTPS.
· T1105 Remote File Copy
o PowerShell's Invoke-WebRequest (IWR) is used to retrieve additional stages of the malware.
Suggested rules / potential hunts
As a reminder, these are indicator rules and are likely to be noisy.
For best results, consider creating a data model and reviewing the matching traffic as a report rather than alerting on every hit.
Suricata
Create alerts for the known malicious domains used to stage payloads.
alert dns $HOME_NET any -> any any (msg:"ET HUNTING EmEditor Watering Hole Domain (emeditorjp[.]com)"; dns.query; content:"emeditorjp.com"; nocase; sid:2026001; rev:1;)
alert dns $HOME_NET any -> any any (msg:"ET HUNTING EmEditor Watering Hole Domain (emeditorgb[.]com)"; dns.query; content:"emeditorgb.com"; nocase; sid:2026002; rev:1;)
alert dns $HOME_NET any -> any any (msg:"ET HUNTING EmEditor Watering Hole Domain (emeditorde[.]com)"; dns.query; content:"emeditorde.com"; nocase; sid:2026003; rev:1;)
Alert on specific URI patterns used for credential theft and system info gathering.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Evelyn Stealer Payload Request (/run/mg8heP0r)"; http.uri; content:"/run/mg8heP0r"; sid:2026004; rev:1;)
SentinelOne
Search for msiexec.exe spawning PowerShell with unusual arguments or network connections.
ProcessName = "msiexec.exe" AND ChildProcessName = "powershell.exe"
ProcessName = "msiexec.exe" AND DNSRequest CONTAINS "EmEditor"
(the second query surfaces look-alike EmEditor domains resolved by the installer process)
Identify obfuscated PowerShell or use of Invoke-WebRequest (IWR) to suspicious domains.
ProcessName = "powershell.exe" AND (CommandLine CONTAINS ".Insert" OR CommandLine CONTAINS ".Substring")
DNSRequest IN ("EmEditorjp.com", "EmEditorgb.com", "EmEditorde.com", "cachingdrive.com")
Monitor for registry or process modifications intended to disable ETW.
ProcessName = "powershell.exe" AND (CommandLine CONTAINS "ETW" AND CommandLine CONTAINS "Disable")
Detect unauthorized access to credential storage or sensitive registry keys.
ProcessName = "powershell.exe" AND RegistryKeyPath CONTAINS "Credentials"
Splunk
Look for common string manipulation techniques (e.g., Insert, Remove, Replace) in PowerShell logs (Event ID 4104).
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational"
| eval script_len=len(ScriptBlockText)
| where script_len > 500 AND (match(ScriptBlockText, "Replace|Insert|Remove|Substring|Trim"))
| stats count by ComputerName, ScriptBlockText
Domain Typosquatting Check
Compare web proxy or DNS logs against the legitimate emeditor.com domain.
index=network sourcetype=dns query="emeditor*" NOT query="emeditor.com"
| stats count by query, src_ip
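The two Splunk hunts above, and the Insert/Remove/Replace obfuscation described under T1027, carried out locally as an added PowerShell example (not from the advisory). The scoring thresholds, the function names and the sample script blocks are assumptions constructed for this example; the live-host line at the end reads the same Event ID 4104 script blocks the Splunk search does.

```powershell
# Added example (not from the advisory). Scores PowerShell script-block text for the
# Insert/Remove/Replace string reassembly the report describes under T1027, and flags
# EmEditor look-alike DNS names. Thresholds are assumptions chosen for this example.
function Get-ObfuscationScore {
    param([Parameter(Mandatory)][string]$ScriptBlockText)
    $ops = 'Insert', 'Remove', 'Replace', 'Substring', 'Trim'
    # distinct string-manipulation methods used, matched as ".Method(" case-insensitively
    $seen = @($ops | Where-Object { $ScriptBlockText -match "\.$_\s*\(" })
    $pattern = '\.(Insert|Remove|Replace|Substring|Trim)\s*\('
    $calls = [regex]::Matches($ScriptBlockText, $pattern, 'IgnoreCase').Count
    [pscustomobject]@{
        Length     = $ScriptBlockText.Length
        Ops        = ($seen -join ',')
        CallCount  = $calls
        # assumed thresholds: long block, 3+ distinct ops, 10+ calls
        Suspicious = ($ScriptBlockText.Length -gt 500 -and $seen.Count -ge 3 -and $calls -ge 10)
    }
}

function Test-EmEditorLookalike {
    param([Parameter(Mandatory)][string]$Query)
    # any name containing "emeditor" whose registrable domain is not emeditor.com
    ($Query -match 'emeditor') -and ($Query -notmatch '(^|\.)emeditor\.com$')
}

# Constructed samples (not real captures): a benign admin one-liner and a block that
# rebuilds a string one character at a time through Insert/Replace/Remove chains.
$benign = 'Get-ChildItem C:\Logs -Recurse | Where-Object { $_.Length -gt 1MB } | Remove-Item -WhatIf'
$obf = '$s="";' + ((1..30 | ForEach-Object {
    '$s=$s.Insert($s.Length,"' + [char](65 + $_ % 26) + '").Replace("q","").Remove(0,0);'
}) -join '') + 'Write-Output $s'

foreach ($t in $benign, $obf) { Get-ObfuscationScore $t }
foreach ($q in 'www.emeditor.com', 'emeditorjp.com', 'emeditor.com.evil.example') {
    '{0,-28} lookalike={1}' -f $q, (Test-EmEditorLookalike $q)
}

# On a live host, run the same scoring over Event ID 4104 (Properties[2] is ScriptBlockText):
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} |
#   ForEach-Object { Get-ObfuscationScore $_.Properties[2].Value } | Where-Object Suspicious
```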
Delivery Method
· Tampered installer hosted on the official download page
References
CyberPress
· hxxps://cyberpress.org/emeditor-watering-hole-stealer-attack/
Trend Micro
· hxxps://www.trendmicro.com/en_us/research/26/a/watering-hole-attack-targets-emeditor-users.html
· hxxps://www.trendmicro.com/en_us/research/26/a/analysis-of-the-evelyn-stealer-campaign.html
VirusTotal
· hxxps://www.virustotal.com/gui/file/e3544f1a9707ec1ce083afe0ae64f2ede38a7d53fc6f98aab917ca049bc63e69/details