Infostealer Malware Delivered in EmEditor Supply Chain Attack

A recent supply chain attack targeting EmEditor, a popular Windows text and code editor, has resulted in the distribution of infostealer malware to users who downloaded the software from the official website.

Developed by Redmond-based Emurasoft, Inc., EmEditor is widely used for coding, text editing, and handling large files. The company issued a security notice on December 22, warning that downloads from the “Download Now” button between December 19, 18:39 PT, and December 22, 12:50 PT may have delivered a malicious installer instead of the legitimate software.


How the Attack Worked

Emurasoft confirmed that the URL behind the download button was altered to point to a malicious .MSI file hosted on a different location within the EmEditor website. The fake installer appeared identical to the official one in name and size but was signed with a certificate from an unrelated company.

When executed, the malicious installer ran a PowerShell script designed to download and execute additional malware from a fraudulent EmEditor domain.
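
The defensive lesson of the two paragraphs above is that a matching file name and size prove nothing; what distinguishes the trojanized installer is who signed it and whether its hash matches the value the vendor publishes. The following PowerShell script is an added example, not code from the article, from Emurasoft or from Qianxin. It checks both properties of a downloaded MSI before it is run. The installer path, the expected publisher string and the expected SHA-256 are placeholders the reader must replace with values taken from the vendor's own download page or security notice.

```powershell
# Added example: verify a downloaded installer before running it.
# The path, publisher string and hash below are placeholders (assumptions for
# illustration); take the real values from the vendor's notice or download page.
param(
    [string]$InstallerPath     = "$env:USERPROFILE\Downloads\emeditor_example.msi",  # placeholder
    [string]$ExpectedPublisher = "CN=EXPECTED-PUBLISHER-PLACEHOLDER",                # from vendor
    [string]$ExpectedSha256    = "<SHA256-FROM-VENDOR-NOTICE>"                       # from vendor
)

function Test-InstallerTrust {
    param([string]$Path, [string]$Publisher, [string]$Sha256)
    $findings = @()

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false; Findings = @('file not found') }
    }

    # 1. Authenticode: the signature must validate AND the signer must be the expected
    #    publisher. A "Valid" status alone is not sufficient: in the EmEditor case the
    #    fake installer carried a certificate issued to an unrelated company.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status: $($sig.Status)"
    }
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($signer -notlike "*$Publisher*") {
        $findings += "unexpected signer: $signer"
    }

    # 2. Hash: compare against the value published out-of-band by the vendor.
    #    Get-FileHash returns upper-case hex, so normalise the expected value too.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($hash -ne $Sha256.ToUpperInvariant()) {
        $findings += "SHA-256 mismatch: $hash"
    }

    [pscustomobject]@{
        Path     = $Path
        Signer   = $signer
        Sha256   = $hash
        Trusted  = ($findings.Count -eq 0)
        Findings = $findings
    }
}

$result = Test-InstallerTrust -Path $InstallerPath -Publisher $ExpectedPublisher -Sha256 $ExpectedSha256
$result | Format-List
if (-not $result.Trusted) {
    Write-Warning 'Do not run this installer; keep the file for analysis and report it to the vendor.'
}
```

Run it from a PowerShell prompt after replacing the three placeholders. The script treats the signer subject and the hash as independent checks: a signature that validates but names the wrong company is flagged, as is an unsigned or tampered file whose hash does not match.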


Malware Capabilities and Impact

Chinese cybersecurity firm Qianxin analyzed the attack and warned that the malware targeted Windows users globally, with a significant user base in China. The malware delivered by the malicious installer is capable of:

  • Collecting system information and files from Desktop, Documents, and Downloads folders
  • Extracting VPN configurations, browser data, and credentials from Windows and applications including Zoho Mail, Discord, Slack, Teams, Zoom, WinSCP, PuTTY, Telegram, and Steam
  • Deploying a browser extension named “Google Drive Caching” for persistence
  • Logging keystrokes, hijacking the clipboard to replace cryptocurrency addresses, and stealing Facebook ad accounts
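
Of the capabilities listed above, the browser extension named “Google Drive Caching” is the one a user can look for directly on a host. The following PowerShell script is an added example, not code from the article, from Qianxin or from Emurasoft. It walks the extension folders of the current user's Chrome and Edge profiles and reports any unpacked extension whose manifest name matches. The only indicator it uses is the extension name given in the article; the browser paths are the standard Chromium layout (`<User Data>\<Profile>\Extensions\<id>\<version>\manifest.json`), which is an assumption about where the extension would reside rather than something the article states.

```powershell
# Added example: look for an installed Chromium extension whose manifest name matches
# the persistence component reported in this incident. The name below comes from the
# article; the browser paths assume the standard Chromium per-user layout.
$SuspectName = 'Google Drive Caching'

$ExtensionRoots = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
)

function Find-SuspectExtension {
    param([string[]]$Roots, [string]$Name)
    $hits = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Every profile (Default, Profile 1, ...) has its own Extensions folder; extension
        # IDs are 32 characters drawn from a-p, which keeps unrelated manifest.json files out.
        $manifests = Get-ChildItem -LiteralPath $root -Recurse -Filter 'manifest.json' -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -match '\\Extensions\\[a-p]{32}\\' }
        foreach ($m in $manifests) {
            try {
                $json = Get-Content -LiteralPath $m.FullName -Raw -ErrorAction Stop | ConvertFrom-Json
            } catch { continue }
            # Caveat: localized extensions put "__MSG_<key>__" here and keep the real string
            # in _locales\<lang>\messages.json; this check only matches a literal name.
            if ($json.name -eq $Name) {
                $hits += [pscustomobject]@{
                    Browser  = (Split-Path (Split-Path $root -Parent) -Leaf)
                    Manifest = $m.FullName
                    Name     = $json.name
                    Version  = $json.version
                }
            }
        }
    }
    return $hits
}

$found = Find-SuspectExtension -Roots $ExtensionRoots -Name $SuspectName
if ($found) {
    $found | Format-Table -AutoSize
    Write-Warning 'Suspect extension present; treat the host as potentially compromised and consult the vendor and Qianxin IoCs.'
} else {
    Write-Output "No extension named '$SuspectName' found under the inspected profiles."
}
```

A negative result is not a clean bill of health: an extension can be renamed, and the same campaign also drops files outside the browser. Use the script as a quick triage step and rely on the published indicators of compromise for a full check.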

The malware is programmed to terminate on systems with language settings associated with former Soviet countries or Iran, suggesting a selective targeting mechanism.


Attribution and Threat Assessment

While Qianxin did not assign the attack to a specific actor, the pattern suggests profit-driven cybercriminals rather than a state-sponsored group. However, experts note that the line between financially motivated criminals and APT (Advanced Persistent Threat) actors is increasingly blurred in supply chain attacks.

Indicators of compromise (IoCs) are available from both Qianxin and Emurasoft for organizations and users seeking to verify potential exposure.


Broader Context

This incident adds to a growing trend of supply chain attacks targeting widely used software, following recent breaches in npm packages, VS Code extensions, and other development tools. Experts advise enterprises and government organizations to remain vigilant and verify all software sources before installation.
