This article explores an advanced watering hole attack that targets users of EmEditor, a widely used Windows text editor popular with developers, particularly in Japan, through the compromised domain emeditorjp[.]com. Attackers gained access to EmEditor's download page in late December 2025 and used it to distribute a modified MSI installer.
The multistage PowerShell-based stealer delivered by this supply chain attack exfiltrates data, steals credentials, and enables lateral movement. By delaying its malicious actions until after installation, the malware prolongs its dwell time and evades detection. A security advisory posted on the EmEditor website, which belongs to the U.S.-based Emurasoft, warned users. The attack most likely exploited the year-end holidays, when vigilance is lower.
Geofencing in the malware excludes CIS countries such as Russia, Armenia, Belarus, Georgia, Kazakhstan, and Kyrgyzstan. This points to a Russian or CIS origin and to an attempt to reduce risk to the operators, although the threat actor remains unknown.
IOCs and Technical Breakdown
To appear legitimate, the compromised MSI installer launches a PowerShell command that retrieves first-stage code from hxxps://EmEditorjp[.]com.
EmEditor's webpage was compromised, and the vendor issued a warning about it (source: Trendmicro).
This stage uses Invoke-WebRequest to fetch two payloads. The first, hxxps://EmEditorgb[.]com/run/mg8heP0r, deobfuscates itself using string manipulations (Insert, Remove, Replace, Substring, Trim), disables Event Tracing for Windows (ETW), detects security processes, performs anti-virtualization checks, steals credentials from Credential Manager, and takes screenshots. The second, hxxps://EmEditorde[.]com/gate/start/2daef8cd, performs system fingerprinting, geofencing checks, registry scans for security products, and C&C communication. The string "2daef8cd" recurs across these URLs and is probably a campaign ID. Data is exfiltrated to hxxps://cachingdrive[.]com/gate/init/2daef8cd.
Obfuscation and anti-analysis techniques such as ETW disablement allow the malware to evade endpoint detection.
Important IOCs:
Compromised domains: EmEditorjp[.]com, EmEditorgb[.]com, EmEditorde[.]com, cachingdrive[.]com
Payload URLs: hxxps://EmEditorgb[.]com/run/mg8heP0r, hxxps://EmEditorde[.]com/gate/start/2daef8cd, hxxps://cachingdrive[.]com/gate/init/2daef8cd
Campaign ID: 2daef8cd
Countries excluded (geofencing): Russia, Armenia, Belarus, Georgia, Kazakhstan, and Kyrgyzstan
Trend Vision One provides customers with hunting queries and blocks these IOCs. Third-party Windows software downloaded by the general public poses a risk to organizations, so CISOs need to keep a close eye on developer tools and trusted installers.
The CustomAction script in the compromised installer file has been altered to run a malicious command (source: Trendmicro).
Before executing an MSI, verify its integrity using its digital signature and published hashes. Control PowerShell by monitoring its network calls, blocking obfuscated scripts, and logging script executions. For vendors such as EmEditor: secure download servers with access controls and change monitoring, and publish hashes so users can verify downloads.
Maintain incident response plans covering takedowns, notifications, and vendor coordination.
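As an added example of the pre-install checks recommended above (not code from the article, Trend Micro or Emurasoft), the following PowerShell script verifies an MSI's Authenticode signature and SHA-256 hash, then opens the package read-only through the Windows Installer COM API and lists CustomAction rows whose Source or Target contains PowerShell or download-related strings, the pattern seen in the altered installer. The parameter names, the regex and the hash placeholder are assumptions of this example; the operator supplies the real vendor-published hash.

```powershell
# Added example, not code from the article or Emurasoft: pre-install triage of an MSI.
param(
    [Parameter(Mandatory)] [string] $MsiPath,
    [string] $ExpectedSha256 = '<VENDOR-PUBLISHED-SHA256-PLACEHOLDER>'   # placeholder, not a real hash
)

function Test-MsiIntegrity {
    param([string] $Path, [string] $Expected)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        SignatureStatus = $sig.Status                     # only 'Valid' is acceptable
        Signer          = $sig.SignerCertificate.Subject  # $null when unsigned
        Sha256          = $hash
        HashMatches     = ($hash -ieq $Expected)
    }
}

function Get-SuspiciousCustomActions {
    param([string] $Path)
    # Strings typical of a download-and-execute CustomAction; tune to local policy.
    $pattern = 'powershell|pwsh|Invoke-WebRequest|DownloadString|FromBase64String|-enc|mshta'
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # OpenDatabase mode 0 = read-only, so triage never modifies the file
    $db   = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $installer, @($Path, 0))
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db,
                @('SELECT Action, Source, Target FROM CustomAction'))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    while ($true) {
        $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if (-not $rec) { break }
        $row = [pscustomobject]@{
            Action = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1)
            Source = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 2)
            Target = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 3)
        }
        if (($row.Source + ' ' + $row.Target) -match $pattern) { $row }
    }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
}

$integrity = Test-MsiIntegrity -Path $MsiPath -Expected $ExpectedSha256
$integrity | Format-List
$hits = @(Get-SuspiciousCustomActions -Path $MsiPath)
if ($integrity.SignatureStatus -ne 'Valid' -or -not $integrity.HashMatches -or $hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
    Write-Warning "Do not install: signature/hash check failed or $($hits.Count) suspicious CustomAction row(s)."
    exit 1
}
Write-Output 'MSI passed signature, hash and CustomAction checks.'
```

A legitimate installer can also contain script CustomActions, so treat a hit as a prompt to read the row's Target, not as proof of compromise.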
This attack undermines confidence in official installers and calls for preventative measures against supply chain risks.