Incident

EmEditor website compromised to distribute Infostealer malware



Emurasoft, Inc. was hit by a supply chain attack on its website from December 19 to December 22, 2025. Attackers broke into the site and changed the redirect settings for the main download button. This caused the site to serve a fake installer for the EmEditor software. Users who clicked "Download Now" received a malicious file instead of the real tool.

The fake installer uses the name emed64_25.4.3.msi and matches the size of the official version. However, the file carries a digital signature from "WALSHAM INVESTMENTS LIMITED" instead of Emurasoft. When a user runs the file, it also installs the genuine EmEditor program in the background, so the victim ends up with a working editor and has no obvious reason to suspect anything.

The malware targets technical and government staff who handle sensitive data. It steals stored credentials from tools like Slack, Discord, and Steam, as well as from administration software like PuTTY and WinSCP. The attackers also steal:

  • Browser cookies and history
  • Saved passwords and VPN settings
  • Desktop screenshots
  • Files from Desktop, Documents, and Downloads folders
  • Windows login credentials

How the attackers gained access to the website and the number of affected users have not been disclosed.

To maintain access, the malware installs a browser extension named "Google Drive Caching." This extension lets the attackers control the browser and record what the user types. It also includes a component that watches for cryptocurrency addresses. If a user tries to send a payment, the extension swaps the recipient's address for one controlled by the attackers to steal the funds.
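One check a responder would want after reading the paragraph above is whether the named extension is present on a machine that ran the installer. The following PowerShell script is an added example and is not code from Emurasoft or from the original write-up. It assumes the default Chrome and Edge profile locations under %LOCALAPPDATA% and that the extension's manifest.json carries the literal name "Google Drive Caching"; an extension loaded by policy, from an unpacked directory, or with a localized name would not be found this way.

```powershell
# Added example (not from the original page): hunt for a browser extension by
# the manifest "name" reported in the incident. Default profile paths for
# Chrome and Edge are assumptions; adjust for other browsers or locations.
$Name = "Google Drive Caching"
$roots = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
)

$hits = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    # Installed extensions live under <profile>\Extensions\<id>\<version>\manifest.json
    Get-ChildItem -Path $root -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -like "*\Extensions\*" } |
        ForEach-Object {
            try { $m = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json } catch { return }
            if ($m.name -eq $Name) {
                [pscustomobject]@{
                    Browser = Split-Path (Split-Path $root -Parent) -Leaf
                    Path    = $_.DirectoryName
                    Version = $m.version
                }
            }
        }
}

if ($hits) {
    $hits | Format-Table -AutoSize
    Write-Warning "Extension '$Name' found. Remove it and treat the host as compromised."
    exit 1
}
Write-Host "No extension named '$Name' found under the default profile paths."
exit 0
```

Run it in the context of each user profile on the host; a clean result here does not clear the machine on its own, since the installer also drops a stealer outside the browser.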

The malware includes a check that stops it from running if it detects the computer is located in Iran or in a former Soviet republic.

Emurasoft advises users to check the digital signature of any installer downloaded during the breach window. If the signer is not Emurasoft, users should delete the file and change their passwords; because the stealer also takes browser cookies, signing out of and revoking active sessions for accounts used on that machine is prudent as well. The company is still investigating the full scope of the breach.
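The point the advice above rests on is that a signature being valid is not enough: the malicious installer carried a valid Authenticode signature, just from the wrong company. The following PowerShell script is an added example, not a tool published by Emurasoft, that prints the signer and fails the check unless the subject name contains the expected vendor string. The default file name and the "Emurasoft" substring are assumptions taken from the write-up; the real certificate subject may be longer and should be compared against a known-good installer.

```powershell
# Added example (not from Emurasoft or the original page): verify WHO signed an
# installer before running it. File name and expected signer are assumptions.
param(
    [string]$Path = ".\emed64_25.4.3.msi",
    [string]$ExpectedSigner = "Emurasoft"
)

if (-not (Test-Path $Path)) {
    Write-Error "File not found: $Path"
    exit 3
}

$sig = Get-AuthenticodeSignature -FilePath $Path

# Status 'Valid' only proves the file is signed by some certificate that chains
# to a trusted CA. The fake installer was validly signed by
# "WALSHAM INVESTMENTS LIMITED", so the subject name is the check that matters.
$subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "<unsigned>" }

Write-Host "File:       $Path"
Write-Host "Status:     $($sig.Status)"
Write-Host "Signer:     $subject"
Write-Host "Thumbprint: $($sig.SignerCertificate.Thumbprint)"
Write-Host "SHA256:     $((Get-FileHash -Path $Path -Algorithm SHA256).Hash)"

if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature is not valid ($($sig.Status)). Do not run this file."
    exit 2
}
if ($subject -notmatch [regex]::Escape($ExpectedSigner)) {
    Write-Warning "Signed by '$subject', not by $ExpectedSigner. Delete the file; if it was already run, treat the host as compromised."
    exit 1
}
Write-Host "Signer matches '$ExpectedSigner'." -ForegroundColor Green
exit 0
```

The SHA256 line is there so the value can be compared with a hash obtained from Emurasoft through a channel other than the compromised download page; the thumbprint lets you pin the exact signing certificate rather than a name substring once you have a known-good copy.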
