EmEditor Homepage Download Button Served Malware for 4 Days
Dec. 30, 2025, 5:22 p.m.
Description
Between December 19 and 22, 2025, EmEditor's official website suffered a security breach that caused the main download button to serve malicious software. The fake installer, signed by WALSHAM INVESTMENTS LIMITED, contained infostealer malware targeting login credentials, browser history, and VPN settings. The malware specifically targeted technical staff and government offices, stealing files and installing a fraudulent browser extension used for remote control and cryptocurrency address swapping. Users who downloaded during this period are advised to check the digital signature, delete suspicious files, and change stored passwords. Emurasoft is investigating the incident and has apologized for the inconvenience.
Tags
Date
- Created: Dec. 30, 2025, 4:57 p.m.
- Published: Dec. 30, 2025, 4:57 p.m.
- Modified: Dec. 30, 2025, 5:22 p.m.
Indicators
- e5f9c1e9b586b59712cefa834b67f829ccbed183c6855040e6d42f0c0c3fcb3e
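The signature check advised in the Description, combined with the hash listed under Indicators, can be run over previously downloaded installers. The PowerShell below is an added example, not code from Emurasoft or from this report. It assumes the indicator is a SHA-256 file hash, that installers are `.msi` or `.exe` files in the user's Downloads folder, and that padding the exposure window by one day on each side covers time-zone differences.

```powershell
# Added example: triage downloaded installers against this page's indicators.
$BadSigner = 'WALSHAM INVESTMENTS LIMITED'   # signer named in the Description
# From Indicators; assumed to be a SHA-256 file hash.
$BadSha256 = 'e5f9c1e9b586b59712cefa834b67f829ccbed183c6855040e6d42f0c0c3fcb3e'

# Assumption: exposure window of December 19-22, 2025, padded one day each side.
$From = [datetime]'2025-12-18'
$To   = [datetime]'2025-12-24'
# Assumption: installers were saved to the user's Downloads folder.
$Root = Join-Path $env:USERPROFILE 'Downloads'

function Test-Installer {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)

    $sig     = Get-AuthenticodeSignature -LiteralPath $File.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $hash    = (Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path        = $File.FullName
        Created     = $File.CreationTime
        InWindow    = ($File.CreationTime -ge $From -and $File.CreationTime -lt $To)
        SigStatus   = $sig.Status
        Signer      = $subject
        SignerMatch = ($subject -like "*$BadSigner*")
        HashMatch   = ($hash -ieq $BadSha256)
    }
}

# Assumption: the installer is an .msi or .exe file; the page does not state the file type.
$results = Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.msi', '.exe' } |
    ForEach-Object { Test-Installer -File $_ }

# A signer or hash match is a hit regardless of date; a "Valid" signature does not clear a file.
$hits = $results | Where-Object { $_.SignerMatch -or $_.HashMatch }
# Other installers saved inside the window still deserve a manual look.
$review = $results | Where-Object { $_.InWindow -and -not ($_.SignerMatch -or $_.HashMatch) }

'Matches for this page''s indicators:'
$hits | Format-List Path, Created, SigStatus, Signer, HashMatch
'Other installers saved during the window (review manually):'
$review | Format-Table Path, Created, SigStatus, Signer -AutoSize
```

A file that matches on signer or hash should be treated as the malicious installer described above, followed by the deletion and password changes the report advises.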
Additional Information
- Technology
- Government