TrendAI™ Research provides a technical analysis of a compromised EmEditor installer used to deliver multistage malware that performs a range of malicious actions.

Trend Micro Blog offers insights, analysis, and updates on cybersecurity threats, trends, and best practices. Covering topics such as malware analysis, threat intelligence, and cybersecurity risk management, Trend Micro Blog provides resources for IT security professionals, helping them stay ahead of emerging threats and protect their organizations from cyber attacks.

Trend Micro

A watering hole attack compromised EmEditor's download page in late December 2025, distributing malware-laden installers to users. The malicious MSI file deployed multistage PowerShell payloads capable of credential theft, data exfiltration, disabling security telemetry, and establishing command-and-control communication. Geofencing behavior suggests Russian or CIS-origin threat actors. The attack targeted developer communities, particularly Japanese users, exploiting the holiday period for reduced detection. Organizations should validate installer integrity, monitor PowerShell execution, preserve endpoint telemetry, and enforce least privilege access to mitigate supply chain risks.

Watering Hole Attack Targets EmEditor Users with Information-Stealing Malware