EmEditor Homepage Download Button Served Malware for 4 Days
Essential information
- Published
- 30/12/2025 16:57
- Modified
- 30/12/2025 17:22
- Tags
- 2025-12-30 browser extension cryptocurrency data theft digital signature emeditor infostealer website compromise
- Related entities
- 1 observables, 8 techniques (mitre), 2 others
Description
Between December 19-22, 2025, EmEditor's official website suffered a security breach, causing the main download button to serve malicious software. The fake installer, signed by WALSHAM INVESTMENTS LIMITED, contained infostealer malware targeting login credentials, browser history, and VPN settings. It specifically targeted technical staff and government offices, stealing files and installing a fraudulent browser extension for remote control and cryptocurrency address swapping. Users who downloaded during this period are advised to check the digital signature, delete suspicious files, and change stored passwords. Emurasoft is investigating the incident and has apologized for the inconvenience.