EmEditor Homepage Download Button Served Malware for 4 Days
Between December 19-22, 2025, EmEditor's official website suffered a security breach, causing the main download button to serve malicious software. The fake installer, signed by WALSHAM INVESTMENTS LIMITED, contained infostealer malware targeting login credentials, browser history, and VPN settings. It specifically targeted technical staff and government offices, stealing files and installing a fraudulent browser extension for remote control and cryptocurrency address swapping. Users who downloaded during this period are advised to check the digital signature, delete suspicious files, and change stored passwords. Emurasoft is investigating the incident and has apologized for the inconvenience.
Indicators of Compromise
- hash (MD5): 43b5de7bba443f9af69b1cc0691d5172
- hash (SHA-1): 6cc9aabfc48fa8338f72520433c89e80e895f706
- hash (SHA-256): e5f9c1e9b586b59712cefa834b67f829ccbed183c6855040e6d42f0c0c3fcb3e
Technical Details
- Author: AlienVault
- TLP: white
- References: https://hackread.com/emeditor-homepage-download-button-malware
- Adversary: null
- Pulse Id: 6954047d8a63acca030bd5e8
- Threat Score: null
Threat ID: 69544fc0db813ff03e2ae6fa
Added to database: 12/30/2025, 10:18:40 PM
Last updated: 12/30/2025, 10:18:47 PM