Investigation on the EmEditor Supply Chain Cyberattack
A recent supply chain attack targeting EmEditor users has been uncovered, involving watering hole tactics. The investigation reveals multiple domains masquerading as EmEditor-related sites, all registered through NameSilo LLC in December 2025. The domains resolve to various IP addresses, with some changes observed in February 2026. Additional domains with similar patterns were discovered, along with peculiar HTTP header behavior. A potential early stage of the campaign was identified, sharing similar characteristics with the initial report. The attackers continued their activities even after exposure, utilizing PowerShell scripts and various domains for command and control purposes. The analysis provides a comprehensive list of indicators, including domain names, IP addresses, and file hashes associated with the attack.
AI Analysis
Technical Summary
This threat involves a sophisticated supply chain attack targeting users of EmEditor, a text editor. The attackers employed watering hole tactics by registering multiple domains that closely mimic legitimate EmEditor-related sites, all registered through the registrar NameSilo LLC in December 2025. These domains resolve to various IP addresses, some of which changed in February 2026, indicating active operational adjustments by the threat actors. The campaign includes an earlier stage with similar characteristics, suggesting a prolonged and evolving operation. The attackers use PowerShell scripts for payload execution and command and control (C2) communications, leveraging multiple domains to maintain persistence and evade detection. The HTTP headers observed during the investigation showed peculiar behavior, possibly intended to fingerprint visitors or evade security controls. The campaign's indicators include malicious domain names such as emeditorde.com, emeditorgb.com, and emeditorjp.com, IP addresses such as 5.101.82.118 and 64.188.83.146, and file hashes of malicious payloads. The observed techniques map to MITRE ATT&CK T1583 (Acquire Infrastructure), T1584 (Compromise Infrastructure), T1102 (Web Service), T1059.001 (PowerShell), and T1566 (Phishing). Although no exploits in the wild or CVE identifiers are associated with this activity, the supply chain nature of the attack and the attackers' continued activity after exposure highlight the threat's sophistication and potential impact. The campaign's persistence and use of masquerading domains increase the risk of successful compromise of EmEditor users, potentially leading to data exfiltration or further network intrusion.
Potential Impact
For European organizations, this supply chain attack poses a significant risk due to the widespread use of EmEditor in various sectors including government, finance, and technology. Compromise through this vector could lead to unauthorized access, data theft, or lateral movement within networks. The watering hole and domain masquerading tactics increase the likelihood of successful phishing or drive-by download attacks, especially if users access compromised or fake EmEditor-related websites. PowerShell-based payloads can bypass traditional antivirus solutions, enabling stealthy execution of malicious code. The persistence of the attackers even after exposure suggests that affected organizations may face prolonged intrusion and data compromise risks. Given the supply chain nature, even organizations with strong perimeter defenses may be vulnerable if they rely on EmEditor for critical operations. The medium severity rating reflects the moderate ease of exploitation combined with the potential for significant confidentiality and integrity impacts. Disruption of business processes or exposure of sensitive data could have regulatory and reputational consequences under GDPR and other European data protection laws.
Mitigation Recommendations
European organizations should implement a multi-layered defense strategy tailored to this threat. First, verify the authenticity of EmEditor software installations and updates by obtaining them only from official sources and validating digital signatures. Monitor network traffic for connections to the identified malicious domains and IP addresses, blocking them at the firewall or DNS level. Deploy endpoint detection and response (EDR) solutions capable of detecting suspicious PowerShell activity, including script execution and command anomalies. Conduct user awareness training focused on recognizing phishing attempts and the risks of visiting unofficial or suspicious websites. Implement strict application whitelisting to prevent unauthorized PowerShell scripts from running. Regularly audit and update domain name system (DNS) filtering policies to detect and block domain masquerading attempts. Employ threat intelligence feeds to stay updated on new indicators related to this campaign. Finally, establish incident response procedures to quickly isolate and remediate infected systems, including forensic analysis of PowerShell logs and network connections. Organizations should also consider engaging with software vendors to confirm supply chain integrity and apply any forthcoming patches or mitigations.
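One way to implement the DNS-level monitoring recommended above: a small detector, added here as an example and not part of the report, that scans resolver query logs for registrable domains imitating the EmEditor brand. It assumes a constructed log line format and that emeditor.com is the vendor's official site; the known-bad set holds only the lookalike domains quoted in the report's narrative.

```python
import re
from difflib import SequenceMatcher
# Brand token the lookalikes imitate; treating emeditor.com as the official
# site is an assumption of this example, not a value taken from the report.
BRAND = "emeditor"
ALLOWLIST = {"emeditor.com"}
# Lookalike domains quoted in the report's narrative; extend from your IoC feed.
KNOWN_BAD = {"emeditorde.com", "emeditorgb.com", "emeditorjp.com"}
# Constructed resolver log format (assumption): "<ts> client=<ip> query=<name> type=<rr>"
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")

def registrable(name: str) -> str:
    """Approximate the registrable domain as the last two labels (no PSL lookup)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def classify(domain: str):
    """Return why a registrable domain looks like an EmEditor lookalike, or None."""
    if domain in ALLOWLIST:
        return None
    if domain in KNOWN_BAD:
        return "known-ioc"
    sld = domain.split(".")[0]
    if BRAND in sld:
        return "brand-token"   # brand embedded with extra letters, e.g. emeditorltd
    # truncated or altered spellings such as emedorg still score high on similarity
    if SequenceMatcher(None, sld, BRAND).ratio() >= 0.75:
        return "near-match"
    return None

def scan_dns_log(lines):
    """Return (client, registrable domain, reason) for each suspicious query."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dom = registrable(m.group("query"))
        reason = classify(dom)
        if reason:
            hits.append((m.group("client"), dom, reason))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not taken from the report
    "2026-02-10T08:12:01Z client=10.0.0.5 query=www.emeditor.com type=A",
    "2026-02-10T08:12:07Z client=10.0.0.5 query=emeditorde.com type=A",
    "2026-02-10T08:13:40Z client=10.0.0.9 query=cdn.emeditorltd.com type=A",
    "2026-02-10T08:14:02Z client=10.0.0.9 query=emedorg.com type=A",
    "2026-02-10T08:15:11Z client=10.0.0.7 query=github.com type=A",
]
```

The similarity threshold trades false positives for coverage of altered spellings; tune it against your own resolver logs before alerting on near-match hits.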
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack
- Adversary: null
- Pulse Id: 6989f4a0761d0f153bbb94e4
- Threat Score: null
Threat ID: 698a44134b57a58fa16f31e9
Added to database: 2/9/2026, 8:31:15 PM
Last enriched: 2/9/2026, 8:46:11 PM
Last updated: 2/12/2026, 1:07:33 AM