A compromised installer for EmEditor, a text editor trusted by developers worldwide, has been used to push sophisticated malware, according to TrendAI Research. The campaign hijacked the official download page of the U.S.-based vendor, serving a trojanised MSI package that can steal credentials and enable lateral movement across victim networks.
The infection begins when the compromised installer is run: the MSI's CustomAction script spawns a PowerShell command that retrieves first-stage code from a lookalike domain, EmEditorjp[.]com. That payload then connects to two further command-and-control servers, EmEditorgb[.]com and EmEditorde[.]com, to download the main modules.
The malware fingerprints the host and enforces a geofencing check that aborts the infection if the victim is in Armenia, Belarus, Georgia, Kazakhstan, or Kyrgyzstan, a detail suggesting a CIS/Russian-origin pattern. Its capabilities include credential theft, defence evasion by disabling PowerShell ETW, and lateral movement for follow-on intrusion, and it defers its malicious activity until after installation has completed in order to extend dwell time. Organisations are urged to monitor logs for traffic to the identified domains and to verify any EmEditor installers downloaded in late December 2025.
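The two detection opportunities the report points to are network traffic to the three named domains and an msiexec.exe process spawning PowerShell during installation. The script below is an added example written for this article, not code from TrendAI Research or from the EmEditor vendor; it scans a small set of constructed DNS, proxy and process-creation log lines for both indicators. The domains are refanged from the article's `[.]` notation, the `ParentImage`/`Image` field names follow the Sysmon event 1 convention but the overall line format is an assumption, and the benign `updates.emeditor.com` line is included only as a control so that the vendor's own domain is not flagged.

```python
import re
from dataclasses import dataclass

# Command-and-control / staging domains named in the report (refanged from EmEditorjp[.]com etc.).
IOC_DOMAINS = {"emeditorjp.com", "emeditorgb.com", "emeditorde.com"}

# Constructed sample log lines for demonstration; not real telemetry.
SAMPLE_LOGS = """\
2025-12-28T10:02:11Z dns query client=10.0.5.12 qname=emeditorjp.com qtype=A
2025-12-28T10:02:13Z proxy client=10.0.5.12 method=GET url=https://cdn.emeditorgb.com/m1 status=200
2025-12-28T10:05:40Z dns query client=10.0.5.40 qname=updates.emeditor.com qtype=A
2025-12-28T10:02:12Z sysmon eventid=1 ParentImage=C:\\Windows\\System32\\msiexec.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2025-12-28T11:00:00Z sysmon eventid=1 ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
"""


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str    # "c2_domain" or "msi_spawns_powershell"
    detail: str  # matched IoC domain, or the event timestamp


# Hostname-looking tokens: one or more labels followed by an alphabetic TLD (IP addresses do not match).
DOMAIN_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def domain_hits(line: str) -> set:
    """Return the IoC domains a log line refers to, matching the domain itself or any subdomain of it."""
    found = set()
    for m in DOMAIN_RE.finditer(line):
        host = m.group(1).lower()
        for ioc in IOC_DOMAINS:
            if host == ioc or host.endswith("." + ioc):
                found.add(ioc)
    return found


def _basename(path: str) -> str:
    """Last path component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_msi_spawning_powershell(line: str) -> bool:
    """True for a process-creation record whose parent is msiexec.exe and whose child is PowerShell."""
    parent = re.search(r"(?:^|\s)ParentImage=(\S+)", line)
    child = re.search(r"(?:^|\s)Image=(\S+)", line)
    if not (parent and child):
        return False
    return _basename(parent.group(1)) == "msiexec.exe" and \
        _basename(child.group(1)) in {"powershell.exe", "pwsh.exe"}


def scan(log_text: str) -> list:
    """Scan newline-separated log lines and return every Hit, in line order."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        for ioc in sorted(domain_hits(line)):
            hits.append(Hit(n, "c2_domain", ioc))
        if is_msi_spawning_powershell(line):
            hits.append(Hit(n, "msi_spawns_powershell", line.split()[0]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} ({hit.detail})")
```

Run against real telemetry, the `SAMPLE_LOGS` constant would be replaced by DNS resolver, proxy or EDR exports; the domain check deliberately matches subdomains because staging hosts are commonly served from a subdomain of the registered C2 domain, while the parent/child check is narrow enough to avoid flagging ordinary PowerShell launches from Explorer or a shell.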