The Editor’s Trap: EmEditor Hijacked to Deploy Stealthy “Google Drive” Infostealer
In late December, an unwelcome supply-chain surprise erupted around the popular text editor EmEditor. According to the developer, between December 19 and 22, 2025, the download button on the official website may have served not the genuine installer, but a tampered MSI file bearing a digital signature that did not belong to the vendor. Instead of Emurasoft, Inc., the suspicious file was signed by WALSHAM INVESTMENTS LIMITED—an immediate red flag for anyone who downloaded the installer during that window.
EmEditor issued an official notice on December 23, explaining that during this “risk window,” the redirection behind the Download Now button was likely altered by a third party, potentially delivering a file not originating from Emurasoft. The company urged users to verify the digital signature and hash of emed64_25.4.3.msi and stressed that updates via EmEditor’s built-in updater, direct downloads from download.emeditor.info, the portable edition, store versions, and installations via winget were not affected.
Almost simultaneously, the Chinese security research team QiAnXin (奇安信) reported that they had observed the same incident within their threat intelligence feeds, intercepted the continuation of the attack chain, and reconstructed what they believe to be the full malicious payload. Their reasoning is straightforward: EmEditor is favored by technical professionals—developers, administrators, and operations engineers—making a single compromised installer a potentially powerful foothold for organizational data breaches.
According to QiAnXin, the malicious MSI contained a script that executed PowerShell commands, beginning by suppressing logging to complicate forensic analysis. It then collected basic system information—operating system version, username, and other parameters—and generated an RSA key to encrypt the stolen data. The initial data exfiltration, researchers claim, was sent to a command-and-control server masquerading as a legitimate EmEditor domain: emeditorgb.com, with a unique victim identifier embedded in the request.
What followed was a familiar routine for modern infostealers. The report describes enumeration of files on the desktop and within the Documents and Downloads folders, harvesting VPN configurations, attempts to extract Windows credentials, and the plundering of browser assets—cookies, saved logins, and profile settings. The malware also targeted a wide array of popular applications and services, including Zoho Mail, Evernote, Notion, Discord, Slack, Mattermost, Skype, LiveChat, Microsoft Teams, Zoom, WinSCP, PuTTY, Steam, Telegram, and others. Screen capture was included as well, with the collected data allegedly bundled into an archive named array.bin.
A noteworthy detail highlighted by the researchers is a pre-execution language check: before proceeding with its final stages, the malware examined the system language and terminated itself if it detected “undesirable” regions. The list reportedly included countries of the former Soviet Union and Iran—a common tactic among threat actors to reduce exposure and avoid drawing attention from local authorities.
For persistence, QiAnXin reports that the attack chain installed a browser extension innocuously named Google Drive Caching. This extension was designed to maintain long-term access and continue data theft. It could collect detailed device fingerprints (CPU, GPU, memory size, screen resolution, time zone), exfiltrate cookies, browsing history, extension lists, and bookmarks, and even capture keystrokes. The report emphasizes features that resemble a cybercriminal’s Swiss Army knife: cryptocurrency address substitution (with claimed support for more than 30 asset types), theft of Facebook Ads data, and a suite of remote-control commands ranging from taking screenshots and reading local files to opening URLs and executing arbitrary JavaScript within pages.
The extension’s initial command-and-control endpoint is said to be cachingdrive.com, with a fallback domain generation algorithm (DGA) that rotates weekly. The intent is clear: even if one domain is quickly taken down, the extension can relocate to a new control point with minimal disruption.
The practical takeaway is uncomfortably universal: even a familiar “text editing” utility can become an entry point if its distribution is compromised. If you installed EmEditor between December 19 and 22, 2025, specifically via the Download Now button on the official site, it is prudent to treat the situation with utmost seriousness—verify the installer’s signature and hash, conduct a full system scan, and scrutinize browser data and corporate messaging tools in particular, as these are prime targets for such campaigns.
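As an added, defender-side example (not code from Emurasoft or QiAnXin), the PowerShell script below performs the two checks the notice recommends and one follow-up triage step: it verifies the downloaded installer's Authenticode signer and SHA-256 hash, then searches Chrome and Edge profiles for an extension whose manifest name matches the reported "Google Drive Caching". The installer path, the expected-hash placeholder, and the assumption that the extension's manifest `name` equals its display name are assumptions, not values from the page.

```powershell
# Added example for triaging the EmEditor incident; not code from Emurasoft or QiAnXin.
# Assumptions: installer location, expected-hash placeholder, and that the extension's
# manifest "name" field matches the reported display name.
param(
    [string]$InstallerPath  = "$env:USERPROFILE\Downloads\emed64_25.4.3.msi",
    # Placeholder: replace with the SHA-256 published in Emurasoft's notice.
    [string]$ExpectedSha256 = '<SHA256-FROM-EMURASOFT-NOTICE>'
)

function Test-EmEditorInstaller {
    param([string]$Path, [string]$ExpectedHash)
    if (-not (Test-Path $Path)) { Write-Warning "Installer not found: $Path"; return $false }

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $hash    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    Write-Host "Signature status : $($sig.Status)"
    Write-Host "Signer subject   : $subject"
    Write-Host "SHA-256          : $hash"

    # Genuine installers are signed by Emurasoft, Inc.; the tampered file carried a
    # WALSHAM INVESTMENTS LIMITED signature. A valid signature from the wrong signer fails.
    if ($subject -match 'WALSHAM') { Write-Warning 'Signer matches the tampered installer from the notice.' }
    $signerOk = ($sig.Status -eq 'Valid') -and ($subject -match 'Emurasoft')
    $hashOk   = ($ExpectedHash -notlike '<*') -and ($hash -eq $ExpectedHash.ToUpper())
    return ($signerOk -and $hashOk)
}

function Find-SuspiciousExtension {
    param([string]$Name = 'Google Drive Caching')
    # Chromium browsers unpack extensions under <profile>\Extensions\<id>\<version>\manifest.json.
    # Caveat: a localized manifest uses "__MSG_*__" keys, which this simple name match misses.
    $roots = @("$env:LOCALAPPDATA\Google\Chrome\User Data",
               "$env:LOCALAPPDATA\Microsoft\Edge\User Data")
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -like '*\Extensions\*' } |
            ForEach-Object {
                try { $m = Get-Content $_.FullName -Raw | ConvertFrom-Json } catch { return }
                if ($m.name -eq $Name) {
                    [pscustomobject]@{ Browser = $root; Manifest = $_.FullName; Version = $m.version }
                }
            }
    }
}

if (Test-EmEditorInstaller -Path $InstallerPath -ExpectedHash $ExpectedSha256) { 'Installer OK' }
else { 'Installer FAILED verification' }
Find-SuspiciousExtension | Format-Table -AutoSize
```

A match from the extension search is a lead for a full host investigation, not proof on its own, since the same name could be reused by an unrelated extension.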