Watering Hole Attack Targets EmEditor Users with Information-Stealing Malware

    Date: 01/23/2026

    Severity: High

    Summary

    A software supply chain attack targeted users of EmEditor by distributing a compromised installer that delivered multistage information-stealing malware. The malicious installer enabled credential theft, data exfiltration, and lateral movement, while delaying execution of malicious behavior to evade early detection. This campaign highlights the risk posed by trusted third-party software distributed via public download channels and the need to closely monitor activity originating from legitimate developer tools and installers.

    Indicators of Compromise (IOC) List

    URLs/Domains

    EmEditorjp.com 

    EmEditorgb.com/run/mg8heP0r

    EmEditorde.com/gate/start/2daef8cd

    https://cachingdrive.com/gate/init/2daef8cd

    Hashes (SHA-1 and SHA-256; the full values are carried in Detection Queries 2 and 3 below)


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://cachingdrive.com/gate/init/2daef8cd" or url like "https://cachingdrive.com/gate/init/2daef8cd" or siteurl like "https://cachingdrive.com/gate/init/2daef8cd" or domainname like "EmEditorjp.com" or url like "EmEditorjp.com" or siteurl like "EmEditorjp.com" or domainname like "EmEditorgb.com/run/mg8heP0r" or siteurl like "EmEditorgb.com/run/mg8heP0r" or url like "EmEditorgb.com/run/mg8heP0r" or domainname like "EmEditorde.com/gate/start/2daef8cd" or siteurl like "EmEditorde.com/gate/start/2daef8cd" or url like "EmEditorde.com/gate/start/2daef8cd"

    Detection Query 2:

    sha1hash IN ("ff78a86746bdcc6ed1390ff291a6c599e96e8487","e5678fd66ac09205f55dc4fae9601185a76b2f50","a3ab5e58a9330dd673dec17777e5110bf3c9eba3","65b0853abb656c6cc342d87b872fbe21482e9bae","938325004e44ab1a65e948b4d07b05229309f630")

    Detection Query 3:

    sha256hash IN ("4bea333d3d2f2a32018cd6afe742c3b25bfcc6bfe8963179dad3940305b13c98","3d1763b037e66bbde222125a21b23fc24abd76ebab40589748ac69e2f37c27fc")
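    As an added example (not part of this advisory and not Gurucul query syntax), the same three checks expressed in Python over constructed key=value proxy/EDR records. It parses the host out of each URL, so scheme-prefixed or mixed-case variants of the listed domains are still caught while the legitimate emeditor.com is not; the `url`, `sha1hash` and `sha256hash` field names mirror the queries above, and the record format is an assumption.

```python
# Added example, not the advisory's own code: apply its IOCs to constructed log records.
from urllib.parse import urlsplit

IOC_URLS = [  # network indicators copied from the advisory above
    "EmEditorjp.com", "EmEditorgb.com/run/mg8heP0r",
    "EmEditorde.com/gate/start/2daef8cd", "https://cachingdrive.com/gate/init/2daef8cd",
]
IOC_SHA1 = {  # hashes copied from detection queries 2 and 3, lowercased
    "ff78a86746bdcc6ed1390ff291a6c599e96e8487", "e5678fd66ac09205f55dc4fae9601185a76b2f50",
    "a3ab5e58a9330dd673dec17777e5110bf3c9eba3", "65b0853abb656c6cc342d87b872fbe21482e9bae",
    "938325004e44ab1a65e948b4d07b05229309f630",
}
IOC_SHA256 = {
    "4bea333d3d2f2a32018cd6afe742c3b25bfcc6bfe8963179dad3940305b13c98",
    "3d1763b037e66bbde222125a21b23fc24abd76ebab40589748ac69e2f37c27fc",
}

def host_of(value):
    """Lowercase hostname of a URL or of a bare 'host/path' string; None if absent."""
    if not value or value == "-":
        return None
    if "://" not in value:          # bare host/path, as the advisory lists them
        value = "//" + value
    return urlsplit(value).hostname  # .hostname is normalised to lowercase

IOC_HOSTS = {host_of(u) for u in IOC_URLS}

def check_line(line):
    """Parse one key=value log line and return the indicators it matches (empty = clean)."""
    f = dict(kv.split("=", 1) for kv in line.split())
    hits = []
    host = host_of(f.get("url", "-"))
    for ioc in sorted(IOC_HOSTS):
        # exact host or a subdomain of it; the legitimate emeditor.com is not flagged
        if host and (host == ioc or host.endswith("." + ioc)):
            hits.append("domain:" + ioc)
    if f.get("sha1hash", "-").lower() in IOC_SHA1:
        hits.append("sha1:" + f["sha1hash"].lower())
    if f.get("sha256hash", "-").lower() in IOC_SHA256:
        hits.append("sha256:" + f["sha256hash"].lower())
    return hits

# Constructed sample records (not real telemetry); the mixed case is deliberate.
SAMPLE_LOGS = [
    "ts=2026-01-23T10:02:11Z host=WS01 url=https://EmEditorGB.com/run/mg8heP0r",
    "ts=2026-01-23T10:05:40Z host=WS01 url=https://www.emeditor.com/en/",
    "ts=2026-01-23T10:06:02Z host=WS02 url=- sha1hash=FF78A86746BDCC6ED1390FF291A6C599E96E8487",
    "ts=2026-01-23T10:07:15Z host=WS03 url=- sha256hash=3d1763b037e66bbde222125a21b23fc24abd76ebab40589748ac69e2f37c27fc",
]
```

    Run `[check_line(l) for l in SAMPLE_LOGS]` to see the second record (the genuine vendor site) come back empty while the other three are flagged.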

    Reference:

    https://www.trendmicro.com/en_us/research/26/a/watering-hole-attack-targets-emeditor-users.html


    Tags

    Malware, Infostealer, Credential Theft, Exfiltration
