In a major supply chain security incident, the popular text editor EmEditor has confirmed that its official download channels were compromised just days before Christmas. A new detailed analysis by Qianxin Threat Intelligence Center’s RedDrip Team reveals that for nearly four days, unsuspecting developers and IT professionals were downloading a sophisticated information-stealing trojan instead of their trusted text editor.
The incident, which occurred between December 19 and December 22, 2025, involved a stealthy redirection of the official download button to a malicious file hosted on a compromised path.
According to the official announcement released on December 23, the attackers managed to tamper with the website’s redirection settings. Users clicking the “Download Now” button were unknowingly served a malicious MSI installer.
The most glaring red flag was the digital signature. While legitimate EmEditor software is signed by “Emurasoft, Inc.”, the malicious files bore the signature of “WALSHAM INVESTMENTS LIMITED”.
“The MSI installation packages were replaced with malicious ones signed with a non-official signature ‘WALSHAM INVESTMENTS LIMITED’,” the report states.
The malware concealed within the installer was far more than a simple downloader. It functioned as a comprehensive vacuum for sensitive data. Once executed, the malicious MSI launched an embedded script that triggered a PowerShell command, stealthily collecting system information and generating an RSA key to encrypt stolen loot.
The scope of the theft was massive. The malware targeted:
- VPN Configurations: Stealing access credentials.
- Browser Data: Harvesting cookies, history, and login data from Chrome, Edge, Brave, and Opera.
- Application Credentials: Looting data from Zoho Mail, Evernote, Discord, Slack, Zoom, WinSCP, and PuTTY.
- Files: Exfiltrating documents from the Desktop, Documents, and Downloads folders.
Perhaps the most sophisticated aspect of the attack was its persistence mechanism. To maintain long-term access, the malware installed a malicious browser extension named “Google Drive Caching” (ID: ngahobakhbdpmokneiohlfofdmgpakd).
“Ultimately, it installs a browser extension for persistence, named ‘Google Drive Caching,’ which is a fully-featured information-stealing malware,” the RedDrip Team noted.
This extension was a Swiss Army knife for cyberespionage. It possessed modules for keylogging, taking screenshots, stealing Facebook advertising accounts, and even clipboard hijacking to replace cryptocurrency wallet addresses with those controlled by the attackers.
In a telling clue about the threat actor’s origins or rules of engagement, the malware included a strict “do not infect” list. The script checked the victim’s system language and would self-terminate if it detected locales associated with former Soviet states or Iran.
“If it belongs to one of the following countries (covering former Soviet regions and Iran), execution terminates,” the report explains, listing codes such as RU (Russia), UA (Ukraine), KZ (Kazakhstan), and IR (Iran).
Given EmEditor’s popularity among developers and operations personnel in China and globally, the RedDrip Team assesses this as a high-risk event for enterprise and government institutions.
“Considering the subsequent payload is information-stealing malware, a comprehensive assessment indicates this incident poses a large-scale potential threat to related government and enterprise institutions,” the report concludes.
Security teams are advised to check for the presence of the “WALSHAM INVESTMENTS LIMITED” certificate and the “Google Drive Caching” extension immediately.
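The two checks recommended above, and the signer mismatch described earlier in the article, can be scripted for endpoint triage. The following PowerShell script is an added example written for this page; it is not code from the RedDrip report or from Emurasoft. It takes only the indicators the article quotes (the two signer names and the extension ID). The EmEditor file locations it scans are assumptions, as are the Chromium-family profile directories and the policy registry keys, which are standard locations rather than anything the report describes.

```powershell
# Added triage example (not from the report or from Emurasoft). Assumes Windows PowerShell 5.1+
# running with read access to the current user's profile and Program Files.
$BadSigner      = 'WALSHAM INVESTMENTS LIMITED'     # signer quoted in the report
$GoodSigner     = 'Emurasoft, Inc.'                 # legitimate EmEditor publisher per the report
$BadExtensionId = 'ngahobakhbdpmokneiohlfofdmgpakd' # extension ID quoted in the report

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Location, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. Authenticode check on EmEditor installers and binaries (paths are assumptions).
$candidates = @()
$candidates += Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter 'emed*.msi' -File -ErrorAction SilentlyContinue
$candidates += Get-ChildItem -Path "$env:ProgramFiles\EmEditor" -Filter '*.exe' -Recurse -File -ErrorAction SilentlyContinue
foreach ($file in $candidates) {
    $sig     = Get-AuthenticodeSignature -FilePath $file.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    if ($subject -like "*$BadSigner*") {
        Add-Finding 'Signature' $file.FullName "signed by '$BadSigner' (status: $($sig.Status))"
    } elseif ($subject -notlike "*$GoodSigner*") {
        # Any signer other than the legitimate publisher is worth a look, not just the one named.
        Add-Finding 'Signature' $file.FullName "unexpected signer: $subject (status: $($sig.Status))"
    }
}

# 2. Extension check across the Chromium-family browsers the article names.
#    Installed extensions live under <profile>\Extensions\<id>\<version>\; the ID also appears
#    in the profile's Preferences / Secure Preferences files, which catches unpacked loads.
$browserRoots = @{
    'Chrome' = "$env:LOCALAPPDATA\Google\Chrome\User Data"
    'Edge'   = "$env:LOCALAPPDATA\Microsoft\Edge\User Data"
    'Brave'  = "$env:LOCALAPPDATA\BraveSoftware\Brave-Browser\User Data"
    'Opera'  = "$env:APPDATA\Opera Software\Opera Stable"
}
foreach ($browser in $browserRoots.Keys) {
    $root = $browserRoots[$browser]
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $dirs = Get-ChildItem -Path $root -Recurse -Directory -Filter $BadExtensionId -ErrorAction SilentlyContinue
    foreach ($d in $dirs) { Add-Finding 'Extension' $d.FullName "$browser extension directory for $BadExtensionId" }
    $prefFiles = Get-ChildItem -Path $root -Recurse -File -Include 'Preferences', 'Secure Preferences' -ErrorAction SilentlyContinue
    $hits = $prefFiles | Select-String -Pattern $BadExtensionId -SimpleMatch -List
    foreach ($h in $hits) { Add-Finding 'Extension' $h.Path "$browser profile preferences reference $BadExtensionId" }
}

# 3. Policy force-install lists (standard Chromium policy keys; whether this incident used them
#    is not stated in the report, so this is a general persistence check).
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ("$($p.Value)" -like "$BadExtensionId*") { Add-Finding 'Policy' $key "force-install entry $($p.Name) = $($p.Value)" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the EmEditor incident found on this host.'
    exit 0
}
$findings | Format-Table -AutoSize
exit 1
```

Run it per user on the endpoints that pulled EmEditor between December 19 and 22, 2025; the per-user profile paths mean a host-wide sweep needs the script run in each user's context or with the profile roots rewritten to iterate `C:\Users\*`. A non-zero exit code makes it easy to wire into an EDR or RMM job. A signed-but-wrong-publisher result is the primary indicator here, since the malicious MSI carried a valid-looking signature and `Get-AuthenticodeSignature` will report `Valid` for it; checking the subject name, not just the status, is the point.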