A recent supply chain attack targeting EmEditor users has been uncovered, involving watering hole tactics. The investigation reveals multiple domains masquerading as EmEditor-related sites, all registered through NameSilo LLC in December 2025. The domains resolve to various IP addresses, with some changes observed in February 2026. Additional domains with similar patterns were discovered, along with peculiar HTTP header behavior. A potential early stage of the campaign was identified, sharing similar characteristics with the initial report. The attackers continued their activities even after exposure, utilizing PowerShell scripts and various domains for command and control purposes. The analysis provides a comprehensive list of indicators, including domain names, IP addresses, and file hashes associated with the attack.