PULSE NAME: Investigation on the EmEditor Supply Chain attack
WHITE | Author: PetrP.73 | Created: 2026-02-16 | Modified: 2026-03-18
23 IOCs | MEDIUM VOLUME
This pulse tracks the investigation into the EmEditor supply chain attack described in a report by Trend Micro. The operation is a rare type of threat known as a watering hole attack, aimed specifically at users of the EmEditor software: the attacker compromises websites that the intended victims visit and uses them to serve malicious content or payloads. During analysis, passive DNS resolution was used to trace additional IP addresses associated with the attack. The initial examination found no further URLs tied directly to the command and control (C2) server identified by Trend Micro, http://cachingdrive.com, in particular the URL path "/gate/init". It did, however, surface a different domain using the path "/gate/start/", the suspicious URL hxxp://nc7d8p7u8j3n4hgm.com/gate/start/efeb550a. This suggests either an expansion of the attack's infrastructure or alternative entry points.
Indicators of Compromise (23)
TYPE            | INDICATOR                                                        | DESCRIPTION                                                                    | CREATED
CVE             | CVE-2026-21858                                                   |                                                                                | 2026-02-16
FileHash-MD5    | 7db4d84e579f0aad131bf32d55abf267                                 | MD5 of ceb31976b8040cad5d5db3856466d198d3c0ea5bc904ae05c509b3b6de72e1c8        | 2026-02-16
FileHash-MD5    | b97d5024adab17ceffe134f9ea877bf5                                 |                                                                                | 2026-02-16
FileHash-MD5    | d3c0ea5bc904ae05c509b3b6de72e1c8                                 |                                                                                | 2026-02-16
FileHash-SHA1   | 4c873cb2b661b9356a32eae67a5bf76177be4b1c                         | SHA1 of ceb31976b8040cad5d5db3856466d198d3c0ea5bc904ae05c509b3b6de72e1c8       | 2026-02-16
FileHash-SHA256 | ceb31976b8040cad5d5db3856466d198d3c0ea5bc904ae05c509b3b6de72e1c8 |                                                                                | 2026-02-16
URL             | http://nc7d8p7u8j3n4hgm.com/gate/start/efeb550a.                 |                                                                                | 2026-02-16
URL             | http://validin.com/                                              |                                                                                | 2026-02-16
URL             | https://keyactivate.cc:443/gate/start/e805d522                   |                                                                                | 2026-02-16
URL             | https://n8n.kraski-event.ru:443/gate/start/e805d522              |                                                                                | 2026-02-16
URL             | https://nc7d8p7u8j3n4hgm.com/gate/init/efeb550a/                 |                                                                                | 2026-02-16
domain          | cachingdrive.com                                                 |                                                                                | 2026-02-16
domain          | emeditorde.com                                                   |                                                                                | 2026-02-16
domain          | emeditorgb.com                                                   |                                                                                | 2026-02-16
domain          | emeditorjapan.com                                                |                                                                                | 2026-02-16
domain          | emeditorjp.com                                                   |                                                                                | 2026-02-16
domain          | emeditorltd.com                                                  |                                                                                | 2026-02-16
domain          | emedjp.com                                                       |                                                                                | 2026-02-16
domain          | emedorg.com                                                      |                                                                                | 2026-02-16
domain          | keyactivate.cc                                                   |                                                                                | 2026-02-16
domain          | nc7d8p7u8j3n4hgm.com                                             |                                                                                | 2026-02-16
domain          | validin.com                                                      |                                                                                | 2026-02-16
hostname        | n8n.kraski-event.ru                                              |                                                                                | 2026-02-16