{ "type": "Domain", "indicator": "emeditorde.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/emeditorde.com", "alexa": "http://www.alexa.com/siteinfo/emeditorde.com", "indicator": "emeditorde.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4169116935, "indicator": "emeditorde.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 12, "pulses": [ { "id": "6989f4a0761d0f153bbb94e4", "name": "Investigation on the EmEditor Supply Chain Cyberattack", "description": "A recent supply chain attack targeting EmEditor users has been uncovered, involving watering hole tactics. The investigation reveals multiple domains masquerading as EmEditor-related sites, all registered through NameSilo LLC in December 2025. The domains resolve to various IP addresses, with some changes observed in February 2026. Additional domains with similar patterns were discovered, along with peculiar HTTP header behavior. A potential early stage of the campaign was identified, sharing similar characteristics with the initial report. The attackers continued their activities even after exposure, utilizing PowerShell scripts and various domains for command and control purposes. The analysis provides a comprehensive list of indicators, including domain names, IP addresses, and file hashes associated with the attack.", "modified": "2026-03-11T14:03:26.774000", "created": "2026-02-09T14:52:16.312000", "tags": [ "powershell", "supply chain attack", "emeditor", "command and control", "domain masquerading", "watering hole" ], "references": [ "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA256": 1, "domain": 10 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 386653, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69735fdc6006a7c4a9748eb3", "name": "Watering Hole Attack Targets EmEditor Users With Information-Stealing Malware", "description": "A compromised EmEditor installer was used in a software supply chain attack to deliver multistage malware. The attack, discovered in late December 2025, targeted users of this widely-used text editor. The malware performs credential theft, data exfiltration, and enables lateral movement. It uses obfuscated PowerShell scripts and geofencing techniques, suggesting possible Russian origin. The malware disables security features, gathers system information, and exfiltrates data to a command-and-control server. This incident highlights the importance of validating installer integrity, monitoring PowerShell usage, preserving endpoint telemetry, and enforcing least privilege principles. Software publishers are advised to secure download infrastructure and prepare incident response plans.", "modified": "2026-01-23T22:53:38.943000", "created": "2026-01-23T11:47:40.016000", "tags": [ "evelyn stealer", "watering hole", "emeditor", "powershell", "software supply chain", "multistage malware", "geofencing", "information stealing" ], "references": [ "https://www.trendmicro.com/en_us/research/26/a/watering-hole-attack-targets-emeditor-users.html" ], "public": 1, "adversary": "", "targeted_countries": [ "Japan", "Russian Federation" ], "malware_families": [], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 7, "FileHash-SHA256": 3, "domain": 4 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 386654, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c2cef0b65bce5b92b124a0", "name": "When Trust Becomes the Attack Vector: Analysis of the EmEditor Supply-Chain Compromise", "description": "The EmEditor supply-chain compromise showcases a sophisticated attack where threat actors leveraged a trusted software distribution channel to execute malicious actions. Rather than traditional phishing methods, the attackers exploited a trusted WordPress-based download infrastructure, manipulating conditional server-side logic to deliver a trojanized Microsoft Installer (MSI) to specific users while allowing legitimate content for administrators. This approach highlights an evolving tactic in cyber threats, focusing on eroding trust at the source rather than exploiting direct vulnerabilities.", "modified": "2026-04-23T17:27:31.611000", "created": "2026-03-24T17:50:40.888000", "tags": [ "strong", "msi installer", "sha256", "ip address", "hosting ip", "compromise", "emeditor", "copilot", "filename", "timestamp", "malicious", "powershell", "twitter", "bluesky" ], "references": [ "https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/when-trust-becomes-the-attack-vector-analysis-of-the-emeditor-supply-chain-compr/4499552" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 5, "domain": 5 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69979ddcdbba1952fb51a3de", "name": "EbeeFeb2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-21T23:07:14.518000", "created": "2026-02-19T23:33:48.858000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20261281 cve", "uxxxxxx" ], "references": [ "IOCs2.csv" ], "public": 1, "adversary": "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "CVE": 7, "FileHash-MD5": 193, "FileHash-SHA1": 148, "FileHash-SHA256": 205, "domain": 203, "hostname": 63 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "71 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699322538f5f568e2b4a5ada", "name": "Investigation on the EmEditor Supply Chain attack", "description": "The investigation into the EmEditor supply chain attack, highlighted in a report by Trend Micro, revolves around a rare type of cyber threat known as a watering hole attack, which specifically targets users of the EmEditor software. This tactic typically involves compromising websites frequented by the intended victims to serve malicious content or payloads.\n\nDuring the analysis phase, passive DNS resolution techniques were employed to trace additional IPs associated with the attack. The initial examination did not reveal any further URLs directly related to the command and control (C2) server identified by Trend Micro, which was http://cachingdrive.com, particularly the URL path \"/gate/init\". However, the investigation led to the discovery of a different domain with the path \"/gate/start/\", linked to a suspicious URL: hxxp://nc7d8p7u8j3n4hgm.com/gate/start/efeb550a. This suggests a potential expansion of the attack's infrastructure or alternative entry points.", "modified": "2026-03-18T13:03:51.671000", "created": "2026-02-16T13:57:39.133000", "tags": [ "emeditor supply", "chain attack" ], "references": [ "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 5, "domain": 11, "hostname": 1 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "74 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698c4f02712e4743d0aa2263", "name": "EbeeFeb2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-13T09:35:12.591000", "created": "2026-02-11T09:42:26.929000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "redacted" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN delivering Amatera Stealer", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 159, "FileHash-SHA1": 186, "FileHash-SHA256": 256, "CVE": 4, "URL": 49, "domain": 98, "hostname": 46 }, "indicator_count": 798, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "80 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698ab634eeb2333f0dd6ea59", "name": "Investigation on the EmEditor Supply Chain Cyberattack", "description": "", "modified": "2026-03-11T14:03:26.774000", "created": "2026-02-10T04:38:12.735000", "tags": [ "powershell", "supply chain attack", "emeditor", "command and control", "domain masquerading", "watering hole" ], "references": [ "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": "6989f4a0761d0f153bbb94e4", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA256": 1, "domain": 10 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697db209bee23fd3f708fc91", "name": "Inside the EmEditor supply chain compromise", "description": "The supply chain compromise involving EmEditor illustrates sophisticated tactics employed by threat actors to manipulate software distribution. The attack unfolded in two primary phases, marked by strategic preparatory actions and the subsequent exploitation of a legitimate distribution mechanism. Initially, attackers registered look-alike command-and-control (C2) domains shortly before breaching the website and tampering with the installer downloads. Specifically, on December 19, the attackers redirected the 'Download Now' button to a backdoored installer instead of the authentic version, which was finalized prior to this date. The attackers resurfaced on December 29 to target a new version of the software, again employing freshly registered domains and signing installers with the intent to mislead users.", "modified": "2026-03-02T07:00:45.453000", "created": "2026-01-31T07:40:57.335000", "tags": [ "figure", "december", "find evil", "msi installer", "patchfile", "spectra assure", "report", "c2 domain", "spectra analyze", "compound file", "download", "april", "powershell", "encrypt", "nuget" ], "references": [ "https://www.reversinglabs.com/blog/emeditor-supply-chain-compromise" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 24, "URL": 5, "domain": 23 }, "indicator_count": 62, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "91 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697a9015a6b6986b45485d39", "name": "EbeeJan2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-02-27T22:03:31.816000", "created": "2026-01-28T22:39:17.725000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "PhantomCore, Campaign Targeting Leveraging VS Code, Watering Hole Attack Targets EmEditor Users", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 212, "FileHash-SHA1": 212, "FileHash-SHA256": 338, "URL": 16, "domain": 109, "email": 7, "hostname": 83 }, "indicator_count": 980, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6953821dc4dee11db477385b", "name": "EmEditor Supply Chain Incident Details Disclosed: Distribution of Information-Stealing Malware Sweeps Through Domestic Government and Enterprise Entities", "description": "A report by Qianxin Threat Intelligence Center on an incident involving the renowned document editor EmEditor reveals details of a large-scale information-stealing malware attack on the Chinese government and enterprise institutions.", "modified": "2026-01-29T07:03:28.109000", "created": "2025-12-30T07:41:17.644000", "tags": [ "china" ], "references": [ "https://ti.qianxin.com/blog/articles/emeditor-supply-chain-incident-details-disclosed-en/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 4, "domain": 16 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6976fb0a23604099e1df078b", "name": "Watering Hole Attack Targets EmEditor Users With Information-Stealing Malware", "description": "", "modified": "2026-01-26T05:26:34.017000", "created": "2026-01-26T05:26:34.017000", "tags": [ "evelyn stealer", "watering hole", "emeditor", "powershell", "software supply chain", "multistage malware", "geofencing", "information stealing" ], "references": [ "https://www.trendmicro.com/en_us/research/26/a/watering-hole-attack-targets-emeditor-users.html" ], "public": 1, "adversary": "", "targeted_countries": [ "Japan", "Russian Federation" ], "malware_families": [], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": "69735fdc6006a7c4a9748eb3", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 7, "FileHash-SHA256": 3, "domain": 4 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 276, "modified_text": "126 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "694e2c49ed072c432675e32d", "name": "IOC - EmEditor \u4f9b\u5e94\u94fe\u4e8b\u4ef6\u7ec6\u8282\u62ab\u9732\uff1a\u5206\u53d1\u7a83\u5bc6\u7279\u9a6c\u5e2d\u5377\u56fd\u5185\u653f\u4f01", "description": "2025 \u5e74 12 \u6708 23 \u65e5\uff0c\u8457\u540d\u6587\u6863\u7f16\u8f91\u5668 EmEditor \u5b98\u65b9\u53d1\u5e03\u516c\u544a\uff0c\u79f0 12 \u6708\u4efd 19 \u65e5\u81f3 22 \u65e5\u671f\u95f4\u5b98\u7f51\u5b89\u88c5\u5305\u88ab\u4f9b\u5e94\u94fe\u653b\u51fb\uff0cMSI \u5b89\u88c5\u5305\u88ab\u66ff\u6362\u6210\u5e26\u6709\u975e\u5b98\u65b9\u7b7e\u540d\u300aWALSHAM INVESTMENTS LIMITED\u300b\u7684\u6076\u610f\u5b89\u88c5\u5305", "modified": "2026-01-25T06:00:36.391000", "created": "2025-12-26T06:33:45.622000", "tags": [], "references": [ "https://mp.weixin.qq.com/s?src=11×tamp=1766729918&ver=6441&signature=35xPV-1b3b*nXM*Zw7KuenkkqR3NK51dxS9mhLcq9LYWy5nvFWA0ju*Ee432-zQik1e-LRKdGQGpVeBjfIy5WAe6cbaUP5TiYUyfpmC0hpVCmTMpoasRhSVUzG833iH2&new=1" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "URL": 3, "domain": 15 }, "indicator_count": 20, "is_author": false, "is_subscribing": null, "subscriber_count": 137, "modified_text": "127 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.trendmicro.com/en_us/research/26/a/watering-hole-attack-targets-emeditor-users.html", "https://mp.weixin.qq.com/s?src=11×tamp=1766729918&ver=6441&signature=35xPV-1b3b*nXM*Zw7KuenkkqR3NK51dxS9mhLcq9LYWy5nvFWA0ju*Ee432-zQik1e-LRKdGQGpVeBjfIy5WAe6cbaUP5TiYUyfpmC0hpVCmTMpoasRhSVUzG833iH2&new=1", "https://www.reversinglabs.com/blog/emeditor-supply-chain-compromise", "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack", "IOCs.csv", "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack/", "https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/when-trust-becomes-the-attack-vector-analysis-of-the-emeditor-supply-chain-compr/4499552", "IOCs2.csv", "https://ti.qianxin.com/blog/articles/emeditor-supply-chain-incident-details-disclosed-en/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [ "Technology" ] }, "other": { "adversary": [ "PhantomCore, Campaign Targeting Leveraging VS Code, Watering Hole Attack Targets EmEditor Users", "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN delivering Amatera Stealer", "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R" ], "malware_families": [], "industries": [ "Technology" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 12, "pulses": [ { "id": "6989f4a0761d0f153bbb94e4", "name": "Investigation on the EmEditor Supply Chain Cyberattack", "description": "A recent supply chain attack targeting EmEditor users has been uncovered, involving watering hole tactics. The investigation reveals multiple domains masquerading as EmEditor-related sites, all registered through NameSilo LLC in December 2025. The domains resolve to various IP addresses, with some changes observed in February 2026. Additional domains with similar patterns were discovered, along with peculiar HTTP header behavior. A potential early stage of the campaign was identified, sharing similar characteristics with the initial report. The attackers continued their activities even after exposure, utilizing PowerShell scripts and various domains for command and control purposes. The analysis provides a comprehensive list of indicators, including domain names, IP addresses, and file hashes associated with the attack.", "modified": "2026-03-11T14:03:26.774000", "created": "2026-02-09T14:52:16.312000", "tags": [ "powershell", "supply chain attack", "emeditor", "command and control", "domain masquerading", "watering hole" ], "references": [ "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA256": 1, "domain": 10 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 386653, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69735fdc6006a7c4a9748eb3", "name": "Watering Hole Attack Targets EmEditor Users With Information-Stealing Malware", "description": "A compromised EmEditor installer was used in a software supply chain attack to deliver multistage malware. The attack, discovered in late December 2025, targeted users of this widely-used text editor. The malware performs credential theft, data exfiltration, and enables lateral movement. It uses obfuscated PowerShell scripts and geofencing techniques, suggesting possible Russian origin. The malware disables security features, gathers system information, and exfiltrates data to a command-and-control server. This incident highlights the importance of validating installer integrity, monitoring PowerShell usage, preserving endpoint telemetry, and enforcing least privilege principles. Software publishers are advised to secure download infrastructure and prepare incident response plans.", "modified": "2026-01-23T22:53:38.943000", "created": "2026-01-23T11:47:40.016000", "tags": [ "evelyn stealer", "watering hole", "emeditor", "powershell", "software supply chain", "multistage malware", "geofencing", "information stealing" ], "references": [ "https://www.trendmicro.com/en_us/research/26/a/watering-hole-attack-targets-emeditor-users.html" ], "public": 1, "adversary": "", "targeted_countries": [ "Japan", "Russian Federation" ], "malware_families": [], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1573.001", "name": "Symmetric Cryptography", "display_name": "T1573.001 - Symmetric Cryptography" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1012", "name": "Query Registry", "display_name": "T1012 - Query Registry" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1518", "name": "Software Discovery", "display_name": "T1518 - Software Discovery" } ], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 22, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 3, "FileHash-SHA1": 7, "FileHash-SHA256": 3, "domain": 4 }, "indicator_count": 17, "is_author": false, "is_subscribing": null, "subscriber_count": 386654, "modified_text": "128 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69c2cef0b65bce5b92b124a0", "name": "When Trust Becomes the Attack Vector: Analysis of the EmEditor Supply-Chain Compromise", "description": "The EmEditor supply-chain compromise showcases a sophisticated attack where threat actors leveraged a trusted software distribution channel to execute malicious actions. Rather than traditional phishing methods, the attackers exploited a trusted WordPress-based download infrastructure, manipulating conditional server-side logic to deliver a trojanized Microsoft Installer (MSI) to specific users while allowing legitimate content for administrators. This approach highlights an evolving tactic in cyber threats, focusing on eroding trust at the source rather than exploiting direct vulnerabilities.", "modified": "2026-04-23T17:27:31.611000", "created": "2026-03-24T17:50:40.888000", "tags": [ "strong", "msi installer", "sha256", "ip address", "hosting ip", "compromise", "emeditor", "copilot", "filename", "timestamp", "malicious", "powershell", "twitter", "bluesky" ], "references": [ "https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/when-trust-becomes-the-attack-vector-analysis-of-the-emeditor-supply-chain-compr/4499552" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1195.002", "name": "Compromise Software Supply Chain", "display_name": "T1195.002 - Compromise Software Supply Chain" }, { "id": "T1218.007", "name": "Msiexec", "display_name": "T1218.007 - Msiexec" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 5, "domain": 5 }, "indicator_count": 16, "is_author": false, "is_subscribing": null, "subscriber_count": 541, "modified_text": "38 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "69979ddcdbba1952fb51a3de", "name": "EbeeFeb2026 Pt4", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-21T23:07:14.518000", "created": "2026-02-19T23:33:48.858000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1", "cve20261281 cve", "uxxxxxx" ], "references": [ "IOCs2.csv" ], "public": 1, "adversary": "Cephalus Ransomware, Transparent Tribe, CRESCENTHARVEST, Keenadu, Cloudflare Pages \"Continue Read\" R", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 57, "CVE": 7, "FileHash-MD5": 193, "FileHash-SHA1": 148, "FileHash-SHA256": 205, "domain": 203, "hostname": 63 }, "indicator_count": 876, "is_author": false, "is_subscribing": null, "subscriber_count": 40, "modified_text": "71 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "699322538f5f568e2b4a5ada", "name": "Investigation on the EmEditor Supply Chain attack", "description": "The investigation into the EmEditor supply chain attack, highlighted in a report by Trend Micro, revolves around a rare type of cyber threat known as a watering hole attack, which specifically targets users of the EmEditor software. This tactic typically involves compromising websites frequented by the intended victims to serve malicious content or payloads.\n\nDuring the analysis phase, passive DNS resolution techniques were employed to trace additional IPs associated with the attack. The initial examination did not reveal any further URLs directly related to the command and control (C2) server identified by Trend Micro, which was http://cachingdrive.com, particularly the URL path \"/gate/init\". However, the investigation led to the discovery of a different domain with the path \"/gate/start/\", linked to a suspicious URL: hxxp://nc7d8p7u8j3n4hgm.com/gate/start/efeb550a. This suggests a potential expansion of the attack's infrastructure or alternative entry points.", "modified": "2026-03-18T13:03:51.671000", "created": "2026-02-16T13:57:39.133000", "tags": [ "emeditor supply", "chain attack" ], "references": [ "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 1, "FileHash-MD5": 3, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 5, "domain": 11, "hostname": 1 }, "indicator_count": 23, "is_author": false, "is_subscribing": null, "subscriber_count": 539, "modified_text": "74 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698c4f02712e4743d0aa2263", "name": "EbeeFeb2026 Pt1", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-03-13T09:35:12.591000", "created": "2026-02-11T09:42:26.929000", "tags": [ "filehashsha256", "filehashsha1", "filehashmd5", "redacted" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "ShadowHS, DynoWiper, Operation Neusploit, Fake CAPTCHA App-V LOLBIN delivering Amatera Stealer", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 159, "FileHash-SHA1": 186, "FileHash-SHA256": 256, "CVE": 4, "URL": 49, "domain": 98, "hostname": 46 }, "indicator_count": 798, "is_author": false, "is_subscribing": null, "subscriber_count": 39, "modified_text": "80 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "698ab634eeb2333f0dd6ea59", "name": "Investigation on the EmEditor Supply Chain Cyberattack", "description": "", "modified": "2026-03-11T14:03:26.774000", "created": "2026-02-10T04:38:12.735000", "tags": [ "powershell", "supply chain attack", "emeditor", "command and control", "domain masquerading", "watering hole" ], "references": [ "https://www.stormshield.com/news/investigation-on-the-emeditor-supply-chain-attack" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1584", "name": "Compromise Infrastructure", "display_name": "T1584 - Compromise Infrastructure" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" } ], "industries": [], "TLP": "white", "cloned_from": "6989f4a0761d0f153bbb94e4", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA256": 1, "domain": 10 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "81 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697db209bee23fd3f708fc91", "name": "Inside the EmEditor supply chain compromise", "description": "The supply chain compromise involving EmEditor illustrates sophisticated tactics employed by threat actors to manipulate software distribution. The attack unfolded in two primary phases, marked by strategic preparatory actions and the subsequent exploitation of a legitimate distribution mechanism. Initially, attackers registered look-alike command-and-control (C2) domains shortly before breaching the website and tampering with the installer downloads. Specifically, on December 19, the attackers redirected the 'Download Now' button to a backdoored installer instead of the authentic version, which was finalized prior to this date. The attackers resurfaced on December 29 to target a new version of the software, again employing freshly registered domains and signing installers with the intent to mislead users.", "modified": "2026-03-02T07:00:45.453000", "created": "2026-01-31T07:40:57.335000", "tags": [ "figure", "december", "find evil", "msi installer", "patchfile", "spectra assure", "report", "c2 domain", "spectra analyze", "compound file", "download", "april", "powershell", "encrypt", "nuget" ], "references": [ "https://www.reversinglabs.com/blog/emeditor-supply-chain-compromise" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059.001", "name": "PowerShell", "display_name": "T1059.001 - PowerShell" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1553.002", "name": "Code Signing", "display_name": "T1553.002 - Code Signing" }, { "id": "T1583.001", "name": "Domains", "display_name": "T1583.001 - Domains" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "PetrP.73", "id": "154605", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 5, "FileHash-SHA1": 5, "FileHash-SHA256": 24, "URL": 5, "domain": 23 }, "indicator_count": 62, "is_author": false, "is_subscribing": null, "subscriber_count": 540, "modified_text": "91 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "697a9015a6b6986b45485d39", "name": "EbeeJan2026 Pt5", "description": "Multiple APT/threat actors, Malware and Campaigns", "modified": "2026-02-27T22:03:31.816000", "created": "2026-01-28T22:39:17.725000", "tags": [ "filehashsha256", "filehashmd5", "filehashsha1" ], "references": [ "IOCs.csv" ], "public": 1, "adversary": "PhantomCore, Campaign Targeting Leveraging VS Code, Watering Hole Attack Targets EmEditor Users", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "IMEBEEIMFINE", "id": "343873", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 3, "FileHash-MD5": 212, "FileHash-SHA1": 212, "FileHash-SHA256": 338, "URL": 16, "domain": 109, "email": 7, "hostname": 83 }, "indicator_count": 980, "is_author": false, "is_subscribing": null, "subscriber_count": 43, "modified_text": "93 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6953821dc4dee11db477385b", "name": "EmEditor Supply Chain Incident Details Disclosed: Distribution of Information-Stealing Malware Sweeps Through Domestic Government and Enterprise Entities", "description": "A report by Qianxin Threat Intelligence Center on an incident involving the renowned document editor EmEditor reveals details of a large-scale information-stealing malware attack on the Chinese government and enterprise institutions.", "modified": "2026-01-29T07:03:28.109000", "created": "2025-12-30T07:41:17.644000", "tags": [ "china" ], "references": [ "https://ti.qianxin.com/blog/articles/emeditor-supply-chain-incident-details-disclosed-en/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1562", "name": "Impair Defenses", "display_name": "T1562 - Impair Defenses" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1568", "name": "Dynamic Resolution", "display_name": "T1568 - Dynamic Resolution" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1, "URL": 4, "domain": 16 }, "indicator_count": 21, "is_author": false, "is_subscribing": null, "subscriber_count": 277, "modified_text": "123 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "emeditorde.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "emeditorde.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780308490.78266 }