{
  "type": "URL",
  "indicator": "https://emeditorjp.com",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://emeditorjp.com",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4280914205,
      "indicator": "https://emeditorjp.com",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 1,
      "pulses": [
        {
          "id": "69c2cef0b65bce5b92b124a0",
          "name": "When Trust Becomes the Attack Vector: Analysis of the EmEditor Supply-Chain Compromise",
          "description": "The EmEditor supply-chain compromise showcases a sophisticated attack in which threat actors leveraged a trusted software distribution channel to execute malicious actions. Rather than relying on traditional phishing methods, the attackers exploited a trusted WordPress-based download infrastructure, manipulating conditional server-side logic to deliver a trojanized Microsoft Installer (MSI) to specific users while serving legitimate content to administrators. This approach highlights an evolving tactic in cyber threats, focusing on eroding trust at the source rather than exploiting direct vulnerabilities.",
          "modified": "2026-04-23T17:27:31.611000",
          "created": "2026-03-24T17:50:40.888000",
          "tags": [
            "strong",
            "msi installer",
            "sha256",
            "ip address",
            "hosting ip",
            "compromise",
            "emeditor",
            "copilot",
            "filename",
            "timestamp",
            "malicious",
            "powershell",
            "twitter",
            "bluesky"
          ],
          "references": [
            "https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/when-trust-becomes-the-attack-vector-analysis-of-the-emeditor-supply-chain-compr/4499552"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1195.002",
              "name": "Compromise Software Supply Chain",
              "display_name": "T1195.002 - Compromise Software Supply Chain"
            },
            {
              "id": "T1218.007",
              "name": "Msiexec",
              "display_name": "T1218.007 - Msiexec"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 2,
            "FileHash-SHA1": 2,
            "FileHash-SHA256": 2,
            "URL": 5,
            "domain": 5
          },
          "indicator_count": 16,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 541,
          "modified_text": "37 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/when-trust-becomes-the-attack-vector-analysis-of-the-emeditor-supply-chain-compr/4499552"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 0
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 20
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/emeditorjp.com",
    "whois": "http://whois.domaintools.com/emeditorjp.com",
    "domain": "emeditorjp.com",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 1,
  "pulses": [
    {
      "id": "69c2cef0b65bce5b92b124a0",
      "name": "When Trust Becomes the Attack Vector: Analysis of the EmEditor Supply-Chain Compromise",
      "description": "The EmEditor supply-chain compromise showcases a sophisticated attack in which threat actors leveraged a trusted software distribution channel to execute malicious actions. Rather than relying on traditional phishing methods, the attackers exploited a trusted WordPress-based download infrastructure, manipulating conditional server-side logic to deliver a trojanized Microsoft Installer (MSI) to specific users while serving legitimate content to administrators. This approach highlights an evolving tactic in cyber threats, focusing on eroding trust at the source rather than exploiting direct vulnerabilities.",
      "modified": "2026-04-23T17:27:31.611000",
      "created": "2026-03-24T17:50:40.888000",
      "tags": [
        "strong",
        "msi installer",
        "sha256",
        "ip address",
        "hosting ip",
        "compromise",
        "emeditor",
        "copilot",
        "filename",
        "timestamp",
        "malicious",
        "powershell",
        "twitter",
        "bluesky"
      ],
      "references": [
        "https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/when-trust-becomes-the-attack-vector-analysis-of-the-emeditor-supply-chain-compr/4499552"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1195.002",
          "name": "Compromise Software Supply Chain",
          "display_name": "T1195.002 - Compromise Software Supply Chain"
        },
        {
          "id": "T1218.007",
          "name": "Msiexec",
          "display_name": "T1218.007 - Msiexec"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 2,
        "FileHash-SHA1": 2,
        "FileHash-SHA256": 2,
        "URL": 5,
        "domain": 5
      },
      "indicator_count": 16,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 541,
      "modified_text": "37 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://emeditorjp.com",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "error": "Expecting value: line 1 column 1 (char 0)",
    "indicator": "https://emeditorjp.com",
    "type": "URL"
  },
  "from_cache": true,
  "_cached_at": 1780234368.4000268
}