Following our earlier announcement, “[Important] Security Incident Notice Regarding the EmEditor Installer Download Link”, we are sharing what we have learned through further investigation, along with additional details that supplement the previous notice.
We sincerely apologize once again for the serious concern and inconvenience this incident has caused.
1. Time Period Potentially Affected (U.S. Pacific Time / UTC)
In our previous notice, we provided the timeframe in U.S. Pacific Time. For reference, we also include Coordinated Universal Time (UTC).
- Dec 19, 2025 18:39 – Dec 22, 2025 12:50 (U.S. Pacific Time)
- 2025-12-20 02:39 – 2025-12-22 20:50 (UTC)
If you downloaded the installer during the period above via the EmEditor website download path (for example, the “Download Now” button), there is a possibility that you downloaded a file that was not the legitimate installer provided by us (Emurasoft, Inc.).
Please note that the period above is intentionally broad out of an abundance of caution. The actual window may have been shorter and limited to specific times.
2. About the Suspicious File (Confirmed Differences)
For the file emed64_25.4.3.msi, we have confirmed the existence of at least two suspicious files.
We also confirmed that both suspicious files were signed with Microsoft-issued digital signatures. Because the validity periods were extremely short (only a few days), we believe the certificates were likely issued in a manner similar to developer-oriented issuance.
We reported this incident to Microsoft, provided the suspicious files, and requested revocation of the relevant signatures. We have now confirmed that both signatures have been revoked. As a result, attempting to run the MSI should display a warning that the signature is invalid, making installation difficult.
Legitimate file (official EmEditor installer)
Problematic file #1
Problematic file #2
3. If You Already Deleted the Downloaded File
If you still have the downloaded file (emed64_25.4.3.msi), you can verify it (as previously announced) by checking the digital signature and/or SHA-256.
Even if you already deleted the file, Windows may have kept a copy of the MSI used during installation under C:\Windows\Installer, stored under a different name.
Because this folder is both hidden and protected by the OS, it can be difficult to locate through normal File Explorer browsing. Please open it directly by entering: C:\Windows\Installer.
After opening the folder, we recommend the steps below. Please be extremely careful not to double-click or run any MSI files.
- Sort by date (for example, “Date modified”)
- Focus on recent files
- Check the target file’s digital signature (Right-click → Properties → Digital Signatures)
4. How To Check whether Your Computer May be Infected
Even if the suspicious file was executed, infection is not guaranteed in environments such as:
- The device was offline
- A VPN/proxy was required
- Suspicious PowerShell behavior was blocked by Windows features or policies
- PowerShell execution was restricted
- Antivirus/security software blocked the activity
However, if any of the following apply, the likelihood of infection becomes very high:
C:\ProgramData\tmp_mojo.log exists- A scheduled task named
Google Drive Caching exists
background.vbs exists in %LOCALAPPDATA%\Google Drive Caching\- A browser extension named
Google Drive Caching exists in a Chromium-based browser such as Chrome or Microsoft Edge (even if it claims to be made by Google)—especially if it can “read and change data on all websites” and has clipboard access
- Network logs show connections to any of the following:
cachingdrive[.]comemeditorde[.]comemeditorgb[.]comemeditorjp[.]comemeditorsb[.]com
If none of the above apply, the risk is lower—but not zero—because part of the attack can run in memory and leave little or no file-based evidence.
5. Confirmed Behavior (Destination Domains, etc.)
As previously announced, we confirmed that the suspicious installer, when executed, downloads additional files from external domains and executes them.
While we previously confirmed access to emeditorjp[.]com, subsequent investigation has found additional access to emeditorde[.]com, emeditorgb[.]com, and emeditorsb[.]com as well.
None of these four domains (emeditorjp[.]com, emeditorde[.]com, emeditorgb[.]com, emeditorsb[.]com) are operated by us (Emurasoft, Inc.).
We also confirmed that the PowerShell command described in the previous notice downloads and executes files from external domains, and that this behavior could lead to malware infection and theft of personal information such as passwords.
For additional details, please refer to the research report prepared by Mr. Luca Palermo and Mr. Mario Ciccarelli. Mr. Palermo provided the report to us and granted permission for us to publish it, and we would like to express our sincere thanks for their cooperation.
6. Why This Was “Hard to Spot”
As a basic reality, both domains and digital signatures can be obtained by third parties under certain conditions.
- Domains can often be purchased at low cost if they are unused or not renewed.
- Code-signing certificates can generally be obtained from many certificate authorities (in this case, the issuer was Microsoft).
- Once an issue is discovered, the main available response is to contact the issuer/certification authority and request revocation.
From a technical perspective, MSI installers can include arbitrary scripts (including PowerShell) via custom actions. With sufficient knowledge, an attacker can inject a malware loader into an installer that closely resembles a legitimate, widely distributed one.
Even if the installer were an EXE rather than an MSI, similar attacks would still be possible.
Unfortunately, this means it is difficult for software companies to completely prevent malicious installers that closely imitate legitimate ones from being created and distributed. We must assume that similarly sophisticated, multi-stage malware installers could appear again in the future.
That said, we believe the core issues in this incident can be summarized as follows:
- A convenient redirect (download path) used on our website was altered without being detected.
- A malicious installer was placed on our website by an external party.
Because these occurred together, we take full responsibility for the fact that customers were harmed after downloading from our official website, and we will reflect this in our future preventive measures.
6-1. Malicious files placed on the EmEditor website
In addition to the malicious installer emed64_25.4.3.msi, we discovered a file named base64.php under a plugin directory. After analyzing base64.php, we determined it was a typical backdoor (remote code execution / RCE).
We also found that a script had been added to footer.php (within the WordPress theme directory). This script hijacked clicks intended for the legitimate URL:
https://support.emeditor.com/ja/downloads/latest/installer/64
and redirected them to:
/wp-content/uploads/filebase/emeditor-core/emed64_25.4.3.msi
As a result, clicking the “Download Now” button on the homepage could lead to the malicious file being downloaded.
More maliciously, the script was configured to trigger only for visitors who were not logged in, making the issue difficult for administrators to reproduce and detect. As a result, even when we checked the site ourselves, we did not immediately notice that the redirect had been altered.
7. Cause (Current Assessment)
We are still investigating and have not reached a final conclusion. However, we are considering the possibilities below.
WordPress is made up of multiple components—core, plugins, themes, and more—maintained by many developers. Vulnerabilities are regularly discovered in these components, and updates are released over time.
We regularly update plugins and themes, but in some cases vulnerabilities may remain unpatched for extended periods. It is possible that the attack exploited such a vulnerability.
It is also possible that the SFTP account in use was targeted.
8. Our Response (Completed / Planned)
We immediately deleted the malicious file emed64_25.4.3.msi. We also reviewed file modification logs and confirmed the addition of base64[.]php and changes to footer[.]php. After identifying base64[.]php as a backdoor, we scanned the entire site.
We then rebuilt the website, reinstalled all plugins, and removed unnecessary plugins. We also scanned internal computers and changed login passwords for all WordPress sites and related services. We audited several services we used by looking through their logs.
In addition, we stopped using redirects for download buttons such as “Download Now,” and replaced them with direct links to verified safe files. We also updated the download page to clearly show the MSI’s SHA-256 and added instructions encouraging users to verify the digital signature.
To further strengthen the EmEditor homepage download path, we are also considering migrating the site to a custom/static website instead of WordPress in the near future.
9. Closing
As described above, an installer that has been tampered with can perform extremely dangerous actions when executed. At the same time, we cannot fundamentally prevent third parties from creating and distributing malicious installers that imitate legitimate ones.
Therefore, our top priority is to make sure no one can obtain malware through our website, since it’s our primary distribution channel.
This incident also reminded us that while popular CMS platforms such as Xoops and WordPress are convenient, their extensibility can increase exposure to vulnerabilities—and that simply keeping plugins and themes updated does not eliminate risk entirely.
Fortunately, the Emurasoft Customer Center was not compromised, and our database remained secure. We have no evidence that anyone accessed our customer database.
In the hope that what we learned from this incident will help other software companies, we have included as much detail and context as possible rather than limiting this to a brief report.
We once again offer our sincere apologies for the concern and inconvenience caused. We especially apologize to those who suffered harm related to infection.
Thank you for your continued support of EmEditor.
