Background
On December 23, 2025, the well-known text editor EmEditor officially announced that between December 19 and 22 the installation packages on its official website had been subjected to a supply chain attack. The MSI packages were replaced with malicious ones signed with a non-official certificate issued to "WALSHAM INVESTMENTS LIMITED" rather than the vendor's own:
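A trojanised package that carries a valid Authenticode signature from the wrong company passes the casual "is it signed?" check, so the useful pre-install test is the signer name, not the signature status alone. The following PowerShell is an added example, not code from the report or from Emurasoft: it compares a downloaded MSI against the two MD5 values in the IOC section and inspects the signing certificate. The file path is hypothetical, and the expected publisher name is an assumption that must be confirmed against a known-good installer before being relied on.

```powershell
# Added example, not code from the report or from Emurasoft: pre-install check
# for a downloaded EmEditor MSI. Assumptions: the path below is hypothetical and
# the expected publisher name must be confirmed against a known-good installer.

$MsiPath = 'C:\Users\Public\Downloads\emed64_25.2.1.msi'   # hypothetical path

$MaliciousMd5 = @(                       # MD5 values from the IOC section
    'a27731876e769ff19e225700085967bf',
    '6a4554509ce27efe5c6b8e58431f60d8'
)
$RogueSigner    = 'WALSHAM INVESTMENTS LIMITED'   # signer named in the report
$ExpectedSigner = 'Emurasoft, Inc.'               # assumption: verify against a trusted copy

function Test-EmEditorMsi {
    param([Parameter(Mandatory)][string]$Path)

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Known-bad hash. MD5 is used only because that is what the IOC list
    #    provides; it catches the two observed samples and nothing else.
    $md5 = (Get-FileHash -Path $Path -Algorithm MD5).Hash.ToLowerInvariant()
    if ($MaliciousMd5 -contains $md5) {
        $findings.Add("MD5 $md5 matches a known malicious EmEditor MSI")
    }

    # 2. Authenticode. Status 'Valid' is necessary but not sufficient: the chain
    #    must end at the vendor's certificate, not merely at any trusted CA.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Authenticode status is '$($sig.Status)'")
    }
    $signer = ''
    if ($sig.SignerCertificate) {
        # SimpleName yields the CN value without the quoting that Subject
        # applies when the name contains a comma.
        $signer = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }
    if ($signer -eq $RogueSigner) {
        $findings.Add("signed by the rogue certificate '$RogueSigner'")
    } elseif ($signer -ne $ExpectedSigner) {
        $findings.Add("signer '$signer' is not the expected publisher '$ExpectedSigner'")
    }

    [pscustomobject]@{
        Path     = $Path
        MD5      = $md5
        Status   = $sig.Status
        Signer   = $signer
        Safe     = ($findings.Count -eq 0)
        Findings = $findings
    }
}

$result = Test-EmEditorMsi -Path $MsiPath
$result | Format-List
if (-not $result.Safe) { Write-Warning 'Do not install this package.' }
```

Run it against the downloaded file before launching the installer; a genuine package should report Safe = True with the vendor as signer. The hash comparison only recognises the two samples observed in this campaign, so the signer comparison is the durable control. Where the vendor publishes SHA-256 checksums, compare those as well.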

Qianxin Threat Intelligence Center's RedDrip Team also observed this incident through its private intelligence production process and captured the complete follow-on payloads. EmEditor has a considerable user base in China, many of them developers, operations staff, and other technical roles that handle sensitive data. Since the follow-on payload is an information stealer, we assess that this incident poses a large-scale potential threat to government and enterprise institutions.
The Tianqing "Liuhe" engine already intercepts the malicious MSI. We recommend that government and enterprise customers deploy the "Liuhe" engine to defend against unknown threats.

Sample Analysis
Information-Stealing Script
The malicious MSI installation package embeds a malicious script that launches the subsequent PowerShell commands.

The script first disables logging and defines several C# classes:

It then collects system information and generates an RSA public key for encrypting the stolen data.

Next, it collects information such as the system version and username, encrypts it, and uploads it to the C2 at https://emeditorgb.com/take/mg8heP0r/ + uuid (the UUID is appended to the path).

It steals files from the Desktop, Documents, and Downloads folders, first enumerating the filenames in those paths.

The results are encrypted and written to the file sandbox.txt.

It retrieves system information and writes it to system.txt.

It steals VPN configurations, Windows login credentials, and browser data including cookies, Login Data (saved passwords), and user settings.

It also steals credentials from the following software: Zoho Mail, Evernote, Notion, Discord, Slack, Mattermost, Skype, LiveChat, MS Teams, Zoom, WinSCP, PuTTY, Steam, Telegram, and others.

It captures a screenshot of the current screen:

After collecting everything, it packs the stolen data into a compressed archive named array.bin.

The contents of array.bin after extraction are as follows:

It checks whether the current system language appears in a hard-coded list covering former Soviet states and Iran; if it does, execution terminates.

Browser Extension
Finally, for persistence it installs a browser extension named "Google Drive Caching", which is itself a fully featured information stealer.

The core logic lives in background.js; the initial C2 is cachingdrive.com.

Anticipating that the initial C2 domain may be exposed and blocked, the attackers also built a DGA (Domain Generation Algorithm) as a fallback. The seed rotates weekly and is derived from the original seed, the year, the week number, and year*100 + week number.

For the week containing December 25, 2025, the algorithm yields the following domains:
[
"brt461jnbjvm52mw.biz",
"1a298k7iqspq52l4r9e.space",
"z2ctmmm61dm0c3wfic.store",
"afdwtyy38efzk.app",
"08qodmaloshm5zrwhww.xyz",
"gs9uuz4h0510qhob.io",
"973jgnzjgnwupd1nu.space",
"daj54smzpklt5kjq.space",
"8mfi71rtud8fov5.org",
"0xax86xdizce7kg9cpdk.online"
]
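Because the seed rotates weekly, the list above is only valid for one week, and a blocklist built from it goes stale on the next rotation. The following PowerShell is an added example, not code from the report or from the malware: it hunts DNS query telemetry for the fixed C2 names and the DGA output published in this report, and separately flags names that merely share the shape of the DGA output (one alphanumeric label of 13 to 20 characters under one of the observed TLDs) as a lower-confidence review signal. The log records are constructed to resemble Sysmon event ID 22 fields; the final query name is made up to exercise the heuristic branch and is not a real indicator.

```powershell
# Added example, not code from the report or from the malware: hunt DNS query
# telemetry for the C2 and DGA domains in this report. The events below are
# constructed to look like Sysmon event ID 22 (DnsQuery) records; in production
# replace Get-SampleDnsEvents with Get-WinEvent over
# Microsoft-Windows-Sysmon/Operational filtered on Id 22.

# Indicators from the report: fixed C2 names plus this week's DGA output.
$KnownBadDomains = @(
    'emeditorgb.com',
    'emedjp.com', 'emeditorde.com', 'emedorg.com', 'emeditorjapan.com', 'emeditorjp.com',
    'cachingdrive.com',
    'brt461jnbjvm52mw.biz', '1a298k7iqspq52l4r9e.space', 'z2ctmmm61dm0c3wfic.store',
    'afdwtyy38efzk.app', '08qodmaloshm5zrwhww.xyz', 'gs9uuz4h0510qhob.io',
    '973jgnzjgnwupd1nu.space', 'daj54smzpklt5kjq.space', '8mfi71rtud8fov5.org',
    '0xax86xdizce7kg9cpdk.online'
)
$BadSet = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]$KnownBadDomains, [System.StringComparer]::OrdinalIgnoreCase)

# Shape of the published DGA output: one lowercase alphanumeric label of 13-20
# characters directly under one of these TLDs. Next week's names will not be in
# $KnownBadDomains, so this stays a review signal, not a block rule.
$DgaTlds    = 'biz', 'space', 'store', 'app', 'xyz', 'io', 'org', 'online'
$DgaPattern = '^[a-z0-9]{13,20}\.(' + ($DgaTlds -join '|') + ')$'

function Get-SampleDnsEvents {
    # Constructed sample records. The last QueryName is made up to exercise the
    # heuristic branch and is not a real indicator.
    @(
        [pscustomobject]@{ UtcTime = '2025-12-25 09:12:01'; Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; QueryName = 'www.cachingdrive.com.' }
        [pscustomobject]@{ UtcTime = '2025-12-25 09:12:05'; Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; QueryName = 'Brt461jnbjvm52mw.BIZ' }
        [pscustomobject]@{ UtcTime = '2025-12-25 09:13:40'; Image = 'C:\Program Files\Git\cmd\git.exe'; QueryName = 'github.com' }
        [pscustomobject]@{ UtcTime = '2025-12-25 09:14:02'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; QueryName = 'emeditorgb.com' }
        [pscustomobject]@{ UtcTime = '2025-12-25 09:15:11'; Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; QueryName = 'k3x9pq2m7vw0rzt4bnh.online' }
    )
}

function Get-RegistrableDomain {
    param([Parameter(Mandatory)][string]$QueryName)
    # Normalise: lowercase, drop the trailing dot, keep the last two labels.
    # Every TLD in the indicator list is a single label, so this is enough here;
    # a public-suffix list is needed for names under multi-label suffixes like co.uk.
    $labels = $QueryName.ToLowerInvariant().TrimEnd('.').Split('.')
    if ($labels.Count -lt 2) { return ($labels -join '.') }
    return ($labels[-2..-1] -join '.')
}

function Find-SuspiciousDnsQueries {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $domain  = Get-RegistrableDomain -QueryName $e.QueryName
        $verdict = $null
        if ($BadSet.Contains($domain))      { $verdict = 'IOC match' }
        elseif ($domain -match $DgaPattern) { $verdict = 'DGA-like, review' }
        if ($verdict) {
            [pscustomobject]@{
                UtcTime   = $e.UtcTime
                Image     = $e.Image
                QueryName = $e.QueryName
                Domain    = $domain
                Verdict   = $verdict
            }
        }
    }
}

Find-SuspiciousDnsQueries -Events (Get-SampleDnsEvents) | Format-Table -AutoSize
```

On the constructed sample, four of the five queries are reported: three exact indicator matches (one reached through a www. prefix and a trailing dot, one through mixed case) and one DGA-like name for review; the github.com query is not reported. The Image field matters when triaging hits: the extension's traffic comes from the browser, while the initial stealer's upload to emeditorgb.com comes from powershell.exe.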
The extension has data-theft modules that collect system information (CPU, GPU, memory, screen resolution, time zone) as well as all browser cookies, history, the installed extension list, bookmarks, and more.

The clipboard hijacking module replaces wallet addresses for more than 30 cryptocurrencies.

Keylogging, with captured input categorized by the web page it was typed into:

Facebook advertising account theft functionality:

Remote control logic is as follows:
case "get_cookies": // Get all cookies
case "get_history": // Get browsing history
case "screenshot": // Screenshot
case "clear_cookies": // Clear cookies
case "send_notification": // Send notification (social engineering)
case "read_file": // Read local file
case "open_url": // Open malicious website
case "start_proxy": // Start proxy (man-in-the-middle attack)
case "uninstall": // Self-uninstall
case "execute_js": // Execute arbitrary JavaScript on page

Summary
Currently, all products based on Qianxin Threat Intelligence Center's threat intelligence data, including the Qianxin Threat Intelligence Platform (TIP), Tianqing, Tianyan Advanced Threat Detection System, Qianxin NGSOC, and Qianxin Situational Awareness Platform, already support precise detection of such attacks.

IOC
MD5:
a27731876e769ff19e225700085967bf
6a4554509ce27efe5c6b8e58431f60d8
C2:
emedjp.com
emeditorde.com
emedorg.com
emeditorjapan.com
emeditorjp.com
cachingdrive.com
147.45.50.54:443
5.101.82.118:443
46.28.70.245:443
DGA Domains:
brt461jnbjvm52mw.biz
1a298k7iqspq52l4r9e.space
z2ctmmm61dm0c3wfic.store
afdwtyy38efzk.app
08qodmaloshm5zrwhww.xyz
gs9uuz4h0510qhob.io
973jgnzjgnwupd1nu.space
daj54smzpklt5kjq.space
8mfi71rtud8fov5.org
0xax86xdizce7kg9cpdk.online