Malicious installer delivered through altered download link.

Emurasoft warned that EmEditor users who downloaded the software over a three‑day window may have received a tampered installer after attackers redirected the site’s download link to a malicious .msi file. The fake installer ran a PowerShell command that pulled additional payloads from a spoofed domain and harvested system data, documents, browser details, and credentials for numerous applications. Qianxin found that the malware also deployed a persistent browser extension capable of stealing cookies, logging keystrokes, and hijacking cryptocurrency addresses. Researchers say the operation appears financially motivated, and both Emurasoft and Qianxin have published indicators of compromise.

Read more:

https://www.securityweek.com/infostealer-malware-delivered-in-emeditor-supply-chain-attack/