EmEditor's official website is once again tampered with



It has been discovered that since December 31, 2025, the official website of the text editor 'EmEditor' developed by Emurasoft has been tampered with, resulting in an incident where clicking the button to download the installer resulted in the download of an unauthorized file. Emurasoft also reported a similar incident on December 23, 2025.

[Important] Malicious Links (Malware) on the EmEditor Homepage (Update) – EmEditor (Text Editor)

https://jp.emeditor.com/general/%E3%80%90%E9%87%8D%E8%A6%81%E3%80%91emeditor-%E3%83%9B%E3%83%BC%E3%83%A0%E3%83%9A%E3%83%BC%E3%82%B8%E3%81%AB%E9%96%A2%E3%81%99%E3%82%8B%E4%B8%8D%E6%AD%A3%E3%83%AA%E3%83%B3%E3%82%AF%EF%BC%88%E3%83%9E/



According to an announcement by Emurasoft on January 4, 2026, the download link for the latest version of the desktop installer (emed64_25.4.4.msi) on the official EmEditor website had been altered by an unknown attacker, redirecting users to a third-party link. Users who accessed the third-party link may have downloaded a file that may contain malware.

The potentially affected period is from 18:26 on December 31, 2025 to 1:51 on January 2, 2026. According to Emurasoft, the end time is accurate, but the start time may be later. Also, only the Japanese version of the website was affected.

This incident is separate from the following incident reported on December 23, 2025:

The download path for the official 'EmEditor' website may have been altered, and there is a risk that the installer may have been replaced with another one - GIGAZINE



According to Emurasoft's explanation for this incident, the download URL for the latest version of the desktop installer on the official Japanese EmEditor website should have been 'https://download.emeditor.info/emed64_25.4.4.msi,' but during the period in question, it had been altered by a third party to redirect to 'https://jp.emeditor[.]com/wp-content/uploads/2025/10/emed64_25.4.4.msi.' Apparently, this was caused by unauthorized modification of the WordPress theme file, functions.php.

Malicious script was added to this functions.php file, which 'intercepted' link clicks on the EmEditor homepage and redirected users to a page containing a problematic installer. The problematic installer was digitally signed not by Emurasoft, but by a different organization called GRH PSYCHIC SERVICES LTD. While this signature is different from the one seen in the previous incident, Emurasoft reports that 'based on the timing and modus operandi, it is highly likely that this is the same malware as in the previous incident.'

Emurasoft determined that 'it is possible that a WordPress vulnerability or an SFTP account was targeted,' and as a countermeasure, they discontinued the use of WordPress on their official website, exported all previous content to HTML, and converted the website into a static site. Emurasoft stated, 'All currently displayed English and Japanese EmEditor sites are static sites that do not use WordPress, so they can be considered safe.' As a result of this measure, the official website's forum became view-only, and new member registrations were closed.

Emurasoft stated, 'The domain used this time was different from the domain used in the previous incident. The fact that the attacker owned many domains with names similar to the official website, emeditor.com, the malware was highly sophisticated, and the attacks were repeated. In addition, the attacks occurred on the weekend before Christmas and around New Year's, suggest the attacker's high level of determination.'



According to Emurasoft, the following cases are not affected by this issue:

- If you update using the EmEditor update checker
- When EmEditor performs an automatic update
- Files other than emed64_25.4.4.msi
・Portable version
・Store app version
・If you installed/updated using winget
- If you have downloaded the file in question but have not executed it
・If you download from a site other than the Japanese version

Emurasoft is urging customers who may have obtained the installer during the affected period to 'check the digital signature and SHA-256 of the downloaded emed64_25.4.4.msi.'

Emurasoft stated, 'Unfortunately, it is difficult for us as a software company to completely prevent the creation and distribution of malicious installers that closely resemble legitimate installers. The essential problems in this case are twofold: 1) the download link used on our website was altered without our knowledge, and 2) our website was accessed from outside and a problematic file containing malware was installed. The combination of these factors caused harm to customers who downloaded from our official website, and we feel a great deal of responsibility for this. We will reflect on what we could have done to prevent this and use this to implement future measures.'

Related Posts:

in Software,   Security, Posted by log1p_kr