While analysts were writing reports, the enemy simply changed tactics.

Stormshield specialists continued to analyze the compromise chain associated with the attack on the EmEditor text editor supply chain and uncovered additional technical details of the attackers' infrastructure. The in-depth analysis was prompted by Trend Micro's January publication about a rare "Watering Hole" scheme targeting users of this product.
The team examined previously published indicators and began tracking associated domains and addresses. In early February, IP changes were detected for several suspicious nodes. A group of domain names masquerading as official EmEditor resources was discovered. All of them use the .com extension, were registered in late December 2025 through the same registrar, and point to the same DNS servers. The names follow a similar pattern and begin with the fragment "emed," indicating an attempt to visually imitate a legitimate brand.
Analysis of passive DNS records revealed additional address matches. Some domains changed IP addresses, while others remained the same. This suggests a gradual restructuring of the infrastructure without a complete shutdown. Further inspection of network responses revealed an atypical HTTP header configuration for one of the nodes. Some fields in the server response were duplicated, which became the starting point for further searching for related resources.
Using an internet infrastructure analysis service, we were able to find other domains with the same header fingerprint. Several of them pointed to the same IP address and used similar URL patterns with paths like /gate/start/. Despite the minimal network response, the matches allowed us to link them to the same activity.
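The pivot described above, fingerprinting a node by the shape of its HTTP response headers (including the duplicated fields) and then grouping other hosts that share that shape, is illustrated by the following added example. It is not code from Stormshield or Trend Micro; the sample responses and the `.invalid` host names are constructed placeholders, not indicators from the report, and the header-shape hashing is one reasonable way to express the fingerprint, not the method the analysts used.

```python
"""Cluster hosts by HTTP response header shape (duplicated fields included)."""
from collections import Counter
from hashlib import sha256

# Constructed sample responses for three hypothetical hosts. The .invalid TLD is
# reserved and never resolves; these are placeholders, not indicators from the report.
SAMPLE_RESPONSES = {
    "emed-placeholder-a.invalid": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Server: nginx\r\n"
        "Content-Type: text/html\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "emed-placeholder-b.invalid": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Server: nginx\r\n"
        "Content-Type: text/html\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
    "ordinary-site.invalid": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n"
        "Content-Type: text/html\r\n"
        "Content-Length: 0\r\n\r\n"
    ),
}


def parse_headers(raw):
    """Return the response headers as an ordered list of (lowercased name, value).
    Only the head (before the blank line) is read; the status line is skipped."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue  # tolerate a malformed line instead of aborting the scan
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def duplicated_fields(headers):
    """Names that occur more than once, the anomaly the report used as a pivot."""
    counts = Counter(name for name, _ in headers)
    return sorted(name for name, n in counts.items() if n > 1)


def header_fingerprint(headers):
    """Hash of the header *shape*: the ordered sequence of names. Duplicates and
    their position are captured, while volatile values (dates, lengths) are ignored."""
    shape = "|".join(name for name, _ in headers)
    return sha256(shape.encode()).hexdigest()[:16]


def cluster_by_fingerprint(responses):
    """Map fingerprint -> hosts whose responses share that header shape."""
    clusters = {}
    for host, raw in responses.items():
        clusters.setdefault(header_fingerprint(parse_headers(raw)), []).append(host)
    return clusters


def pivot_from(seed_host, responses):
    """Hosts (other than the seed) that share the seed's fingerprint."""
    fp = header_fingerprint(parse_headers(responses[seed_host]))
    return sorted(h for h in cluster_by_fingerprint(responses)[fp] if h != seed_host)


def looks_like_brand_imitation(host, prefix="emed"):
    """Crude name check mirroring the report's observation (labels starting with 'emed')."""
    return host.split(".")[0].startswith(prefix)


if __name__ == "__main__":
    seed = "emed-placeholder-a.invalid"
    hdrs = parse_headers(SAMPLE_RESPONSES[seed])
    print("duplicated fields:", duplicated_fields(hdrs))
    print("fingerprint:", header_fingerprint(hdrs))
    print("related hosts:", pivot_from(seed, SAMPLE_RESPONSES))
```

The fingerprint deliberately hashes only header names in order, so hosts that rotate IP addresses or change content lengths still cluster together; combining it with the name-pattern check and passive DNS overlap, as the report does, gives a stronger link than any one signal alone.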
A separate search led to another domain registered in October 2025. This address hosted an obfuscated PowerShell script matching the previously described infection chain. The internal logic and checksums of the code indicate an early stage of the same operation. Analysts believe the match is quite reliable.
A comprehensive analysis of domains, IP addresses, and file hashes shows that the campaign did not cease after its public disclosure and continued to evolve. Therefore, constant monitoring, re-checking of indicators, and multi-layered defense remain critical to infrastructure resilience.
