eScan and MicroWorld Technologies: eScan Antivirus Supply Chain Breach Delivers Signed Malware

Critical eScan Antivirus Supply Chain Attack Distributes Multi-Stage Malware Globally

On January 20, 2026, a supply chain compromise targeting MicroWorld Technologies’ eScan antivirus was uncovered, delivering malicious updates through the vendor’s legitimate infrastructure. Research from Morphisec Threat Labs revealed the attack distributed multi-stage malware to enterprise and consumer endpoints worldwide, leveraging a compromised eScan digital certificate to bypass security checks.

The malware, disguised as a trojanized 32-bit eScan executable, replaced a legitimate component during updates. It deployed additional payloads, including a 64-bit backdoor for remote access, while actively blocking remediation efforts. Key tactics included:

  • Modifying the Windows hosts file and eScan registry settings to prevent connections to update servers.
  • Establishing persistence via scheduled tasks (masquerading as defragmentation jobs) and registry keys with random GUID names.
  • Communicating with external C2 infrastructure to fetch further payloads, though the status of these servers remains unconfirmed.
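The hosts-file tampering in the first tactic above is something a defender can check for directly, because a vendor's update and licensing hostnames should never appear in a workstation's hosts file at all. The following is an added example, not code from the article, from Morphisec or from eScan: it parses a constructed hosts file and reports every entry that overrides a watched hostname, distinguishing sinkhole entries (loopback or unspecified addresses, which make the updater unable to reach its server) from redirects to some other address. The sample file and the hostnames ending in .invalid are placeholders; the real update hostnames come from the vendor's documentation.

```python
import ipaddress

# Constructed sample of a tampered Windows hosts file (not a real capture).
# The *.invalid hostnames are placeholders for the vendor's real update and
# licensing hosts; the comment-only lines mirror the stock Windows file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1\tupdate.example-av.invalid   # injected: sinkholes the updater
0.0.0.0   download.example-av.invalid license.example-av.invalid
::1       dl2.example-av.invalid
10.0.0.5  intranet.corp.example      # legitimate internal override
"""

# Hostnames the security product must be able to resolve (assumed list).
WATCHED_HOSTS = {
    "update.example-av.invalid",
    "download.example-av.invalid",
    "license.example-av.invalid",
    "dl2.example-av.invalid",
}


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every effective hosts-file entry.

    Blank lines, comment-only lines and trailing '#' comments are ignored;
    a line whose first field is not a valid IP address is skipped because
    the resolver would ignore it too.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield line_no, ip, [name.lower() for name in fields[1:]]


def is_sinkhole(ip):
    """True for loopback (127/8, ::1) or unspecified (0.0.0.0, ::) addresses,
    which make the mapped hostname unreachable rather than redirecting it."""
    return ip.is_loopback or ip.is_unspecified


def find_hosts_overrides(text, watched=WATCHED_HOSTS):
    """Return one finding per watched hostname that the hosts file overrides.

    effect is "sinkhole" when the entry blocks the host outright and
    "redirect" when it points the host at some other routable address; both
    are abnormal for a vendor's update servers and warrant investigation.
    """
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name in watched:
                findings.append({
                    "line": line_no,
                    "host": name,
                    "ip": str(ip),
                    "effect": "sinkhole" if is_sinkhole(ip) else "redirect",
                })
    return findings


if __name__ == "__main__":
    for finding in find_hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts line {finding['line']}: {finding['host']} -> "
              f"{finding['ip']} ({finding['effect']})")
```

On a live Windows host the same function can be run over the contents of %SystemRoot%\System32\drivers\etc\hosts; an empty result is the expected baseline. Pairing this with a check that the product's own update-related registry settings still match the vendor's defaults covers both halves of the blocking behaviour described above.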

Response and Impact
Morphisec detected and blocked the threat within hours, notifying MicroWorld Technologies the same day. eScan claimed it identified the breach internally, isolating affected infrastructure within an hour and taking its global update system offline for over eight hours. However, Morphisec reported that customers were required to proactively contact eScan for remediation, despite the vendor’s assertion of direct outreach.

As of publication, no public advisory has been issued by eScan, and the investigation remains ongoing. The attack underscores the risks of supply chain vulnerabilities, particularly when attackers exploit trusted update mechanisms to deploy malware at scale.

Source: https://www.infosecurity-magazine.com/news/escan-antivirus-breach-delivers/

MicroWorld Technologies Inc cybersecurity rating report: https://www.rankiteo.com/company/microworld-technologies-inc

{
  "id": "MICMIC1769460960",
  "linkid": "microworld-technologies-inc, microworld-technologies-inc",
  "type": "Cyber Attack",
  "date": "1/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "customers_affected": "Enterprise and consumer users worldwide",
      "industry": "Cybersecurity/Antivirus",
      "location": "Global",
      "name": "MicroWorld Technologies (eScan Antivirus)",
      "type": "Vendor"
    }
  ],
  "attack_vector": "Compromised software update mechanism",
  "customer_advisories": "No public advisory issued; customers required to contact eScan for remediation",
  "data_breach": {
    "data_encryption": "Malware deployed encryption for persistence and payload delivery"
  },
  "date_detected": "2026-01-20",
  "description": "On January 20, 2026, a supply chain compromise targeting MicroWorld Technologies’ eScan antivirus was uncovered, delivering malicious updates through the vendor’s legitimate infrastructure. The attack distributed multi-stage malware to enterprise and consumer endpoints worldwide, leveraging a compromised eScan digital certificate to bypass security checks. The malware, disguised as a trojanized 32-bit eScan executable, replaced a legitimate component during updates and deployed additional payloads, including a 64-bit backdoor for remote access, while actively blocking remediation efforts.",
  "impact": {
    "brand_reputation_impact": "High (trusted antivirus vendor compromised)",
    "downtime": "Over eight hours (global update system offline)",
    "operational_impact": "Malware deployment, blocked remediation efforts, disrupted update services",
    "systems_affected": "Enterprise and consumer endpoints worldwide"
  },
  "initial_access_broker": {
    "backdoors_established": "64-bit backdoor for remote access",
    "entry_point": "Compromised eScan update infrastructure"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "The attack underscores the risks of supply chain vulnerabilities, particularly when attackers exploit trusted update mechanisms to deploy malware at scale.",
  "post_incident_analysis": {
    "corrective_actions": "Isolated affected infrastructure, took update system offline, required customer-initiated remediation",
    "root_causes": "Compromised digital certificate, exploitation of trusted update mechanism"
  },
  "ransomware": {
    "data_encryption": "Yes (malware used encryption for payload delivery)"
  },
  "references": [
    {"source": "Morphisec Threat Labs"}
  ],
  "response": {
    "communication_strategy": "No public advisory issued; customers notified via direct outreach (disputed by Morphisec)",
    "containment_measures": "Isolated affected infrastructure, took global update system offline",
    "incident_response_plan_activated": "Yes",
    "remediation_measures": "Customers required to proactively contact eScan for remediation",
    "third_party_assistance": "Morphisec Threat Labs"
  },
  "title": "Critical eScan Antivirus Supply Chain Attack Distributes Multi-Stage Malware Globally",
  "type": "Supply Chain Attack",
  "vulnerability_exploited": "Compromised digital certificate, trusted update infrastructure"
}