eScan antivirus customers have been contaminated with malware final week after hackers compromised an official replace server, safety researchers report.
The eScan provide chain assault got here to mild on January 29, when cybersecurity agency Morphisec revealed a menace bulletin warning of rogue updates tampering with customers’ programs.
“Malicious updates have been distributed by way of eScan’s authentic replace infrastructure, ensuing within the deployment of multi-stage malware to enterprise and client endpoints globally,” Morphisec’s bulletin reads.
In response to the safety agency, the updates modified customers’ gadgets in order that they’d be reduce off from eScan’s updates. The antivirus’s regular performance was additionally altered, it says.
The affected customers obtained a malicious ‘Reload.exe’ file, designed to kick off a multi-stage an infection chain. The file modified the HOSTS file to dam computerized updates, established persistence by way of scheduled duties, and downloaded extra payloads.
“Computerized remediation is subsequently not doable for compromised programs. Impacted organizations and people should proactively contact eScan to acquire the handbook replace/patch,” Morphisec says.
Morphisec stated it reported the incident to MicroWorld Applied sciences, the corporate behind eScan, on January 21, sooner or later after it detected the malicious habits on its prospects’ gadgets.
eScan knowledgeable Morphisec that it had detected unauthorized entry to its infrastructure on January 20 and instantly remoted the impacted replace servers, which remained offline for over eight hours.
To resolve the problem, eScan launched a utility that customers can get hold of by contacting the corporate’s technical help staff. The device was designed to scrub the an infection, roll again malicious system modifications, and restore eScan’s regular performance.
eScan downplays impression, cries foul play
Whereas the assault and the aftermath appear relatively easy, eScan’s response to the general public disclosure of the incident is a distinct story.
Because it seems, the Indian antivirus supplier was not pleased with Morphisec’s evaluation of how the incident unfolded, nor with the “provide chain assault” stamp slapped on it.
The corporate, nevertheless, did verify the unauthorized entry to its infrastructure. In reality, it disclosed it to its prospects in a January 22 safety advisory, which states that the incident impacted a regional replace server.
“Unauthorized entry to certainly one of our regional replace server configurations resulted in an incorrect file (patch configuration binary/corrupt replace) being positioned within the replace distribution path. This file was distributed to prospects downloading updates from the affected server cluster throughout a restricted timeframe on January 20, 2026,” the advisory reads.
The advisory’s description of the system habits triggered by the malicious replace overlaps with Morphisec’s description. Moreover, eScan notes that the incident had a medium-high impression on enterprise prospects, which inserts Morphisec’s evaluation.
Regardless, eScan is sad with Morphisec’s reporting on the incident, which it reportedly sees as inaccurate. In reality, the antivirus firm is outwardly working with authorized counsel on the matter.
SecurityWeek has emailed eScan for an announcement on the incident and can replace this text if the corporate responds.
Associated: ‘PackageGate’ Flaws Open JavaScript Ecosystem to Provide Chain Assaults
Associated: Notepad++ Patches Updater Flaw After Studies of Site visitors Hijacking
Associated: Fintech Agency Wealthsimple Says Provide Chain Assault Resulted in Information Breach
Associated: AI Provide Chain Assault Technique Demonstrated Towards Google, Microsoft Merchandise
