eScan Antivirus Supply Chain Breach Delivers Signed Malware

A critical supply chain compromise affecting MicroWorld Technologies’ eScan antivirus product was identified on January 20 2026, after malicious updates were reportedly delivered through the vendor’s legitimate update infrastructure.

The incident led to the global distribution of multi-stage malware to enterprise and consumer endpoints, according to findings published today from Morphisec Threat Labs.

The malicious packages were allegedly digitally signed using a compromised eScan certificate, allowing them to appear legitimate and bypass standard trust mechanisms. Once deployed, the malware established persistence, enabled remote access capabilities and actively prevented affected systems from receiving further updates.

Multi-Stage Malware Blocks Automatic Remediation

The attack chain began with a trojanized version of a 32-bit eScan executable, which replaced a legitimate component during the update process. This initial stage dropped additional payloads, including a downloader and a 64-bit backdoor that provided full remote access to compromised systems.

One of the most significant aspects of the campaign was its built-in anti-remediation capability. The malware modified the Windows hosts file and altered eScan registry settings to block connections to eScan update servers. As a result, compromised endpoints cannot receive automatic fixes or patches.

Persistence was achieved through scheduled tasks disguised as Windows defragmentation jobs, as well as registry keys using randomly generated GUID names. The downloader component also attempted to communicate with external command-and-control (C2) infrastructure to retrieve additional payloads, though the current status of those servers remains unconfirmed.

Detection, Response and Required Actions

Morphisec said it detected and blocked the malicious activity on protected customer systems within hours of the initial distribution.

The company allegedly contacted MicroWorld Technologies the same day. eScan stated it identified the issue through internal monitoring, isolated the affected infrastructure within one hour and took its global update system offline for more than eight hours.

Despite these steps, Morphisec reported that its customers were required to proactively contact eScan to receive remediation, even though the vendor indicated that customers were being notified directly by phone.

Infosecurity has contacted eScan for comment, but no response has been received at the time of writing.

In the meantime, Morphisec advised organizations running eScan to take immediate action, including:

  • Searching endpoints for known malicious file hashes
  • Reviewing scheduled tasks under Windows\Defrag\ for suspicious entries
  • Inspecting registry keys with GUID-based names containing encoded data
  • Blocking identified C2 domains
  • Revoking trust in the compromised eScan code-signing certificate

For unprotected systems, the company recommends assuming compromise, isolating affected machines and conducting full forensic investigations. As of publication, no public vendor advisory has been issued and the investigation reportedly remains active.
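The hosts-file, scheduled-task and registry checks described above, as an added PowerShell triage script that is not Morphisec's or eScan's code. It assumes the eScan update hostnames contain the substring "escan" (a placeholder pattern, since the article names none), that the disguised tasks sit in the legitimate \Microsoft\Windows\Defrag\ task folder, and that the GUID-named keys were placed in the standard Run/RunOnce autostart locations; the published file hashes and C2 domains still have to be checked separately.

```powershell
# Added triage script (not vendor code). Assumptions: eScan update hosts match the
# placeholder pattern 'escan'; disguised tasks live in \Microsoft\Windows\Defrag\;
# GUID-named persistence keys sit under the standard Run/RunOnce hives. Run elevated.
$findings = @()

# 1. hosts file: a non-comment line pinning an eScan-looking hostname to any address
#    would explain why an endpoint stopped receiving updates.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match 'escan' } |
    ForEach-Object { $findings += [pscustomobject]@{ Check = 'hosts'; Detail = $_ } }

# 2. scheduled tasks: Windows ships exactly one task in this folder (ScheduledDefrag);
#    anything else is reported together with what it executes.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\Defrag\' -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -ne 'ScheduledDefrag' } |
    ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += [pscustomobject]@{ Check = 'task'; Detail = "$($_.TaskName): $actions" }
    }

# 3. autostart registry: value or subkey names shaped like a GUID, or values whose
#    data is a long base64-looking blob instead of a normal command line.
$guidRx  = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($key in $runKeys) {
    $item = Get-Item $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        $blob = ($data.Length -gt 200 -and $data -match '^[A-Za-z0-9+/=]+$')
        if ($name -match $guidRx -or $blob) {
            $preview = $data.Substring(0, [Math]::Min(60, $data.Length))
            $findings += [pscustomobject]@{ Check = 'registry'; Detail = "$key\$name = $preview..." }
        }
    }
    Get-ChildItem $key -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match $guidRx } |
        ForEach-Object { $findings += [pscustomobject]@{ Check = 'registry'; Detail = "$($_.PSPath) (GUID-named subkey)" } }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No indicators from these three checks; still verify the published file hashes.' }
```

A hit in any of the three checks is a reason to isolate the host and collect the task definitions and registry data before touching them, since the hosts-file and task entries are also the evidence of how updates were blocked.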