eScan antivirus customers have been contaminated with malware final week after hackers compromised an official replace server, safety researchers report.
The eScan provide chain assault got here to mild on January 29, when cybersecurity agency Morphisec revealed a risk bulletin warning of rogue updates tampering with customers’ techniques.
“Malicious updates have been distributed via eScan’s reputable replace infrastructure, ensuing within the deployment of multi-stage malware to enterprise and client endpoints globally,” Morphisec’s bulletin reads.
In line with the safety agency, the updates modified customers’ units in order that they might be lower off from eScan’s updates. The antivirus’s regular performance was additionally altered, it says.
The affected customers acquired a malicious ‘Reload.exe’ file, designed to kick off a multi-stage an infection chain. The file modified the HOSTS file to dam automated updates, established persistence via scheduled duties, and downloaded extra payloads.
“Computerized remediation is subsequently not attainable for compromised techniques. Impacted organizations and people should proactively contact eScan to acquire the handbook replace/patch,” Morphisec says.Commercial. Scroll to proceed studying.
Morphisec mentioned it reported the incident to MicroWorld Applied sciences, the corporate behind eScan, on January 21, at some point after it detected the malicious habits on its prospects’ units.
eScan knowledgeable Morphisec that it had detected unauthorized entry to its infrastructure on January 20 and instantly remoted the impacted replace servers, which remained offline for over eight hours.
To resolve the problem, eScan launched a utility that customers can receive by contacting the corporate’s technical help staff. The device was designed to wash the an infection, roll again malicious system modifications, and restore eScan’s regular performance.
eScan downplays influence, cries foul play
Whereas the assault and the aftermath appear somewhat easy, eScan’s response to the general public disclosure of the incident is a unique story.
Because it seems, the Indian antivirus supplier was not proud of Morphisec’s evaluation of how the incident unfolded, nor with the “provide chain assault” stamp slapped on it.
The corporate, nonetheless, did affirm the unauthorized entry to its infrastructure. In reality, it disclosed it to its prospects in a January 22 safety advisory, which states that the incident impacted a regional replace server.
“Unauthorized entry to one in all our regional replace server configurations resulted in an incorrect file (patch configuration binary/corrupt replace) being positioned within the replace distribution path. This file was distributed to prospects downloading updates from the affected server cluster throughout a restricted timeframe on January 20, 2026,” the advisory reads.
The advisory’s description of the system habits triggered by the malicious replace overlaps with Morphisec’s description. Moreover, eScan notes that the incident had a medium-high influence on enterprise prospects, which inserts Morphisec’s evaluation.
Regardless, eScan is sad with Morphisec’s reporting on the incident, which it reportedly sees as inaccurate. In reality, the antivirus firm is seemingly working with authorized counsel on the matter.
SecurityWeek has emailed eScan for a press release on the incident and can replace this text if the corporate responds.
Associated: ‘PackageGate’ Flaws Open JavaScript Ecosystem to Provide Chain Assaults
Associated: Notepad++ Patches Updater Flaw After Studies of Site visitors Hijacking
Associated: Fintech Agency Wealthsimple Says Provide Chain Assault Resulted in Knowledge Breach
Associated: AI Provide Chain Assault Methodology Demonstrated Towards Google, Microsoft Merchandise
