Critical eScan Antivirus Supply Chain Attack Distributes Multi-Stage Malware Globally On January 20, 2026, a supply chain compromise targeting MicroWorld Technologies’ eScan antivirus was uncovered, delivering malicious updates through the vendor’s legitimate infrastructure. Research from Morphisec Threat Labs revealed the attack distributed multi-stage malware to enterprise and consumer endpoints worldwide, leveraging a compromised eScan digital certificate to bypass security checks. The malware, disguised as a trojanized 32-bit eScan executable, replaced a legitimate component during updates. It deployed additional payloads, including a 64-bit backdoor for remote access, while actively blocking remediation efforts. Key tactics included: - Modifying the Windows hosts file and eScan registry settings to prevent connections to update servers. - Establishing persistence via scheduled tasks (masquerading as defragmentation jobs) and registry keys with random GUID names. - Communicating with external C2 infrastructure to fetch further payloads, though the status of these servers remains unconfirmed. Response and Impact Morphisec detected and blocked the threat within hours, notifying MicroWorld Technologies the same day. eScan claimed it identified the breach internally, isolating affected infrastructure within an hour and taking its global update system offline for over eight hours. However, Morphisec reported that customers were required to proactively contact eScan for remediation, despite the vendor’s assertion of direct outreach. As of publication, no public advisory has been issued by eScan, and the investigation remains ongoing. The attack underscores the risks of supply chain vulnerabilities, particularly when attackers exploit trusted update mechanisms to deploy malware at scale.