eScan Antivirus Supply Chain Compromise Delivers Signed Malware
Summary
A supply chain compromise in eScan antivirus products led to the distribution of multi-stage malware via legitimate update channels on January 20, 2026. The malware, signed with a compromised eScan certificate, established persistence, enabled remote access, and blocked further updates. Morphisec Threat Labs detected and mitigated the attack, while eScan took its update system offline for remediation. The malware modified system files and registry settings to prevent automatic remediation and communicated with external C2 infrastructure. Affected organizations are advised to search for malicious files, review scheduled tasks, inspect registry keys, block C2 domains, and revoke the compromised certificate. The breach was limited to a two-hour window on January 20, 2026, affecting only customers downloading updates from a specific regional update cluster. eScan detected the issue internally through monitoring and customer reports on January 20, isolated the affected infrastructure within hours, and issued a security advisory on January 21. eScan disputes Morphisec's claims of being the first to discover or report the incident, stating it conducted proactive notifications and direct outreach to impacted customers. The incident did not involve a vulnerability in the eScan product itself but was due to unauthorized access to a regional update server configuration. The malicious update was signed with what appears to be eScan's code-signing certificate, but both Windows and VirusTotal show the signature as invalid. The command and control servers observed include hxxps://vhs.delrosal.net/i, hxxps://tumama.hns.to, hxxps://blackice.sol-domain.org, hxxps://codegiant.io/dd/dd/dd.git/download/main/middleware.ts, 504e1a42.host.njalla.net, and 185.241.208.115.
Timeline
- 26.01.2026 21:00 (3 articles)
eScan Antivirus Supply Chain Compromise Delivers Signed Malware
The malicious payload interferes with the regular functionality of the product, effectively preventing automatic remediation.
The malware replaces the legitimate 'Reload.exe' at 'C:\Program Files (x86)\escan\reload.exe' with a rogue counterpart that can prevent further antivirus product updates by modifying the HOSTS file. The malware is signed with a fake, invalid digital signature. It uses the UnmanagedPowerShell tool to execute a malicious PowerShell script inside the reload.exe process. The malware launches three Base64-encoded PowerShell payloads designed to tamper with the installed eScan solution, bypass the Windows Antimalware Scan Interface (AMSI), and check whether the victim machine should be further infected. It replaces the 'C:\Program Files (x86)\eScan\CONSCTLX.exe' component with a malicious file. It changes the last update time of the eScan product to the current time by writing the current date to the 'C:\Program Files (x86)\eScan\Eupdate.ini' file. The malware performs validation procedures and sends an HTTP request to the attacker-controlled infrastructure to receive more PowerShell payloads for subsequent execution. The affected machines are mainly located in India, Bangladesh, Sri Lanka, and the Philippines. The attackers had to have studied the internals of eScan in detail to understand how its update mechanism worked and how it could be tampered with to distribute malicious updates.
- eScan Antivirus Supply Chain Breach Delivers Signed Malware — www.infosecurity-magazine.com — 26.01.2026 21:00
- eScan confirms update server breached to push malicious update — www.bleepingcomputer.com — 28.01.2026 23:00
- eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware — thehackernews.com — 02.02.2026 07:47
Information Snippets
- The attack began with a trojanized 32-bit eScan executable that replaced a legitimate component during the update process. (First reported: 26.01.2026 21:00; 3 sources: www.infosecurity-magazine.com, www.bleepingcomputer.com, thehackernews.com)
- The malware dropped additional payloads, including a downloader and a 64-bit backdoor for remote access. (First reported: 26.01.2026 21:00; 3 sources: www.infosecurity-magazine.com, www.bleepingcomputer.com, thehackernews.com)
- The malware modified the Windows hosts file and altered eScan registry settings to block connections to eScan update servers. (First reported: 26.01.2026 21:00; 3 sources: www.infosecurity-magazine.com, www.bleepingcomputer.com, thehackernews.com)
- Persistence was achieved through scheduled tasks disguised as Windows defragmentation jobs and registry keys with randomly generated GUID names. (First reported: 26.01.2026 21:00; 3 sources: www.infosecurity-magazine.com, www.bleepingcomputer.com, thehackernews.com)
- Morphisec detected and blocked the malicious activity within hours of the initial distribution and contacted eScan the same day. (First reported: 26.01.2026 21:00; 3 sources: www.infosecurity-magazine.com, www.bleepingcomputer.com, thehackernews.com)
- eScan identified the issue through internal monitoring, isolated the affected infrastructure within one hour, and took its global update system offline for more than eight hours. (First reported: 26.01.2026 21:00; 3 sources: www.infosecurity-magazine.com, www.bleepingcomputer.com, thehackernews.com)
- Morphisec advised organizations to search for known malicious file hashes, review scheduled tasks, inspect registry keys, block C2 domains, and revoke the compromised certificate. (First reported: 26.01.2026 21:00; 3 sources: www.infosecurity-magazine.com, www.bleepingcomputer.com, thehackernews.com)
- The breach was limited to a two-hour window on January 20, 2026, affecting only customers downloading updates from a specific regional update cluster. (First reported: 28.01.2026 23:00; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- eScan detected the issue internally through monitoring and customer reports on January 20, isolated the affected infrastructure within hours, and issued a security advisory on January 21. (First reported: 28.01.2026 23:00; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- eScan disputes Morphisec's claims of being the first to discover or report the incident, stating it conducted proactive notifications and direct outreach to impacted customers. (First reported: 28.01.2026 23:00; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- The incident did not involve a vulnerability in the eScan product itself but was due to unauthorized access to a regional update server configuration. (First reported: 28.01.2026 23:00; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- The malicious update was signed with what appears to be eScan's code-signing certificate, but both Windows and VirusTotal show the signature as invalid. (First reported: 28.01.2026 23:00; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- The command and control servers observed include hxxps://vhs.delrosal.net/i, hxxps://tumama.hns.to, hxxps://blackice.sol-domain.org, hxxps://codegiant.io/dd/dd/dd.git/download/main/middleware.ts, 504e1a42.host.njalla.net, and 185.241.208.115. (First reported: 28.01.2026 23:00; 2 sources: www.bleepingcomputer.com, thehackernews.com)
- The malicious payload interferes with the regular functionality of the product, effectively preventing automatic remediation. (First reported: 02.02.2026 07:47; 1 source: thehackernews.com)
- The malware replaces the legitimate 'Reload.exe' at 'C:\Program Files (x86)\escan\reload.exe' with a rogue counterpart that can prevent further antivirus product updates by modifying the HOSTS file. (First reported: 02.02.2026 07:47; 1 source: thehackernews.com)
- The malware is signed with a fake, invalid digital signature. (First reported: 02.02.2026 07:47; 1 source: thehackernews.com)
- The malware uses the UnmanagedPowerShell tool to execute a malicious PowerShell script inside the reload.exe process. (First reported: 02.02.2026 07:47; 1 source: thehackernews.com)
- The malware launches three Base64-encoded PowerShell payloads designed to tamper with the installed eScan solution, bypass the Windows Antimalware Scan Interface (AMSI), and check whether the victim machine should be further infected. (First reported: 02.02.2026 07:47; 1 source: thehackernews.com)
- The malware replaces the 'C:\Program Files (x86)\eScan\CONSCTLX.exe' component with a malicious file. (First reported: 02.02.2026 07:47; 1 source: thehackernews.com)
- The malware changes the last update time of the eScan product to the current time by writing the current date to the 'C:\Program Files (x86)\eScan\Eupdate.ini' file. (First reported: 02.02.2026 07:47; 1 source: thehackernews.com)
- The malware performs validation procedures and sends an HTTP request to the attacker-controlled infrastructure to receive more PowerShell payloads for subsequent execution. (First reported: 02.02.2026 07:47; 1 source: thehackernews.com)
- The affected machines are mainly located in India, Bangladesh, Sri Lanka, and the Philippines. (First reported: 02.02.2026 07:47; 1 source: thehackernews.com)
- The attackers had to have studied the internals of eScan in detail to understand how its update mechanism worked and how it could be tampered with to distribute malicious updates. (First reported: 02.02.2026 07:47; 1 source: thehackernews.com)
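A read-only host triage script for the artifacts the snippets above describe (added here as an example; it is not code from eScan, Morphisec or any of the cited articles). The file paths, the defrag-task disguise and the GUID-named registry persistence come from the reports; the 'escan' hostname match in the hosts file, the choice of the Run key, and the date pattern searched in Eupdate.ini are assumptions.

```powershell
# Added triage example; not from eScan, Morphisec or the cited articles.
# Collects, without changing anything, the host artifacts the reports describe.
# Run in an elevated PowerShell session. The hostname, Run-key and date
# heuristics below are assumptions, not published indicators.

$escanDir = 'C:\Program Files (x86)\eScan'
$binaries = @('reload.exe', 'CONSCTLX.exe')    # components the reports say were replaced
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Authenticode status: the rogue files were reported as carrying an invalid
#    signature, so anything other than 'Valid' on these paths deserves a look.
foreach ($name in $binaries) {
    $path = Join-Path $escanDir $name
    if (Test-Path -LiteralPath $path) {
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($sig.Status -ne 'Valid') {
            $findings.Add("signature status '$($sig.Status)' on $path (SHA256 $hash)")
        }
    }
}

# 2. hosts file: an eScan hostname pinned to loopback or 0.0.0.0 would silently
#    block update traffic. Matching the substring 'escan' is an assumption.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -LiteralPath $hostsFile |
    Where-Object { $_ -match '^\s*(127\.\d+\.\d+\.\d+|0\.0\.0\.0|::1)\s' -and $_ -match 'escan' } |
    ForEach-Object { $findings.Add("hosts entry: $($_.Trim())") }

# 3. Eupdate.ini: the malware writes the current date as the last update time,
#    so a fresh-looking timestamp here is not evidence of a clean update.
#    The key name is not given in the reports, so any date-like line is listed.
$ini = Join-Path $escanDir 'Eupdate.ini'
if (Test-Path -LiteralPath $ini) {
    Get-Content -LiteralPath $ini |
        Where-Object { $_ -match '\d{1,4}[-/.]\d{1,2}[-/.]\d{1,4}' } |
        ForEach-Object { $findings.Add("Eupdate.ini date line: $($_.Trim())") }
}

# 4. Scheduled tasks named like defrag jobs but living outside the built-in
#    \Microsoft\Windows\Defrag\ folder.
Get-ScheduledTask |
    Where-Object { $_.TaskName -match 'defrag' -and $_.TaskPath -ne '\Microsoft\Windows\Defrag\' } |
    ForEach-Object {
        $exe = ($_.Actions | ForEach-Object { $_.Execute }) -join '; '
        $findings.Add("task $($_.TaskPath)$($_.TaskName) runs: $exe")
    }

# 5. Run-key values whose names are bare GUIDs. The reports describe registry
#    persistence under randomly generated GUID names; the Run key is an assumption.
$guidRe = '^\{?[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}?$'
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (Test-Path -LiteralPath $key) {
        (Get-Item -LiteralPath $key).Property |
            Where-Object { $_ -match $guidRe } |
            ForEach-Object {
                $value = Get-ItemPropertyValue -LiteralPath $key -Name $_
                $findings.Add("$key value '$_' = $value")
            }
    }
}

if ($findings.Count -eq 0) {
    'No artifacts matching these checks were found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

A hit from checks 2 to 5 is a lead, not a verdict; compare the SHA256 values from check 1 against the hashes Morphisec published before acting on them.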
Similar Happenings
Active Exploitation of Critical Microsoft WSUS Flaw
A critical vulnerability in Microsoft Windows Server Update Service (WSUS), CVE-2025-59287, is being actively exploited in the wild. This flaw, with a CVSS score of 9.8, allows attackers to drop malicious payloads and execute arbitrary commands on infected hosts. The vulnerability affects WSUS versions 3.32.x and was discovered by Eye Security and Huntress. The Cybersecurity and Infrastructure Security Agency (CISA) has ordered U.S. government agencies to patch the flaw, which was added to the Known Exploited Vulnerabilities catalog. Organizations using WSUS are advised to apply the out-of-band security updates provided by Microsoft to mitigate the risk of exploitation. The flaw was originally patched by Microsoft as part of its Patch Tuesday updates, but attackers have since weaponized it to deploy .NET executables and Base64-encoded PowerShell scripts. Shadowserver is tracking over 2,800 WSUS instances with default ports exposed online. The vulnerability is a deserialization of untrusted data flaw that allows unauthenticated attackers to achieve remote code execution with system privileges by sending malicious encrypted cookies to the GetCookie() endpoint. A compromised WSUS server could potentially be used to distribute malicious updates to the entire network of client computers, making it particularly dangerous for large enterprises. Huntress advised isolating network access to WSUS and blocking inbound traffic to TCP ports 8530 and 8531 as remediation steps. The out-of-band (OOB) security update KB5070881 for CVE-2025-59287 broke hotpatching on some Windows Server 2025 devices. Microsoft has released a new update, KB5070893, to address the issue without disrupting hotpatching. Administrators are advised to install this update to maintain hotpatching functionality.
Flax Typhoon APT Group Exploits ArcGIS for Persistent Access
The Flax Typhoon APT group, also tracked as Ethereal Panda and RedJuliett, exploited a legitimate ArcGIS application to establish a persistent backdoor for over a year. The attack involved modifying the ArcGIS server’s Java server object extension (SOE) to function as a web shell, enabling command execution, lateral movement, and data exfiltration. The malicious SOE persisted even after remediation and patching, highlighting the need for proactive threat hunting and treating all public-facing applications as high-risk assets. The group targeted a public-facing ArcGIS server connected to an internal server, compromising a portal administrator account and deploying a malicious SOE. They used a base64-encoded payload and a hardcoded key to execute commands and upload a renamed SoftEther VPN executable for long-term access. The attack targeted IT staff workstations within the scanned subnet, demonstrating the potential for significant operational disruption and data exposure. The attackers used a public-facing ArcGIS server connected to a private, internal ArcGIS server for backend computations, a common default configuration. They sent disguised commands to the portal server, creating a hidden system directory that became Flax Typhoon's private workspace. The attackers ensured the compromised component was included in system backups, turning the organization's own recovery plan into a guaranteed method of reinfection. ReliaQuest worked with the customer organization and Esri to fully evict Flax Typhoon actors from the environment, which included rebuilding the entire server stack and deploying custom detections for the threat activity. ReliaQuest urged organizations to treat all public-facing applications as high-risk assets and recommended security teams audit and harden such applications. The researchers also highlighted the need for behavioral analytics to complement signature-based detection, as Flax Typhoon did not use any malware or known malicious files. 
Strong credential hygiene was emphasized, noting that a weak administrator password gave the attackers a foothold in the organization's network. ReliaQuest recommended implementing multifactor authentication and practicing the principle of least privilege to enhance security. The ArcGIS geographic information system (GIS) is developed by Esri and supports server object extensions (SOE) that can extend basic functionality. The software is used by municipalities, utilities, and infrastructure operators to manage spatial and geographic data through maps. Researchers at cybersecurity company ReliaQuest have moderate confidence that the threat actor is Flax Typhoon. The attackers used valid administrator credentials to log into a public-facing ArcGIS server linked to a private, internal ArcGIS server. The malicious SOE accepted base64-encoded commands through a REST API parameter (layer) and executed them on the internal ArcGIS server. The exchange was protected by a hardcoded secret key, ensuring only the attackers had access to this backdoor. The attackers downloaded and installed SoftEther VPN Bridge, registering it as a Windows service that started automatically. The VPN established an outbound HTTPS tunnel to the attacker's server at 172.86.113[.]142, linking the victim's internal network to the threat actor's machine. The VPN used normal HTTPS traffic on port 443, blending with legitimate traffic, and remained active even if the SOE was detected and deleted. The attackers scanned the local network, moved laterally, accessed internal hosts, dumped credentials, or exfiltrated data using the VPN connection. The attackers targeted two workstations belonging to the target organization's IT staff, attempting to dump the Security Account Manager (SAM) database, security registry keys, and LSA secrets. Flax Typhoon is known for espionage campaigns to establish long-term, stealthy access through legitimate software. 
The FBI linked Flax Typhoon to the massive "Raptor Train" botnet, impacting the U.S. The Treasury's Office of Foreign Assets Control (OFAC) sanctioned companies that supported the state-sponsored hackers. Esri confirmed this is the first time an SOE has been used this way and will update their documentation to warn users of the risk of malicious SOEs. The attackers used the JavaSimpleRESTSOE ArcGIS extension to invoke a REST operation to run commands on the internal server via the public portal. The attackers specifically targeted two workstations belonging to IT personnel to obtain credentials and further burrow into the network. The attackers reset the password of the administrative account.
Velociraptor DFIR Tool Abused in LockBit and Babuk Ransomware Campaigns
Threat actors, assessed to be China-based Storm-2603, have started using the Velociraptor digital forensics and incident response (DFIR) tool in ransomware attacks deploying LockBit and Babuk ransomware. The attackers exploited a privilege escalation vulnerability in an outdated version of Velociraptor to gain persistent access and control over virtual machines. The campaign involved creating local admin accounts, disabling security features, and using fileless PowerShell encryptors for data exfiltration and encryption. The ransomware deployed on Windows systems was identified as LockBit, while a Linux binary detected as Babuk ransomware was found on VMware ESXi systems. Storm-2603 initially exploited SharePoint vulnerabilities in July 2025 and deployed Warlock, LockBit, and Babuk ransomware on VMware ESXi servers in August 2025. Sophos CTU researchers first documented Velociraptor abuse by Storm-2603 on August 5, 2025. Storm-2603 used the ToolShell exploit to gain initial access and deployed an outdated version of Velociraptor (version 0.73.4.0) that is susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover. The group also used Smbexec to remotely launch programs using the SMB protocol and modified Active Directory (AD) Group Policy Objects (GPOs) to disable real-time protection. Storm-2603 established the infrastructure for the AK47 C2 framework in March 2025 and created the first prototype of the tool the next month. The group pivoted from LockBit-only deployment to dual LockBit/Warlock deployment in April 2025 and used the ToolShell exploit as a zero-day in July 2025. Storm-2603 demonstrated operational flexibility and sophisticated builder expertise using leaked and open-source ransomware frameworks.
UNC5174 Exploits VMware Zero-Day Privilege Escalation Since October 2024
A China-linked threat actor, UNC5174, has been exploiting a zero-day privilege escalation vulnerability in VMware products since mid-October 2024. The flaw, CVE-2025-41244, affects multiple VMware products and allows local attackers to escalate privileges to root on affected virtual machines. The vulnerability was discovered in May 2025 and patched in VMware Tools 12.4.9 and later versions. The flaw is rooted in the get_version() function, which can be exploited by placing a malicious binary in a writable directory. UNC5174 has been observed using this method to gain elevated access and execute code on compromised systems. The exact payload and nature of the attacks remain unclear. Broadcom has confirmed the patch for the vulnerability in VMware Aria Operations and VMware Tools. NVISO released a proof-of-concept exploit demonstrating privilege escalation on vulnerable VMware software. UNC5174 has been linked to previous attacks on U.S. defense contractors, UK government entities, Asian institutions, and the cybersecurity firm SentinelOne, exploiting vulnerabilities such as F5 BIG-IP CVE-2023-46747 and a ConnectWise ScreenConnect flaw. The exploitation of CVE-2025-41244 is considered trivial, potentially benefiting multiple malware strains. NVISO identified the vulnerability in mid-May 2025 during an incident response engagement with UNC5174. Broadcom disclosed three vulnerabilities on September 29, 2025, including CVE-2025-41244. The CVSS severity rating for CVE-2025-41244 is 7.8, classified as high. On October 31, 2025, CISA added CVE-2025-41244 to its Known Exploited Vulnerabilities catalog. FCEB agencies have until November 20, 2025, to patch their systems. CISA urged all organizations to prioritize patching this vulnerability.
Gentlemen Ransomware Exploits Vulnerable Driver to Disable Security Software
The Gentlemen ransomware gang is using a vulnerable driver to disable security software in enterprise environments. The group employs a bring-your-own-vulnerable-driver (BYOVD) attack to terminate antivirus and extended detection and response (EDR) processes. The ransomware exploits CVE-2025-7771, a high-severity vulnerability in the ThrottleStop driver. The gang has demonstrated advanced capabilities, including tailored bypasses for specific security vendors. The attacks have been observed since this summer, with the group adapting its tactics mid-campaign. The use of legitimate, signed drivers complicates detection and defense. The ransomware was first observed this summer. The Gentlemen have been exploiting vulnerable, Internet-facing infrastructure and VPNs in their attacks. The group uses PowerRun.exe and Allpatch2.exe to escalate privileges and disable security products. Recently, the group targeted Oltenia Energy Complex, Romania's largest coal-based energy producer, on December 26, 2025. The attack encrypted documents and temporarily disabled several computer applications, including ERP systems, document management applications, the company's email service, and its website. The company is cooperating with authorities and working to restore its IT systems using backups. Organizations are advised to implement zero-trust controls and monitor for unusual process combinations to defend against these attacks.