The update infrastructure of eScan antivirus, developed by Indian cybersecurity firm MicroWorld Technologies, was compromised in a rare and highly concerning supply-chain attack that enabled attackers to distribute multi-stage malware to enterprise and consumer systems.
Security firm Morphisec reported that threat actors exploited eScan’s legitimate update mechanism to push a malicious update during a brief window of approximately two hours on January 20, 2026. The tainted update installed a persistent downloader designed to disable core security functions, block future updates, and fetch additional malicious payloads. According to Morphisec researcher Michael Gorelik, the malware deliberately interfered with the antivirus product itself, preventing automatic detection and remediation.
MicroWorld Technologies confirmed that the incident stemmed from unauthorized access to one of its regional update server configurations. The affected servers were immediately isolated and taken offline for more than eight hours, and a remediation patch was released to revert all malicious changes. Impacted customers were advised to contact eScan support to ensure their systems were fully cleaned and secured.
Further analysis by Kaspersky revealed that attackers replaced a legitimate eScan component, reload.exe, with a malicious version signed using an invalid digital certificate. The rogue file modified the system’s HOSTS file to block antivirus updates and executed PowerShell-based payloads while bypassing the Windows Antimalware Scan Interface (AMSI).
The malware performed extensive system validation, scanning for analysis tools and competing security products. If such tools were detected, the infection chain terminated—an apparent attempt to evade security researchers. On validated systems, additional payloads were downloaded, persistence was established via scheduled tasks, and update timestamps were falsified to conceal the compromise.
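The two paragraphs above name four artefacts a responder can check on an endpoint that pulled an eScan update in the exposure window: a HOSTS file pinning the update hostnames, a replaced reload.exe whose signature does not validate, scheduled-task persistence for PowerShell payloads, and forged timestamps. The script below is an added triage example written for this page; it is not code from eScan, Morphisec or Kaspersky. The update hostnames and the eScan install directory are assumptions (the article gives neither), as are the argument patterns used to flag suspicious scheduled tasks.

```powershell
<#
 Added triage example (not vendor or researcher code). Assumptions, labelled:
   - $UpdateHosts : hostnames eScan pulls updates from; the article does not
                    list them, so replace the placeholder from your own
                    eScan configuration.
   - $EscanDir    : eScan install directory; the article does not give the
                    path of reload.exe.
 Run as Administrator. Read-only; it changes nothing on the host.
#>
param(
    [string[]]$UpdateHosts = @('updates.example.invalid'),  # placeholder, replace
    [string]$EscanDir = 'C:\Program Files (x86)\eScan'      # assumed, verify
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. HOSTS file: an update hostname pinned to any address (typically 127.0.0.1
#    or 0.0.0.0) silently stops the product from ever receiving the fix.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in (Get-Content $hostsPath -ErrorAction SilentlyContinue)) {
    $entry = ($line -split '#')[0].Trim()              # strip comments
    if (-not $entry) { continue }
    $parts = $entry -split '\s+'
    if ($parts.Count -lt 2) { continue }
    foreach ($name in $parts[1..($parts.Count - 1)]) {
        if ($UpdateHosts -contains $name.ToLower()) {
            Add-Finding 'HOSTS' "$name pinned to $($parts[0])"
        }
    }
}

# 2. Authenticode on reload.exe: anything but Status=Valid (NotSigned,
#    HashMismatch, NotTrusted, UnknownError for an untrusted chain) warrants
#    a closer look. Record SHA-256 for comparison with the vendor's clean build.
$reload = Join-Path $EscanDir 'reload.exe'
if (Test-Path $reload) {
    $sig  = Get-AuthenticodeSignature -FilePath $reload
    $hash = (Get-FileHash -Algorithm SHA256 -Path $reload).Hash
    if ($sig.Status -ne 'Valid') {
        Add-Finding 'Signature' "reload.exe status=$($sig.Status) signer='$($sig.SignerCertificate.Subject)' sha256=$hash"
    } else {
        Write-Host "reload.exe signature valid; signer=$($sig.SignerCertificate.Subject) sha256=$hash"
    }
} else {
    Add-Finding 'Signature' "reload.exe not found at $reload (check `$EscanDir)"
}

# 3. Scheduled-task persistence: tasks launching PowerShell with encoded,
#    hidden or download-and-execute arguments, or running binaries from
#    user-writable locations. The pattern list is this example's heuristic.
$suspiciousArgs = '-enc|-e\s|-w\s*hidden|bypass|iex|invoke-expression|downloadstring|frombase64'
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }     # COM-handler actions have no Execute
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'powershell|pwsh' -and $cmd -match $suspiciousArgs) {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName): $cmd"
        } elseif ($action.Execute -match '\\(AppData|Temp|Public|Downloads)\\') {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName) runs from user-writable path: $($action.Execute)"
        }
    }
}

# 4. Timestamp plausibility under the eScan directory: a file whose last-write
#    time precedes its creation time, or lies in the future, has usually been
#    stomped. Heuristic only; a proper check compares the MFT $STANDARD_INFORMATION
#    and $FILE_NAME timestamps, which user-mode timestomping does not touch.
if (Test-Path $EscanDir) {
    Get-ChildItem -Path $EscanDir -Recurse -File -ErrorAction SilentlyContinue |
      Where-Object { $_.LastWriteTime -lt $_.CreationTime -or $_.LastWriteTime -gt (Get-Date) } |
      ForEach-Object { Add-Finding 'Timestamp' "$($_.FullName) created=$($_.CreationTime) written=$($_.LastWriteTime)" }
}

if ($findings.Count) { $findings | Format-Table -AutoSize } else { Write-Host 'No findings.' }
```

A clean signature on reload.exe is necessary but not sufficient: the vendor's remediation patch reverted the malicious changes, so a host that already received it will pass check 2 while the HOSTS entries, scheduled tasks or downloaded stages may still be present. Treat any single finding as grounds to follow the vendor's advice and involve eScan support rather than cleaning piecemeal.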
Kaspersky telemetry shows that hundreds of systems were targeted, primarily across India, Bangladesh, Sri Lanka, and the Philippines. Experts noted that the attackers demonstrated deep knowledge of eScan’s internal architecture.
The incident highlights the growing threat to trusted software supply chains and underscores that even security vendors are not immune to sophisticated compromise.