• UPD 30.01.2026: Added technical details about the attack chain and more IoCs.
• On January 20, a supply chain attack occurred, with the infected software being the eScan antivirus developed by the Indian company MicroWorld Technologies.
• The previously unknown malware was distributed through the eScan update server.
• The same day, our security solutions detected and prevented cyberattacks involving this malware.
• On January 21, having been informed by Morphisec, the developers of eScan contained the security incident related to the attack.

Malicious software used in the attack

Users of the eScan security product received a malicious Reload.exe file, which initiated a multi-stage infection chain.
Article Summaries:
- On January 20, 2026, a supply-chain attack targeted the eScan antivirus from MicroWorld Technologies. Attackers accessed a regional update server and replaced the legitimate Reload.exe file with a malicious executable bearing a fake digital signature. The malware blocked further updates by modifying the HOSTS file, established persistence through scheduled tasks (e.g., “CorelDefrag”), and communicated with command-and-control servers to download additional payloads. Security vendor Morphisec detected and halted the attacks the same day, and eScan developers isolated the compromised infrastructure, reset credentials, and contained the incident by January 21. The breach mainly affected users in South Asia, with hundreds of infected machines identified.
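A defender-side triage check for the two host artifacts described above (HOSTS file tampering and the “CorelDefrag” scheduled task), as an added example that is not code from the original article or from eScan. The `escan` keyword, the `.example` hostnames and both sample inputs are constructed assumptions, since the article names no blocked domains.

```python
import ipaddress

# Assumption: substring identifying the vendor's hosts; the article lists no domains.
WATCHED_KEYWORDS = ("escan",)
# Scheduled-task name the article gives as a persistence example.
SUSPECT_TASKS = {"coreldefrag"}

# Constructed sample inputs (not real indicators).
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1   localhost
0.0.0.0     update.escan-placeholder.example  # constructed
10.0.0.5    intranet.example
127.0.0.1   dl.escan-placeholder.example mirror.escan-placeholder.example
"""
SAMPLE_TASKS = ["\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "\\CorelDefrag"]


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0].split("%")[0])  # strip IPv6 zone id
        except ValueError:
            continue  # first field is not an address: not a mapping line
        for host in fields[1:]:  # one line may map several names
            yield line_no, ip, host.lower().rstrip(".")


def audit_hosts(text, keywords=WATCHED_KEYWORDS):
    """Flag any override of a watched hostname; an AV update host should resolve via DNS."""
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if any(k in host for k in keywords):
            kind = "sinkholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
            findings.append((line_no, host, str(ip), kind))
    return findings


def audit_tasks(task_paths, suspects=SUSPECT_TASKS):
    """Return task paths whose leaf name matches a suspect name (case-insensitive)."""
    return [t for t in task_paths if t.rsplit("\\", 1)[-1].lower() in suspects]


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("hosts:", finding)
    print("tasks:", audit_tasks(SAMPLE_TASKS))
```

On a live Windows host the inputs would come from `%SystemRoot%\System32\drivers\etc\hosts` and the scheduled-task listing; a hit is a lead for investigation, not proof of infection.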
Sources: