Supply chain attack on eScan antivirus: detecting and remediating malicious updates
TLP: WHITE | Author: PetrP.73 | Created: 2026-01-30 | Modified: 2026-03-01
On January 20, a significant supply chain attack hit eScan antivirus, a product of MicroWorld Technologies. The attackers compromised one of the regional update servers and used it to distribute a malicious file named Reload.exe to users of the antivirus. The malware started a multi-stage infection chain and crippled the antivirus's ability to receive further updates by altering the HOSTS file; with legitimate update traffic blocked, the update service reported errors. Investigation showed that Reload.exe was not introduced through a vulnerability in the software itself but through unauthorized access to the update infrastructure. The malware carried a fake (invalid) digital signature, which nonetheless helped it pass as a legitimate update to unsuspecting users.
Indicators of Compromise (28)