{
  "type": "Domain",
  "indicator": "codegiant.io",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/codegiant.io",
    "alexa": "http://www.alexa.com/siteinfo/codegiant.io",
    "indicator": "codegiant.io",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4189474351,
      "indicator": "codegiant.io",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 3,
      "pulses": [
        {
          "id": "697c6602a05aa853f501b1d6",
          "name": "Supply chain attack on eScan antivirus: detecting and remediating malicious updates",
          "description": "On January 20, a significant supply chain attack impacted eScan antivirus, a product by MicroWorld Technologies. The attackers compromised one of the regional update servers and distributed a malicious file named Reload.exe to users of the antivirus software. This malware initiated a multi-stage infection process and effectively crippled the antivirus's ability to receive subsequent updates by altering the HOSTS file. This action blocked legitimate update communications, leading to errors in the update service.\n\nInvestigations into the attack revealed that the malicious Reload.exe file was not inserted due to a vulnerability in the software itself but rather through unauthorized access to the update infrastructure. The attackers deployed this malware under the guise of a fake invalid digital signature, which facilitated its acceptance as a legitimate update by unsuspecting users.",
          "modified": "2026-03-01T11:01:20.435000",
          "created": "2026-01-30T08:04:18.871000",
          "tags": [
            "supply-chain attack",
            "january",
            "morphisec",
            "microworld",
            "users",
            "hosts file",
            "coreldefrag",
            "kaspersky",
            "kaspersky next",
            "several",
            "morphisec blog",
            "evasive panda",
            "cloud atlas"
          ],
          "references": [
            "https://securelist.com/escan-supply-chain-attack/118688/",
            "https://www.morphisec.com/blog/critical-escan-threat-bulletin/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1565.001",
              "name": "Stored Data Manipulation",
              "display_name": "T1565.001 - Stored Data Manipulation"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 6,
            "domain": 2,
            "hostname": 8,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4
          },
          "indicator_count": 28,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 540,
          "modified_text": "92 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "697c2444d02d93caaf694916",
          "name": "IOC - Threat Bulletin: Critical eScan Supply Chain Compromise",
          "description": "On January 20, 2026, Morphisec identified an active supply chain compromise affecting MicroWorld Technologies\u2019 eScan antivirus product. Malicious updates were distributed through eScan\u2019s legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally.",
          "modified": "2026-03-01T03:00:28.549000",
          "created": "2026-01-30T03:23:48.376000",
          "tags": [
            "sha256",
            "trojanized",
            "component",
            "hashes",
            "additional",
            "virustotal",
            "code",
            "certificate",
            "microworld",
            "command"
          ],
          "references": [
            "https://www.morphisec.com/blog/critical-escan-threat-bulletin/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 3,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4,
            "URL": 2,
            "domain": 1,
            "hostname": 3
          },
          "indicator_count": 17,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 140,
          "modified_text": "93 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "697c06c0ecff909922a7de0b",
          "name": "eScan Antivirus Update Server Compromised to Distribute Multi Stage Malware",
          "description": "Threat actors compromised eScan's update infrastructure, delivering multi-stage malware to both enterprise and consumer systems.",
          "modified": "2026-03-01T01:02:46.153000",
          "created": "2026-01-30T01:17:52.026000",
          "tags": [
            "https",
            "hashes",
            "sha256",
            "domains",
            "ip address"
          ],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "cryptocti",
            "id": "110256",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-SHA256": 4,
            "URL": 2,
            "domain": 1,
            "hostname": 3
          },
          "indicator_count": 10,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 501,
          "modified_text": "93 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://securelist.com/escan-supply-chain-attack/118688/",
        "https://www.morphisec.com/blog/critical-escan-threat-bulletin/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 3,
  "pulses": [
    {
      "id": "697c6602a05aa853f501b1d6",
      "name": "Supply chain attack on eScan antivirus: detecting and remediating malicious updates",
      "description": "On January 20, a significant supply chain attack impacted eScan antivirus, a product by MicroWorld Technologies. The attackers compromised one of the regional update servers and distributed a malicious file named Reload.exe to users of the antivirus software. This malware initiated a multi-stage infection process and effectively crippled the antivirus's ability to receive subsequent updates by altering the HOSTS file. This action blocked legitimate update communications, leading to errors in the update service.\n\nInvestigations into the attack revealed that the malicious Reload.exe file was not inserted due to a vulnerability in the software itself but rather through unauthorized access to the update infrastructure. The attackers deployed this malware under the guise of a fake invalid digital signature, which facilitated its acceptance as a legitimate update by unsuspecting users.",
      "modified": "2026-03-01T11:01:20.435000",
      "created": "2026-01-30T08:04:18.871000",
      "tags": [
        "supply-chain attack",
        "january",
        "morphisec",
        "microworld",
        "users",
        "hosts file",
        "coreldefrag",
        "kaspersky",
        "kaspersky next",
        "several",
        "morphisec blog",
        "evasive panda",
        "cloud atlas"
      ],
      "references": [
        "https://securelist.com/escan-supply-chain-attack/118688/",
        "https://www.morphisec.com/blog/critical-escan-threat-bulletin/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1565.001",
          "name": "Stored Data Manipulation",
          "display_name": "T1565.001 - Stored Data Manipulation"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 6,
        "domain": 2,
        "hostname": 8,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4
      },
      "indicator_count": 28,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 540,
      "modified_text": "92 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "697c2444d02d93caaf694916",
      "name": "IOC - Threat Bulletin: Critical eScan Supply Chain Compromise",
      "description": "On January 20, 2026, Morphisec identified an active supply chain compromise affecting MicroWorld Technologies\u2019 eScan antivirus product. Malicious updates were distributed through eScan\u2019s legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally.",
      "modified": "2026-03-01T03:00:28.549000",
      "created": "2026-01-30T03:23:48.376000",
      "tags": [
        "sha256",
        "trojanized",
        "component",
        "hashes",
        "additional",
        "virustotal",
        "code",
        "certificate",
        "microworld",
        "command"
      ],
      "references": [
        "https://www.morphisec.com/blog/critical-escan-threat-bulletin/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 3,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4,
        "URL": 2,
        "domain": 1,
        "hostname": 3
      },
      "indicator_count": 17,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 140,
      "modified_text": "93 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "697c06c0ecff909922a7de0b",
      "name": "eScan Antivirus Update Server Compromised to Distribute Multi Stage Malware",
      "description": "Threat actors compromised eScan's update infrastructure, delivering multi-stage malware to both enterprise and consumer systems.",
      "modified": "2026-03-01T01:02:46.153000",
      "created": "2026-01-30T01:17:52.026000",
      "tags": [
        "https",
        "hashes",
        "sha256",
        "domains",
        "ip address"
      ],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "cryptocti",
        "id": "110256",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-SHA256": 4,
        "URL": 2,
        "domain": 1,
        "hostname": 3
      },
      "indicator_count": 10,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 501,
      "modified_text": "93 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "codegiant.io",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "codegiant.io",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780396579.5008414
}