{
  "type": "URL",
  "indicator": "https://codegiant.io/dd/dd/dd.git/download/main/middleware.ts",
  "general": {
    "sections": [
      "general",
      "url_list",
      "http_scans",
      "screenshot"
    ],
    "indicator": "https://codegiant.io/dd/dd/dd.git/download/main/middleware.ts",
    "type": "url",
    "type_title": "URL",
    "validation": [],
    "base_indicator": {
      "id": 4189637898,
      "indicator": "https://codegiant.io/dd/dd/dd.git/download/main/middleware.ts",
      "type": "URL",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 2,
      "pulses": [
        {
          "id": "697b96e3866d3c1d9326032c",
          "name": "Supply chain attack: what you should know",
          "description": "A supply chain attack targeted the eScan antivirus software, distributing malware through the update server. The attack, detected on January 20, involved a malicious Reload.exe file that initiated a multi-stage infection chain. This malware prevented further antivirus updates, ensured persistence through scheduled tasks, and communicated with control servers to download additional payloads. Attackers gained unauthorized access to a regional update server, deploying a malicious file with a fake digital signature. eScan developers quickly isolated the affected infrastructure and reset access credentials. Users are advised to check for infection signs, use a provided removal utility, and block known malware control server addresses. Kaspersky's security solutions successfully detect the malware used in this attack.",
          "modified": "2026-02-02T20:56:33.346000",
          "created": "2026-01-29T17:20:35.658000",
          "tags": [
            "malware",
            "persistence",
            "escan",
            "unauthorized access",
            "digital signature",
            "supply chain",
            "consctlx.exe",
            "scheduled tasks",
            "reload.exe",
            "antivirus"
          ],
          "references": [
            "https://securelist.com/escan-supply-chain-attack/118688/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [
            "British Indian Ocean Territory",
            "India"
          ],
          "malware_families": [
            {
              "id": "Reload.exe",
              "display_name": "Reload.exe",
              "target": null
            },
            {
              "id": "consctlx.exe",
              "display_name": "consctlx.exe",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1053",
              "name": "Scheduled Task/Job",
              "display_name": "T1053 - Scheduled Task/Job"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 14,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 4,
            "hostname": 3,
            "FileHash-SHA1": 5,
            "FileHash-SHA256": 3
          },
          "indicator_count": 15,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386913,
          "modified_text": "119 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        },
        {
          "id": "697c6602a05aa853f501b1d6",
          "name": "Supply chain attack on eScan antivirus: detecting and remediating malicious updates",
          "description": "On January 20, a significant supply chain attack impacted eScan antivirus, a product by MicroWorld Technologies. The attackers compromised one of the regional update servers and distributed a malicious file named Reload.exe to users of the antivirus software. This malware initiated a multi-stage infection process and effectively crippled the antivirus's ability to receive subsequent updates by altering the HOSTS file. This action blocked legitimate update communications, leading to errors in the update service.\n\nInvestigations into the attack revealed that the malicious Reload.exe file was inserted not through a vulnerability in the software itself but through unauthorized access to the update infrastructure. The attackers deployed this malware with a fake, invalid digital signature, which facilitated its acceptance as a legitimate update by unsuspecting users.",
          "modified": "2026-03-01T11:01:20.435000",
          "created": "2026-01-30T08:04:18.871000",
          "tags": [
            "supply-chain attack",
            "january",
            "morphisec",
            "microworld",
            "users",
            "hosts file",
            "coreldefrag",
            "kaspersky",
            "kaspersky next",
            "several",
            "morphisec blog",
            "evasive panda",
            "cloud atlas"
          ],
          "references": [
            "https://securelist.com/escan-supply-chain-attack/118688/",
            "https://www.morphisec.com/blog/critical-escan-threat-bulletin/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1014",
              "name": "Rootkit",
              "display_name": "T1014 - Rootkit"
            },
            {
              "id": "T1053.005",
              "name": "Scheduled Task",
              "display_name": "T1053.005 - Scheduled Task"
            },
            {
              "id": "T1199",
              "name": "Trusted Relationship",
              "display_name": "T1199 - Trusted Relationship"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1565.001",
              "name": "Stored Data Manipulation",
              "display_name": "T1565.001 - Stored Data Manipulation"
            }
          ],
          "industries": [],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 6,
            "domain": 2,
            "hostname": 8,
            "FileHash-MD5": 4,
            "FileHash-SHA1": 4,
            "FileHash-SHA256": 4
          },
          "indicator_count": 28,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 542,
          "modified_text": "93 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "URL",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.morphisec.com/blog/critical-escan-threat-bulletin/",
        "https://securelist.com/escan-supply-chain-attack/118688/"
      ],
      "related": {
        "alienvault": {
          "adversary": [],
          "malware_families": [
            "Reload.exe",
            "Consctlx.exe"
          ],
          "industries": [],
          "unique_indicators": 15
        },
        "other": {
          "adversary": [],
          "malware_families": [],
          "industries": [],
          "unique_indicators": 26
        }
      }
    },
    "false_positive": [],
    "alexa": "http://www.alexa.com/siteinfo/codegiant.io",
    "whois": "http://whois.domaintools.com/codegiant.io",
    "domain": "codegiant.io",
    "hostname": "Unavailable"
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 2,
  "pulses": [
    {
      "id": "697b96e3866d3c1d9326032c",
      "name": "Supply chain attack: what you should know",
      "description": "A supply chain attack targeted the eScan antivirus software, distributing malware through the update server. The attack, detected on January 20, involved a malicious Reload.exe file that initiated a multi-stage infection chain. This malware prevented further antivirus updates, ensured persistence through scheduled tasks, and communicated with control servers to download additional payloads. Attackers gained unauthorized access to a regional update server, deploying a malicious file with a fake digital signature. eScan developers quickly isolated the affected infrastructure and reset access credentials. Users are advised to check for infection signs, use a provided removal utility, and block known malware control server addresses. Kaspersky's security solutions successfully detect the malware used in this attack.",
      "modified": "2026-02-02T20:56:33.346000",
      "created": "2026-01-29T17:20:35.658000",
      "tags": [
        "malware",
        "persistence",
        "escan",
        "unauthorized access",
        "digital signature",
        "supply chain",
        "consctlx.exe",
        "scheduled tasks",
        "reload.exe",
        "antivirus"
      ],
      "references": [
        "https://securelist.com/escan-supply-chain-attack/118688/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [
        "British Indian Ocean Territory",
        "India"
      ],
      "malware_families": [
        {
          "id": "Reload.exe",
          "display_name": "Reload.exe",
          "target": null
        },
        {
          "id": "consctlx.exe",
          "display_name": "consctlx.exe",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1547",
          "name": "Boot or Logon Autostart Execution",
          "display_name": "T1547 - Boot or Logon Autostart Execution"
        },
        {
          "id": "T1071",
          "name": "Application Layer Protocol",
          "display_name": "T1071 - Application Layer Protocol"
        },
        {
          "id": "T1053",
          "name": "Scheduled Task/Job",
          "display_name": "T1053 - Scheduled Task/Job"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1059",
          "name": "Command and Scripting Interpreter",
          "display_name": "T1059 - Command and Scripting Interpreter"
        },
        {
          "id": "T1102",
          "name": "Web Service",
          "display_name": "T1102 - Web Service"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 14,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 4,
        "hostname": 3,
        "FileHash-SHA1": 5,
        "FileHash-SHA256": 3
      },
      "indicator_count": 15,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386913,
      "modified_text": "119 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    },
    {
      "id": "697c6602a05aa853f501b1d6",
      "name": "Supply chain attack on eScan antivirus: detecting and remediating malicious updates",
      "description": "On January 20, a significant supply chain attack impacted eScan antivirus, a product by MicroWorld Technologies. The attackers compromised one of the regional update servers and distributed a malicious file named Reload.exe to users of the antivirus software. This malware initiated a multi-stage infection process and effectively crippled the antivirus's ability to receive subsequent updates by altering the HOSTS file. This action blocked legitimate update communications, leading to errors in the update service.\n\nInvestigations into the attack revealed that the malicious Reload.exe file was inserted not through a vulnerability in the software itself but through unauthorized access to the update infrastructure. The attackers deployed this malware with a fake, invalid digital signature, which facilitated its acceptance as a legitimate update by unsuspecting users.",
      "modified": "2026-03-01T11:01:20.435000",
      "created": "2026-01-30T08:04:18.871000",
      "tags": [
        "supply-chain attack",
        "january",
        "morphisec",
        "microworld",
        "users",
        "hosts file",
        "coreldefrag",
        "kaspersky",
        "kaspersky next",
        "several",
        "morphisec blog",
        "evasive panda",
        "cloud atlas"
      ],
      "references": [
        "https://securelist.com/escan-supply-chain-attack/118688/",
        "https://www.morphisec.com/blog/critical-escan-threat-bulletin/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        },
        {
          "id": "T1014",
          "name": "Rootkit",
          "display_name": "T1014 - Rootkit"
        },
        {
          "id": "T1053.005",
          "name": "Scheduled Task",
          "display_name": "T1053.005 - Scheduled Task"
        },
        {
          "id": "T1199",
          "name": "Trusted Relationship",
          "display_name": "T1199 - Trusted Relationship"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1565.001",
          "name": "Stored Data Manipulation",
          "display_name": "T1565.001 - Stored Data Manipulation"
        }
      ],
      "industries": [],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 6,
        "domain": 2,
        "hostname": 8,
        "FileHash-MD5": 4,
        "FileHash-SHA1": 4,
        "FileHash-SHA256": 4
      },
      "indicator_count": 28,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 542,
      "modified_text": "93 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "URL",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "https://codegiant.io/dd/dd/dd.git/download/main/middleware.ts",
    "type": "URL"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "https://codegiant.io/dd/dd/dd.git/download/main/middleware.ts",
    "type": "URL",
    "found": false,
    "verdict": "clean",
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780415622.5414338
}