Security researchers have uncovered a sophisticated supply chain attack targeting eScan antivirus users worldwide. Attackers compromised the software vendor's update infrastructure on January 20, 2026, distributing malicious payloads to enterprise and consumer systems during a two-hour window that affected hundreds of machines across India, Bangladesh, Sri Lanka, and the Philippines.

Morphisec researchers first identified the compromise when they detected unusual activity in eScan's update mechanism. MicroWorld Technologies, the company behind eScan, confirmed the unauthorized access and immediately isolated affected servers, which remained offline for over eight hours while the incident was contained. Kaspersky's telemetry later revealed the scope of infection attempts across both individual users and organizations.

The attack deployed multiple malware components through the compromised update channel. The primary payload, a malicious file named Reload.exe, replaced a legitimate eScan component and was designed to block future antivirus updates by rewriting the system HOSTS file, redirecting the update servers' hostnames away from the vendor's infrastructure so the product can no longer fetch a fix through its normal channel. The malware included AMSI bypass capabilities and executed Base64-encoded PowerShell scripts to evade detection. A secondary payload replaced another legitimate file with code that launched additional PowerShell-based malware.

Technical analysis revealed several evasion techniques. The malicious Reload.exe carried a fake digital signature to pass casual inspection; a forged signature fails Authenticode validation, so verifying the file with Get-AuthenticodeSignature or signtool verify, rather than only viewing the certificate details in the file properties, exposes it. Victim validation checks ensured payloads were delivered only to systems without security analysis tools, and the malware modified configuration files so that the client appeared to be updating normally, which means the product's own status display cannot be trusted on a potentially affected machine.

MicroWorld Technologies has released patches that revert the malicious changes and restore normal update operation. Affected organizations are urged to contact the vendor directly to obtain the fixes, since a compromised installation may be unable to retrieve them through the update channel the malware has blocked. Security experts recommend that all eScan users verify their installation integrity and monitor systems for indicators of compromise, particularly unexpected HOSTS file entries and suspicious PowerShell activity such as Base64-encoded command lines.
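The two indicators the article singles out, HOSTS file tampering that blocks the update servers and Base64-encoded PowerShell, can both be checked mechanically. The script below is an added example written for this page, not code from Morphisec, Kaspersky or MicroWorld: it parses HOSTS content, flags entries that pin an update hostname or that are not part of a stock Windows HOSTS file, and decodes the `-EncodedCommand` (or any of its accepted prefixes such as `-enc`) argument from process command lines, then checks the decoded script for strings commonly seen in AMSI tampering. The HOSTS content, the command lines and the update hostnames (`update.example-av.invalid`, `download.example-av.invalid`) are constructed placeholders; the real eScan update hostnames are not given on this page and should be substituted from the vendor's documentation.

```python
import base64

# Constructed sample HOSTS content (not recovered from the incident).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-av.invalid
127.0.0.1       download.example-av.invalid
10.0.0.5        intranet.corp.local
"""

# Hypothetical placeholders for the update hostnames the AV client depends on;
# replace with the vendor's actual hostnames.
UPDATE_HOSTS = {"update.example-av.invalid", "download.example-av.invalid"}

# The only entries a stock Windows HOSTS file carries; anything else merits review.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Substrings that show up in well-known in-process AMSI tampering.
AMSI_INDICATORS = ("amsiutils", "amsiinitfailed", "amsicontext", "amsiscanbuffer", "amsi.dll")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS content, ignoring blank and comment lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower()


def suspicious_hosts_entries(text, update_hosts=UPDATE_HOSTS):
    """Return (ip, hostname, reason) for every entry that is not a stock default."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        if name in update_hosts:
            sinkholed = ip in ("0.0.0.0", "127.0.0.1", "::1")
            reason = "update host sinkholed" if sinkholed else "update host redirected"
        else:
            reason = "non-default entry"
        findings.append((ip, name, reason))
    return findings


def encode_command(script):
    """Build the -EncodedCommand argument PowerShell expects: UTF-16LE text, Base64-encoded."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline uses -EncodedCommand or any prefix of it, else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
        if t.startswith("-") and len(t) > 1 and "encodedcommand".startswith(t[1:]):
            blob = tokens[i + 1].strip("\"'")
            try:
                raw = base64.b64decode(blob, validate=True)
            except ValueError:  # binascii.Error is a ValueError: not valid Base64
                return None
            return raw.decode("utf-16-le", errors="replace")
    return None


def scan_cmdlines(cmdlines):
    """Return one finding per command line carrying an encoded script, with AMSI indicator hits."""
    findings = []
    for line in cmdlines:
        decoded = decode_encoded_command(line)
        if decoded is None:
            continue
        hits = sorted(ind for ind in AMSI_INDICATORS if ind in decoded.lower())
        findings.append({"cmdline": line, "decoded": decoded, "amsi_indicators": hits})
    return findings


# Constructed command lines as they would appear in process-creation telemetry.
# The third one only references the AmsiUtils type; it is a stand-in, not a real bypass.
SAMPLE_SCRIPT_AMSI = (
    "$t=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils'); "
    "Write-Output 'constructed sample'"
)
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    "powershell.exe -ep bypass -enc " + encode_command("Get-Date"),
    "powershell.exe -w hidden -EncodedCommand " + encode_command(SAMPLE_SCRIPT_AMSI),
]

if __name__ == "__main__":
    for ip, name, reason in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"HOSTS: {ip:<15} {name:<32} {reason}")
    for f in scan_cmdlines(SAMPLE_CMDLINES):
        print(f"PS: {f['decoded']!r} amsi={f['amsi_indicators']}")
```

On a live host, feed `C:\Windows\System32\drivers\etc\hosts` to `suspicious_hosts_entries` and the CommandLine field of Sysmon event 1 or Security event 4688 records to `scan_cmdlines`; an update hostname sinkholed to loopback is the strongest single signal that the client has been cut off from the vendor, and any decoded script that touches AmsiUtils warrants immediate triage regardless of what else it does.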