You hardly expect an antivirus to be the thing that breaks the trust. But that’s exactly what happened with eScan this month.
On January 20, researchers identified a critical supply-chain compromise affecting MicroWorld Technologies’ eScan antivirus. Instead of stopping malware, the product’s own update mechanism was used to deliver it. Legitimate updates, pushed through eScan’s infrastructure, carried a multi-stage malware payload to both enterprise and consumer systems.
According to Morphisec Threat Labs, the malicious updates were digitally signed using a compromised eScan certificate, meaning they looked authentic and slipped past normal trust checks. For affected users, nothing appeared wrong—until it was.
Once installed, the malware went to work. It established persistence, enabled remote access, and then did something especially troubling: it cut the system off from future updates. By modifying the Windows hosts file and eScan registry settings, the malware blocked connections to eScan’s own update servers. In other words, the fix couldn’t reach the machines that needed it most.
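One defensive check that tampering pattern suggests, as an added example rather than anything from the article, eScan or Morphisec: audit the Windows hosts file for entries that override a vendor's update hostnames, distinguishing entries that sink the connection (loopback or null address) from ones that redirect it elsewhere. The article does not name eScan's update servers, so the watched hostnames and the sample hosts content below are constructed placeholders.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Hostnames worth watching. The article does not name eScan's update servers,
# so these are placeholders (assumption); substitute the vendor's real ones.
WATCHED_DOMAINS = ("update.example-av.invalid", "download.example-av.invalid")

def _is_sinkhole(ip: str) -> bool:
    """Loopback or unspecified addresses silently break the connection."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified

def _is_watched(host: str, watched: Iterable[str]) -> bool:
    host = host.lower().rstrip(".")
    return any(host == w or host.endswith("." + w) for w in watched)

def find_pinned_update_hosts(hosts_text: str,
                             watched: Iterable[str] = WATCHED_DOMAINS) -> List[Tuple[int, str, str, str]]:
    """Return (line, ip, hostname, kind) for every hosts-file entry that overrides
    a watched hostname: 'sinkhole' if it blocks the connection, 'redirect' otherwise."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()                    # one address, one or more hostnames
        for name in names:
            if _is_watched(name, watched):
                kind = "sinkhole" if _is_sinkhole(ip) else "redirect"
                findings.append((lineno, ip, name, kind))
    return findings

# Constructed sample, not a real capture: lines 4, 5 and 7 show the tampering pattern.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-av.invalid
127.0.0.1       download.example-av.invalid cdn.download.example-av.invalid
192.0.2.10      www.example.com
203.0.113.5     update.example-av.invalid
"""

if __name__ == "__main__":
    for lineno, ip, name, kind in find_pinned_update_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip} ({kind})")
```

To run it against a live machine, pass the contents of `C:\Windows\System32\drivers\etc\hosts` to `find_pinned_update_hosts` instead of the sample; any hit for a vendor update hostname deserves a look alongside the registry and scheduled-task checks.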
This wasn’t a single-step infection. The initial payload replaced a legitimate 32-bit eScan component, which then dropped additional stages, including a downloader and a 64-bit backdoor with full remote access capabilities. Persistence mechanisms were disguised as routine Windows defragmentation tasks and hidden behind randomly generated registry entries, subtle enough to blend into normal system noise.
For users, the impact is straightforward and uncomfortable. An antivirus update became the entry point. Automatic remediation was deliberately blocked by the malware. And without external detection tools in place, many systems would have remained compromised indefinitely.
Morphisec says it detected and blocked the malicious behaviour on protected systems within hours and contacted MicroWorld the same day. eScan, for its part, says it isolated the affected infrastructure within an hour and took its global update system offline for over eight hours. Still, remediation hasn’t been frictionless. Morphisec reports that customers had to proactively reach out to eScan for cleanup support, even as the vendor said users were being notified directly.
What makes this incident resonate beyond eScan is how familiar it feels. It echoes past supply-chain attacks like the 3CX compromise, where attackers moved laterally through trusted software and signed updates to reach thousands of downstream victims. Different vendor, same lesson: trust relationships are still one of the softest targets in security.
How affected organisations should respond
For organisations still running eScan, the guidance is blunt. Assume compromise on unprotected systems. Isolate affected machines. Conduct full forensic reviews. As of publication, no public advisory has been issued, and the investigation remains ongoing.
This incident reinforces an uncomfortable reality. Security tools are no longer neutral by default. They are high-value targets, and when they fail, the blast radius is wide. Supply-chain security is about how quickly customers can detect, verify, and recover when trust breaks.
