Risky Bulletin Newsletter
January 30, 2026
Risky Bulletin: eScan antivirus distributes backdoor in latest supply chain attack
Written by
News Editor
This newsletter is brought to you by Push Security. You can subscribe to an audio version of this newsletter as a podcast by searching for "Risky Business" in your podcatcher or subscribing via this RSS feed.
Cybersecurity firm MicroWorld Technologies, the maker of the eScan antivirus, has fallen victim to a cyberattack after an unidentified threat actor breached its software update infrastructure and deployed malware to customer environments.
The incident took place last week, on January 20, and lasted only about an hour, according to reports from rival security firms Morphisec and Kaspersky, both of which spotted the malware being delivered to customer systems.
The final payload in the attack was a new backdoor hidden in the Reload.exe file that modified the eScan configuration to disable future updates and established a scheduled task for persistence on the infected host.
Once it had a foothold, it contacted a remote command and control server and downloaded another payload, a more specialized malware downloader.
eScan says the incident only affected one of its regional update servers, which it took offline and has since fixed.
Neither Morphisec nor eScan has attributed the attack to a specific group.
This is not the first time eScan has dealt with a security breach. Back in 2024, security firm Avast spotted North Korean state-sponsored hackers abusing the same eScan update mechanism to drop malware inside the networks of large corporations.
Avast linked that attack to Kimsuky, one of North Korea's most successful and active cyber-espionage groups. At the time, Kimsuky deployed two different backdoors and a cryptominer.
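The check a defender would want after reading the above is a hunt for the kind of scheduled task a backdoor registers to survive reboots. The following Python is an added example written for this newsletter, not eScan's, Morphisec's or the attacker's code; the task names, paths, allowlist and sample definitions are hypothetical and constructed. It triages exported Task Scheduler XML (from `schtasks /query /xml` or the files under C:\Windows\System32\Tasks) and flags binaries launched from user-writable locations, bare commands resolved via PATH, download-cradle or encoded-PowerShell arguments, and hidden tasks.

```python
"""Triage exported Windows Task Scheduler XML for persistence-style tasks.

Added example, not eScan's, Morphisec's or the attacker's code. The allowlist,
task names and sample definitions below are hypothetical.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Launch locations a legitimate vendor task normally uses; anything outside
# them is worth a look. Hypothetical allowlist: tune it to your fleet.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# User-writable locations that malware favours for dropped binaries.
WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
# Argument patterns typical of download cradles and encoded PowerShell.
CRADLE_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b|downloadstring|downloadfile|"
    r"invoke-webrequest|\biwr\b|frombase64string|bitsadmin",
    re.IGNORECASE,
)


def normalise(command: str) -> str:
    """Lower-case, unquote and expand the common environment variables."""
    p = command.strip().strip('"').strip("'").lower()
    for var, val in (("%systemroot%", "c:\\windows"), ("%windir%", "c:\\windows"),
                     ("%programfiles%", "c:\\program files")):
        p = p.replace(var, val)
    return p


def assess_task(xml_text) -> list:
    """Return finding codes for one task definition (empty list == nothing odd)."""
    root = ET.fromstring(xml_text)
    findings = []
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = normalise(action.findtext("t:Command", default="", namespaces=NS))
        args = action.findtext("t:Arguments", default="", namespaces=NS)
        if not re.match(r"^[a-z]:\\", cmd):
            # Bare name resolved via PATH: hijackable and hard to attribute.
            findings.append("relative-command")
        elif any(m in cmd for m in WRITABLE_MARKERS) or not cmd.startswith(TRUSTED_PREFIXES):
            findings.append("untrusted-path")
        if CRADLE_RE.search(args):
            findings.append("cradle-or-encoded-args")
    hidden = root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        findings.append("hidden-task")
    # Running as SYSTEM is normal for vendor updaters, so it is reported only
    # alongside another finding rather than on its own.
    user = root.findtext(".//t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    if findings and user.strip().upper() in ("S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"):
        findings.append("runs-as-system")
    return findings


def triage_tasks(tasks: dict) -> dict:
    """Map task name -> findings, keeping only the tasks that raised something."""
    return {name: f for name, xml in tasks.items() if (f := assess_task(xml))}


# Constructed sample task definitions (hypothetical names, SIDs and paths).
_TEMPLATE = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><UserId>{user}</UserId></Principal></Principals>
  <Settings><Hidden>{hidden}</Hidden></Settings>
  <Actions Context="Author"><Exec><Command>{cmd}</Command><Arguments>{args}</Arguments></Exec></Actions>
</Task>"""
BENIGN = _TEMPLATE.format(user="S-1-5-21-1000-2000-3000-1001", hidden="false",
                          cmd="C:\\Program Files\\ExampleVendor\\updater.exe", args="/silent")
DROPPED = _TEMPLATE.format(user="S-1-5-18", hidden="true",
                           cmd="C:\\ProgramData\\SvcHelper\\svc_helper.exe", args="--beacon")
CRADLE = _TEMPLATE.format(user="S-1-5-21-1000-2000-3000-1001", hidden="false",
                          cmd="powershell.exe",
                          args="-w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA")

if __name__ == "__main__":
    for name, hits in triage_tasks({"Vendor Update": BENIGN, "SvcHelper": DROPPED,
                                    "OneDrive Sync": CRADLE}).items():
        print(f"{name}: {', '.join(hits)}")
```

Real exports on disk are UTF-16 with a BOM; read them in binary and pass the bytes straight to `assess_task`, which accepts str or bytes. Treat the output as a triage queue, not a verdict: a vendor updater that lives under Program Files and runs as SYSTEM is exactly what the allowlist is for, which is why SYSTEM alone never raises a finding here.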
Risky Business Podcasts
The main Risky Business podcast is now on YouTube with video versions of our recent episodes. Below is our latest weekly show with Pat and Adam at the helm!
Breaches, hacks, and security incidents
CISA security breach: The CISA interim head uploaded sensitive documents to ChatGPT last year. Madhu Gottumukkala allegedly requested special permission from CISA's tech team to use the app, which was banned at the time. According to Politico, the files were contracting documents and none were classified. There were multiple uploads. A review of the incident was conducted but never concluded.
Poland wiper attack impacted 30 locations: A Russian data wiper attack on Poland's energy sector impacted equipment at 30 locations. The attack targeted remote terminal units (RTUs), devices used for remote monitoring of parts of the energy infrastructure. According to industrial security firm Dragos, the wiper rendered the RTUs inoperable and beyond repair but did not crash the energy grid. The 30 impacted sites included heat-and-power plants and facilities that managed the dispatch of renewable energy from wind and solar sites. [Zero Day]
Pr0n app leak: An app that helped users quit their pr0n addiction left its Firebase backend database exposed on the internet and leaked its users' masturbation habits and sexual fantasies. [404 Media]
General tech and privacy
Apple adds new iPhone privacy feature: Apple is rolling out a new privacy setting for iPhone and iPad devices. The new feature will let users hide their precise location from their mobile and cell providers. Once enabled, telcos will be able to determine a user's general neighborhood but not their exact street or home address. The feature will be available for devices running iOS 26.3 or later.
Apple launches AirTag 2: Apple launched its second generation of AirTag devices this week. They come with improved range and an updated UI, and ship with unwanted-tracking protection enabled by default, a feature that was bolted on after launch to the first-generation AirTag in 2021.
Crates gets a security tab: Rust libraries listed on the Crates portal now have a dedicated Security tab that lists recent vulnerabilities.
Amazon used CSAM for AI: Amazon has confirmed it used hundreds of thousands of suspected child sexual abuse material (CSAM) files to train its AI. [Bloomberg]
Class-action lawsuit over Grok's undressing feature: Individuals who were victimized using Grok's AI undressing feature have filed a class-action lawsuit against Twitter. [CyberScoop]
PornHub blocks UK users: Aylo, the company behind the world's largest adult site PornHub, says it will stop verifying its users' ages and block UK visitors instead, calling the country's Online Safety Act (OSA) a "failed system."
Google settles Android class-action: Google has agreed to pay $135 million to settle a class action lawsuit. The company was accused of illegally using its users' mobile data to send location data to its servers without users' knowledge or consent. This is the second class-action Google settled this week. It also settled a lawsuit for $68 million for illegally recording users via its voice assistant. [Bloomberg Law]
Android coming to the desktop: A Chrome bug report has leaked details for the first time about Android's upcoming desktop version. [9to5Google]
Android theft protection features: Google is adding UI elements in the settings section of Android devices to let users control a bunch of anti-theft features the company quietly added last year.

Government, politics, and policy
South Korea to notify users of breaches: The South Korean government will notify citizens when their data has been exposed in a security breach. The new notification system will cover confirmed breaches, but also incidents still under investigation. The new provision is part of a new cybersecurity framework the government is working on following multiple high-profile breaches last year. [The Korea JoongAng Daily]
GDPR fines are rarely collected: Ireland's data protection agency has collected only 0.5% of all GDPR fines it has ever issued. The DPC has collected only €20 million of the €4.04 billion in fines it has issued since the GDPR was adopted in 2016. The agency says most of the fines are trapped in legal appeals. Ireland is the home country for most foreign tech companies operating in the EU. [The Irish Times]
CyberCommand hacked disinfo farms: US CyberCommand conducted a secret operation that hacked foreign disinformation farms ahead of the US 2024 elections. The campaign targeted Russian and Iranian troll farms. Since taking office, the Trump administration has fired the CyberCommand lead and shut down most government programs meant to fight foreign disinformation. [CNN]
Latvia's annual intel report: The Latvian intelligence service has published its yearly report [PDF], which has a special section dedicated just to "cyber threats." Spoiler alert! It's all about Russia.
ENISA warns of lack of cyber investments: The head of the EU's cybersecurity agency says Europe is not investing enough in cybersecurity. ENISA head Juhan Lepassaar says the EU's recent investments in its security have failed to cover the cyber domain. Lepassaar says most EU startups currently rely on cybersecurity data from American orgs like CISA, MITRE, and others. [Politico Europe]
Sponsor section
In this Risky Business sponsor interview, Catalin Cimpanu talks with Luke Jennings, VP of Research & Development at Push Security, about ConsentFix, a new form of email-based social engineering attack used in the wild, an evolution of the ClickFix attack that goes after your identity.
Arrests, cybercrime, and threat intel
China executes scam compound execs: The Chinese government has carried out the death sentences of 11 individuals who ran cyber scam compounds in Myanmar. The suspects were executed after the court denied their appeal. All were sentenced to death in October and were members of the Ming crime family. Five other cyber scam compound operators linked to the Bai family are also awaiting their execution. [OCCRP]
US seizes RAMP forum: The FBI has seized the RAMP cybercrime forum. A RAMP admin confirmed the takedown in a post on a rival forum. The site had presences on the clear and dark web. It was routinely used to advertise and recruit for ransomware operations. [BleepingComputer]

Google disrupts IPIDEA proxy botnet: Google has obtained a court order and taken down domains linked to the IPIDEA residential proxy botnet. The company says the botnet had been used to hide the activities of multiple threat actors. The IPIDEA group maintains multiple software development kits that let users share their internet bandwidth, but enrolled devices are secretly used to relay malicious traffic. Google will also start blocking Android apps that contain any of the SDKs. The team at Device and Browser Info has since released a list of all IPIDEA-linked proxy exit IPs.
Empire Market admin pleads guilty: Raheim Hamilton, one of the cofounders and administrators of the Empire underground market, has pleaded guilty to federal drug charges. Hamilton and Thomas Pavey ran the dark web market from 2018 to 2020, during which it was used to sell more than $375 million worth of drugs. Pavey pleaded guilty to similar charges earlier this month.
Kingdom Market admin pleads guilty: In a similar case, a Slovakian man also pleaded guilty to running Kingdom Market, another dark web illicit marketplace.
Crypto scammer sentenced: A US court has sentenced a Chinese national to 46 months in prison for laundering $37 million stolen by Cambodian crypto scam compounds. Jingliang Su was part of a network that controlled bank accounts in the Bahamas used to convert the stolen funds into cryptocurrency. Su and seven others pleaded guilty last year.
Chinese crypto laundering ecosystem: Chinese services now account for a fifth of all on-chain money laundering operations. According to a new Chainalysis report, Chinese operators laundered more than $82 billion last year, up from just $10 billion in 2020. The growth was driven by law enforcement actions targeting rival services across Southeast Asia.

MongoDB ransom campaign still going strong: Almost half of all internet-exposed MongoDB servers have been hacked and are being held for ransom. Ransom notes have been found on more than 1,400 databases. The number of compromised hosts is far smaller than the tens of thousands of servers that were online half a decade ago.
Punishing Owl: Positive Technologies looks at Punishing Owl, a new threat actor hacking and leaking data from Russian companies on the dark web.
TA584 profile: Proofpoint has published a profile on TA584, a prolific initial access broker. The report focuses on their 2025 campaigns, which included a shift to ClickFix delivery and a new malware strain named TsundereBot.
SLH campaigns: Push Security looks at the recent hacks of the Scattered Lapsus$ Hunters group and its most recent campaign targeting Okta customers.

More Phantom Enigma: This is an old report from December that I missed about Phantom Enigma, a threat actor behind phishing campaigns in Brazil.
UAT-8099 and WEBJACK overlaps: Cisco Talos has found major overlaps between the UAT-8099 group and a malware campaign that plants malicious IIS modules known as WEBJACK.
AWS WorkMail abuse: Rapid7 has spotted threat actors abusing the AWS WorkMail service to "build phishing and spam infrastructure inside a compromised cloud environment."
HxSEO marketplace: Fortra's security team has published a profile on HxSEO, a marketplace for contracting blackhat SEO services.
Operation Bizarre Bazaar: Hackers are scanning the internet for misconfigured LLM servers and selling access to their computing power on specialized marketplaces. The campaign targets multiple LLM solutions, such as Ollama, vLLM, and various custom agents. Pillar Security has linked the attacks to a threat actor going by the name Hecker.

Malicious VSCode extension: Aikido Security has discovered a malicious VSCode extension posing as ClawdBot that deploys a malicious ScreenConnect instance.
And… another one: SecureAnnex has found a different malicious extension, this one distributed via the Open VSX marketplace.
Cybercrime forums overview: Russian security firm Positive Technologies has published an overview of past and current hacking forums and the infrastructure they run on.

Malware technical reports
NFCShare: D3Lab looks at a sample of NFCShare, an Android trojan that tricks users into entering their card details, tapping their payment card against the phone's NFC reader, and sharing their PIN. The trojan sends this data to an attacker, who then uses it for rogue transactions.
GhostChat spyware: ESET has discovered a new Android spyware strain named GhostChat. The attackers are using romance scams to target individuals in Pakistan.
ErrTraffic: The Ctrl-Alt-Int3l research group has published a report on ErrTraffic, a new cybercrime tool that automates the deployment of ClickFix social engineering lures and pages. The tool is currently being advertised on Russian-speaking hacking forums.
"Our analysis of ErrTraffic uncovered several recurring design flaws that could [lead] to full panel compromise, under certain conditions."
IClickFix: Threat actors are using a framework named IClickFix that can be used to build ClickFix pages on hacked WordPress sites. According to security firm Sekoia, the framework has been live on more than 3,800 sites since December 2024. The framework received significant updates last year as ClickFix attacks became widespread.

TOXICSNAKE TDS: The team at the Malware Files looks at a multi-domain traffic distribution system (TDS) they are calling TOXICSNAKE.
EncystPHP: Fortinet's security team has published a technical analysis of EncystPHP, a new web shell being dropped in the wild on FreePBX telephony servers.
Interlock ransomware: Fortinet looks at the history and technical operations of the Interlock ransomware operation since its launch in March last year.

New offensive OT framework: Lab52 has spotted an "offensive OT framework" being sold on underground Telegram channels by a threat actor claiming to be Iranian.
PureRAT: Broadcom has published a report on PureRAT, a remote access trojan linked to a Vietnamese cybercrime group.
G_Wagon Infostealer: Snyk looks at G_Wagon Infostealer, an infostealer distributed through malicious npm packages this month.
Phantom Stealer: Threat researcher Manoj Kshirsagar has published a write-up on an XLoader campaign dropping Phantom Stealer via a malspam campaign.

Sponsor section
In this wholly sponsored Soap Box edition of the show, Patrick Gray chats with Adam Bateman and Luke Jennings from Push Security.
APTs, cyber-espionage, and info-ops
APT41's MoonBounce: Security researcher Clibm079 has published a technical analysis of MoonBounce, a UEFI firmware implant used in past APT41 operations.
"From my perspective, MoonBounce can be described as “patching the firmware execution core,” as it directly modifies the DXE Core’s executable code and embeds its logic into the core execution path. By doing so, it functions as an inline hook that executes before—and beneath—all DXE drivers, rather than existing as a separate driver or module. This represents a highly advanced and powerful boot-path-adaptive UEFI implant that supports both legacy (CSM) and pure UEFI boot paths, demonstrating a deep and precise understanding of the DXE internal execution flow, timing, and trust boundaries of the UEFI boot process."
Contagious Interview write-up: In case you're not bored of these write-ups, here's another one on Contagious Interview, a DPRK op targeting software devs with malware-laced job offers. [CodeCrank]
Labyrinth Chollima evolves into 3 groups: A major North Korean hacking group known as Labyrinth Chollima has separated and evolved into three distinct groups. According to CrowdStrike, the three operate independently but continue to share the same tooling. The core of Labyrinth Chollima continues to carry out cyber-espionage operations, while the newer Golden and Pressure Chollima target the cryptocurrency ecosystem.

Vulnerabilities, security research, and bug bounty
Apache bRPC vulnerability: CyberArk has published a write-up on a command injection vulnerability in Apache bRPC the company discovered with its AI tools. This is tracked as CVE-2025-60021 and has a CVSS of 9.8.
New Solarwinds deserialization bug: Horizon3 has discovered an unauth deserialization bug in the SolarWinds Web Help Desk that can lead to remote code execution. This is tracked as CVE-2025-40551.
Check Point LPE: AmberWolf researchers have published a write-up on an LPE bug in the Check Point Harmony platform. This was patched back in November.
Samsung MagicINFO RCE: In a two-part series, Source Incite looks at an RCE recently patched in the MagicINFO server, which is Samsung's digital signage system.
Thunderbird patches encrypted email exfil bug: Mozilla has patched a bug in Thunderbird that allowed a CSS-based exfil channel for content from partially-encrypted emails.
GnuPG security patches: The GnuPG project (and Gpg4win) has released a security update to patch a vulnerability that can enable remote code execution. No CVE has been assigned yet.
Command & Conquer RCE: Since many old games have now had their source published online, security researchers are combing their old code for bugs. The latest discovery is an RCE in Command & Conquer: Generals.
vm2 sandbox escape: Semgrep and Step Security have published breakdowns of CVE-2026-22709, a vulnerability that lets attackers escape the vm2 JavaScript sandbox. The bug has a 9.8 CVSS score due to its ease of exploitation.
Most bug hunters are younglings: According to Bugcrowd's yearly report, almost 92% of bug bounty hunters are 34 or younger, making the profession a young man's game.
Clawdbot misconfiguration causes havoc: The developers of the Clawdbot AI agent framework (now rebranded as Moltbot) have shipped their product without security guardrails, which has led developers to build incredibly insecure apps. According to Intruder, Netskope, and Token Security, threat actors have exploited some of these apps by harvesting credentials from misconfigured instances or using Twitter replies for prompt injection attacks on some Clawdbot-based agents. AI… fun fun fun!
My threat model is not your threat model, but it should be. Don’t run Clawdbot. https://t.co/FOUEJCFYcD
— Heather Adkins - Ꜻ - Spes consilium non est (@argvee) January 26, 2026
Infosec industry
New tool—Chronix: Security researcher Tyrrell Brewster has released Chronix, a self-hosted collaborative workspace for pentesters and red team operators.
Threat/trend reports: BlackFog, Bugcrowd, Canada's Cyber Centre, Chainalysis, Check Point, Cisco Talos, Incogni, Project Discovery, Quorum Cyber, Sonatype, Sumo Logic, and Zscaler have recently published reports and summaries covering various threats and infosec industry trends.

Risky Business podcasts
In this edition of Seriously Risky Business, Tom Uren and Amberleigh Jack talk about the Pall Mall Process, an international effort to rein in abusive spyware. The pair also discuss news that Chinese Salt Typhoon hackers compromised the calls of senior UK officials in Downing Street.
In this edition of Between Two Nerds, Tom Uren and The Grugq discuss how getting pinged hurts state hackers by introducing uncertainty. Publishing technical reports on the hack can actually improve the situation by removing uncertainty about how attackers were detected.