Security Check-in Quick Hits: eScan Supply Chain Attack, SonicWall Ransomware Fallout, Microsoft Office Zero-Day, Ivanti EPMM Flaws, Notepad++ Hack, AI Prompt Injection Surge, Aisuru Botnet DDoS
For February 3, 2026
Unpacking the eScan Antivirus Supply Chain Compromise
In a stark reminder of the vulnerabilities in security software ecosystems, eScan antivirus—developed by India’s MicroWorld Technologies—fell victim to a sophisticated supply chain attack on January 20, 2026. Attackers breached a regional update server, distributing a trojanized “reload.exe” file primarily to users in South Asia. This malware, signed with a forged certificate, employed PowerShell payloads to alter registry entries, delete essential files, and manipulate the hosts file to block legitimate updates by redirecting domains to a non-routable IP address. The attack persisted for about two hours, connecting to command-and-control (C2) servers for further payloads, effectively preventing automatic remediation and necessitating manual interventions.
The impact was significant, as it turned a trusted antivirus update channel into a malware delivery mechanism, echoing high-profile breaches like SolarWinds and MOVEit. MicroWorld quickly isolated the affected servers and urged users to contact support for patches, confirming the incident stemmed from unauthorized access. This event underscores the escalating risks in supply chains, where even security tools can become attack vectors.
To mitigate such threats, organizations should implement end-to-end supply chain verification, regular code signing audits, and behavioral monitoring systems. Staying vigilant with multi-layered defenses is crucial in an era where attackers exploit the very tools designed to protect us.
SonicWall Vulnerability Sparks Ransomware Chaos at Marquis
A critical vulnerability in SonicWall firewalls, identified as CVE-2025-53704, has led to widespread fallout, most notably in a ransomware attack on fintech provider Marquis Software Solutions. Exploited since August 2025, the flaw leaks swap cookies and session IDs, allowing attackers to steal SSL VPN credentials and pivot into connected systems. In Marquis’ case, this resulted in ransomware deployment affecting over 74 U.S. banks and credit unions, compromising personal data of more than 400,000 customers—including names, addresses, and financial details. The attack also hit cloud backups, amplifying the damage. Marquis explicitly linked the breach to the SonicWall exploit in internal memos, revealing that over 100 SonicWall accounts were compromised in the broader campaign.
This incident highlights the cascading effects of third-party vulnerabilities in interconnected supply chains, where a single flaw can ripple through financial institutions, eroding trust and causing operational disruptions. SonicWall has urged immediate patching, but the damage illustrates how unpatched systems become gateways for sophisticated threats.
Recommendations include enforcing multi-factor authentication (MFA), aggressive patching protocols, and network segmentation to limit lateral movement. Financial sectors must prioritize vendor risk assessments and assume breach scenarios to bolster resilience against such chained attacks.
Microsoft Office Zero-Day: A Gateway to Bypassing Protections
Microsoft recently patched a high-severity zero-day vulnerability in Office, dubbed CVE-2026-21509 (CVSS 7.8), which has been actively exploited in the wild. This security feature bypass flaw exploits untrusted inputs to evade Object Linking and Embedding (OLE) mitigations in Microsoft 365 and Office suites, allowing attackers to circumvent protections against vulnerable COM/OLE controls. While specifics on the exploitation chain remain limited, it enables local attackers to execute arbitrary code or bypass security prompts through malicious documents.
Federal agencies have been mandated to patch by mid-February 2026, underscoring the urgency. The flaw’s exploitation aligns with broader trends in office productivity software being weaponized for initial access in targeted campaigns.
Impacts could include unauthorized code execution, data theft, or persistence in enterprise environments. To counter this, users should apply the latest patches immediately, enable Protected View for untrusted documents, and deploy endpoint detection tools. This patch serves as a critical reminder to treat office files with caution and integrate zero-trust principles into document handling workflows.
Ivanti EPMM Zero-Days Under Active Exploitation
Ivanti has addressed two zero-day remote code execution (RCE) vulnerabilities in its Endpoint Manager Mobile (EPMM) product, CVE-2026-1281 and CVE-2026-1340, which enable unauthenticated attackers to inject and execute arbitrary code. These flaws have seen limited but confirmed exploitation, with a proof-of-concept (PoC) publicly available since January 30, 2026. Compromised systems risk exposure of personally identifiable information (PII), such as names, emails, phone numbers, GPS data, and device details, posing severe privacy and security threats to managed endpoints.
Added to CISA’s Known Exploited Vulnerabilities catalog, these issues demand swift action from affected customers. The attacks exploit misconfigurations or unpatched instances, allowing remote takeovers.
Organizations using Ivanti EPMM should apply the updates without delay, conduct vulnerability scans, and monitor for anomalous activity. Implementing least-privilege access, network segmentation, and regular audits can further reduce risks. This incident reinforces the need for proactive patch management in endpoint security tools, where delays can lead to widespread compromises.
Notepad++ Supply Chain Hack: A Wake-Up Call for Open-Source Tools
Notepad++, a staple open-source text editor, was targeted in a six-month supply chain attack from June to December 2025, attributed to Chinese state-sponsored actors. Rather than altering the code itself, attackers compromised the shared hosting provider for notepad-plus-plus.org, intercepting update requests from the built-in updater (GUP.exe). Selective victims—primarily in telecom, finance, and East Asian organizations—were redirected to malicious servers, downloading trojanized executables disguised as legitimate patches.
Discovery came in December 2025 via security researcher Kevin Beaumont, who linked incidents to suspicious Notepad++ processes. The project’s maintainer, Don Ho, confirmed the breach, leading to hardened updates: version 8.8.8 restricted to GitHub, and 8.8.9 added signature validation, with XMLDSig enhancements in later releases.
This selective attack avoided mass infection but enabled espionage and persistence in high-value targets. Users who updated via the built-in tool during the period, especially in targeted sectors, should investigate for indicators like anomalous files in %TEMP%.
Lessons include verifying update signatures, preferring direct GitHub downloads, and scrutinizing third-party infrastructure. Even small open-source projects are prime targets, demanding robust security practices to safeguard users.
Rising AI Threats: Prompt Injection, Deepfakes, and Agency Abuse
2026 is witnessing a surge in AI-related vulnerabilities, with prompt injection topping the list for large language models (LLMs), including exploits like EchoLeak (CVE-2025-32711) for data exfiltration. Agentic AI systems face “agency abuse,” such as goal-hijacking via memory poisoning, potentially causing more breaches than human errors. Deepfakes are proliferating, enabling hyper-personalized scams targeting executives and governments, with 29% of professionals reporting sightings. Additional risks include AI-amplified phishing, model poisoning, and non-human identity sprawl, where AI agents may outnumber humans 80:1.
The LLMJacking campaign exemplifies this, hijacking exposed AI endpoints like Ollama for resource theft and resale on underground markets. Meanwhile, the conviction of former Google engineer Linwei Ding for stealing AI hardware secrets highlights insider threats in tech rivalry.
These issues erode digital trust and amplify attack surfaces. Mitigation strategies involve outcome assurance, red-teaming exercises, zero-trust architectures for AI, and deepfake detection tools. As AI integrates deeper into operations, securing prompts, endpoints, and data flows is essential to prevent exploitation.
Aisuru Botnet Sets New DDoS Record Amid Disruptions
The Aisuru botnet, alias Kimwolf, shattered records with a 31.4 Tbps DDoS attack on December 19, 2025, during the “The Night Before Christmas” campaign against telecom firms, exceeding its prior 29.7 Tbps mark. Peaking at over 200 million HTTP requests per second, the assault was mitigated by Cloudflare, which noted most attacks as short 1-5 Tbps bursts to dodge detection. Infecting over 2 million devices via IoT vulnerabilities and unpatched systems, Aisuru exploits for hyper-volumetric disruptions capable of crippling global infrastructure.
This aligns with broader botnet trends, including Google’s disruption of the IPIDEA residential proxy network, which enrolled user devices for masking cyber attacks, reducing its pool by millions through domain seizures.
Such botnets underscore evolving threats, demanding advanced defenses. Organizations should adopt automated traffic scrubbing, zero-trust models, and regular patching. Monitoring for unusual network activity and educating on bandwidth-sharing scams can prevent enrollment in these networks.