North Korean hackers have compromised eScan antivirus software updates delivered via HTTP to install GuptiMiner malware.

The sophisticated attack used DLL hijacking, custom DNS, and IP masking, focusing on Windows 7 and Server 2008 systems.

GuptiMiner's installation also included a cryptocurrency miner, possibly as a distraction from the primary malware activities.

Security researchers suggest ties between the GuptiMiner malware and the North Korean APT group Kimsuki.

eScan has patched the update vulnerability and improved its security, though GuptiMiner infections persist, suggesting some systems remain unpatched.

Avast has published a GitHub page listing indicators of compromise, and users are advised to scan their systems for infections.