North Korea-Linked Hackers Exploit eScan Antivirus to Spread Malware and Mine Crypto
April 24, 2024
Avast researchers discovered a malware campaign using eScan antivirus updates to distribute backdoors and cryptocurrency miners.
The North Korea-linked APT group Kimsuky targeted large corporate networks with this sophisticated attack.
Attackers performed a man-in-the-middle attack that exploited a vulnerability in eScan's update mechanism, replacing legitimate updates with malware.
The main payload was XMRig, a cryptocurrency miner, alongside the deployment of an information stealer likely from Kimsuky.
The vulnerability in eScan's update mechanism had existed for five years; it was fixed after Avast reported it on July 31, 2023.
GuptiMiner, the campaign's malware, communicated through its own DNS servers rather than the network's resolvers, sidestepping detection that monitors ordinary DNS traffic.
The multi-stage infection chain used a Gzip loader to deploy the malware's core components, including the miner and backdoor access.
The use of a cryptocurrency miner might have been a decoy to distract from more malicious activities like data theft.
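The custom-DNS-server behaviour described above leaves a gap for defenders whose DNS monitoring only covers the corporate resolvers. As an added illustration (not code from the original article or from Avast's research), this Python snippet scans constructed Zeek-style dns.log lines and flags hosts that send DNS queries to resolvers outside an assumed approved set; the resolver addresses, hostnames and log lines are invented for the example.

```python
"""Flag DNS traffic that bypasses the organisation's approved resolvers."""
from collections import defaultdict

# Assumed corporate resolvers (hypothetical); DNS sent anywhere else is suspicious.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed log sample, not real traffic.
# Tab-separated fields: ts, src host, dst host, dst port, query name, query type.
SAMPLE_DNS_LOG = """\
1713950000.1\t10.0.5.21\t10.0.0.53\t53\tupdate.example-av.test\tA
1713950001.4\t10.0.5.21\t10.0.0.53\t53\tintranet.corp.test\tA
1713950002.9\t10.0.5.21\t198.51.100.7\t53\tcmd.unknown-resolver.test\tTXT
1713950003.2\t10.0.5.22\t10.0.1.53\t53\tmail.corp.test\tMX
1713950004.0\t10.0.5.21\t198.51.100.7\t53\tbeacon.unknown-resolver.test\tTXT
"""


def parse_dns_log(text):
    """Parse the tab-separated sample into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, query, qtype = line.split("\t")
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "dport": int(dport), "query": query, "qtype": qtype})
    return records


def find_rogue_resolver_use(records, approved=APPROVED_RESOLVERS):
    """Return {src_host: [(resolver, query, qtype), ...]} for every DNS
    query that went to a server outside the approved resolver set."""
    hits = defaultdict(list)
    for r in records:
        if r["dport"] == 53 and r["dst"] not in approved:
            hits[r["src"]].append((r["dst"], r["query"], r["qtype"]))
    return dict(hits)


if __name__ == "__main__":
    rogue = find_rogue_resolver_use(parse_dns_log(SAMPLE_DNS_LOG))
    for host, events in rogue.items():
        print(f"{host}: {len(events)} queries to non-approved resolvers")
        for dst, query, qtype in events:
            print(f"  -> {dst} {qtype} {query}")
```

In a real deployment the same check belongs in a SIEM rule or a firewall policy that blocks outbound port 53 except from the approved resolvers, so that the evasion shows up as a blocked connection rather than silent traffic.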
Summary based on 4 sources
Sources

TechRadar pro • Apr 24, 2024
Antivirus updates hijacked to drop dangerous malware
The Hacker News • Apr 24, 2024
eScan Antivirus Update Mechanism Exploited to Spread Backdoors and Miners
SecurityWeek • Apr 24, 2024
North Korean Hackers Hijack Antivirus Updates for Malware Delivery
Security Affairs • Apr 24, 2024
Hackers hijacked the eScan Antivirus update mechanism in malware campaign