
A
Hackers breach eScan antivirus and distribute a backdoor, Google takes down the IPIDEA proxy botnet, most GDPR fines remain uncollected, and the Poland wiper attack hit 30 locations. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Amberly Jack. Today is January 30th and this podcast episode is brought to you by Push Security.

In today's top story, the update mechanism of eScan Antivirus has been used to deliver malware. eScan says the incident affected just one regional update server. It occurred on January 20th and lasted about an hour. The payload was a backdoor that disabled future eScan updates and contacted a remote command and control server.

U.S. Cyber Command hacked foreign disinformation farms ahead of the country's 2024 elections. According to CN, the campaign targeted Russian and Iranian troll farms. Since President Donald Trump took office, his administration has shut down many government programs meant to fight foreign disinformation.

The Russian data wiper attack against Poland's energy sector impacted 30 locations. The attack targeted remote terminal units, which are used to monitor energy infrastructure. According to industrial security firm Dragos, the attack rendered the units beyond repair but did not crash the energy grid. The impacted sites include heat and power plants, as well as facilities that manage renewable wind and solar generation.

Ireland's Data Protection Agency has collected just 0.5% of all GDPR fines issued. Many foreign tech companies operating in the EU are based in Ireland. 20 million euros has been collected since the GDPR entered into effect in 2016. The total fines issued amount to more than 4 billion euros. The agency says most of the fines are stuck in the appeals process.

Apple is rolling out a new privacy setting for iPhones and iPads. The feature will allow users to hide their precise locations from their mobile and cell providers. Once enabled, telcos will only be able to determine a user's general area. The feature will be available for devices running iOS 26.3 or later.

Google has agreed to pay $135 million to settle a class action lawsuit. The company was accused of collecting location data without users' consent. This is the second class action lawsuit Google has settled this week. It also agreed to pay $68 million for recording users via its voice assistant.

The South Korean government will notify citizens when their data is exposed in a security breach. The new system will cover confirmed breaches as well as those under investigation. The changes are part of a new government cybersecurity framework created in response to multiple high-profile breaches last year.

The head of the EU's cybersecurity agency says Europe is not investing enough in the sector. ENISA head Juhan Lepassaar says recent investments in the bloc's security have failed to adequately address cyber. Lepassaar says most EU startups currently rely on cybersecurity data from American organisations like CISA and MITRE.

The Chinese government has carried out the death sentences of 11 individuals who ran cyberscam compounds in Myanmar. The suspects were executed following failed appeals. All were members of the Ming crime family and were originally sentenced in October. Five further scam compound operators linked to the Bai family are currently awaiting execution.

The FBI has seized the RAMP cybercrime forum. One of RAMP's admins confirmed the takedown in a post on a rival forum. The site was routinely used to advertise and recruit for ransomware operations.

Google has disrupted domains linked to the IPIDEA residential proxy botnet. The company says the botnet had been used to hide the activities of multiple threat actors. The IPIDEA group operated multiple software development kits, which allowed users to share their Internet bandwidth, but those services were often abused to relay malicious traffic. Google will also start blocking Android apps that use the SDKs.

A co-founder and administrator of the Empire underground market has pleaded guilty to federal drug charges. Raheim Hamilton ran the dark web market together with another co-founder from 2018 until 2020. The market was used to sell more than $375 million worth of drugs. The other founder, Thomas Pavey, pleaded guilty earlier this month to similar charges.

A Chinese national has been sentenced to 46 months in a US prison for laundering Cambodian crypto scam proceeds. Jingliang Su was part of a network that controlled bank accounts in the Bahamas that converted $37 million of stolen funds into cryptocurrency. Su and seven others pleaded guilty last year.

Chinese services now account for 20% of all on-chain crypto laundering operations, according to a Chainalysis report. Chinese operators laundered more than $82 billion last year, up from just $10 billion in 2020. The growth was driven by law enforcement actions targeting rival services across Southeast Asia.

Hackers are scanning the Internet for misconfigured LLM servers and selling access to their computing power on specialised marketplaces. The campaign targets multiple large language model solutions such as Ollama and vLLM. Pillar Security has linked the attacks to a threat actor going by the name Hekka.

And finally, a major North Korean hacking group known as Labyrinth Chollima has separated into three distinct groups. According to CrowdStrike, all three operate independently but share the same tools. The core of Labyrinth Chollima continues to carry out cyber espionage operations. The spin-offs Golden Chollima and Pressure Chollima target the cryptocurrency ecosystem.

That's all for this podcast edition. Today's show was brought to you by our sponsor, Push Security. Find them at pushsecurity.com. Thanks for your company.

Podcast: Risky Bulletin | Host: risky.biz
Date: January 29, 2026
This episode delivers the latest cybersecurity news round-up. The central focus is a significant supply chain attack involving eScan Antivirus, with other major stories encompassing data breaches, GDPR enforcement challenges, legal actions against cybercriminals, government interventions, and developments in the cyber threat landscape.

| Segment | Timestamp |
|---------------------------------------|---------------|
| eScan Antivirus Supply Chain Attack | 00:10–01:10 |
| US Cyber Command v. Disinformation | 01:10–01:36 |
| Poland Energy Sector Wiper Attack | 01:36–02:27 |
| Irish GDPR Fines Left Uncollected | 02:27–02:54 |
| Apple New Privacy Feature | 02:54–03:18 |
| Google Class Action Payouts | 03:18–03:44 |
| South Korea Data Breach Rule | 03:44–04:09 |
| EU Cybersecurity Investment | 04:09–04:35 |
| Chinese Scam Operators Executed | 04:35–05:01 |
| FBI Seizes RAMP Forum | 05:01–05:24 |
| Google Disrupts Proxy Botnet | 05:24–05:51 |
| Empire Market Drug Charges | 05:51–06:09 |
| Crypto Scam Laundering Conviction | 06:09–06:36 |
| LLM Server Hacking Campaign | 06:36–06:54 |
| Labyrinth Chollima Splits | 06:54–07:17 |

Amberly Jack delivers the news in a concise, direct tone with clarity and attention to key facts—a hallmark of the Risky Business team's straightforward reporting.
This episode provides a comprehensive snapshot of major ongoing cyber threats, global law enforcement actions, and regulatory challenges, grounding each headline in broader context and impact.