According to Darktrace, a compromised eScan software update in January 2026 triggered a supply chain attack that deployed multi‑stage loader malware and used blockchain‑based domains for command‑and‑control (C2) communications. The incident centred on a two‑hour window on 20 January during which affected Windows devices downloaded malicious .dlz packages from eScan update servers; all of the impacted Darktrace customer environments were located in the Europe, Middle East and Africa region.
Darktrace observed connections to a C2 endpoint, vhs.delrosal[.]net, which presented a self‑signed TLS certificate, and a distributed C2 infrastructure that used Solana blockchain domains such as blackice.sol-domain[.]org for C2 activity. The analysis also highlights connections to additional blockchain‑related endpoints, and notes that the earliest Solana transaction records tied to the infrastructure date to 7 November 2025, coinciding with the creation of the C2 endpoint.
The attackers also used the Handshake decentralised naming service as a dead‑drop proxy, and attempted to steer infected devices toward the malicious endpoint via strings carried in various blockchain transactions. Darktrace notes that it detected the attack chain and that its Autonomous Response capability could block the beaconing connections to the malicious endpoints.
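The indicators described above translate into simple network‑telemetry heuristics: a C2 endpoint presenting a self‑signed certificate, connections to a blockchain naming gateway, and timer‑driven beaconing from one host to one destination. The script below is an added example, not code from Darktrace or from the report, that runs those three checks over a handful of constructed TLS connection log lines. The log format, the internal IP addresses and the benign hostnames are constructed for illustration; the two malicious hostnames are the ones the report names, written without defanging brackets, and the gateway watchlist holds only the domain the report mentions.

```python
"""Flag C2-style behaviour in constructed TLS connection logs.

Heuristics drawn from the indicators in the report summary above: a C2 endpoint
presenting a self-signed certificate, connections to a blockchain naming gateway,
and near-constant-interval beaconing from one source to one destination.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample (not from the Darktrace report). One TLS connection per line:
# timestamp  src_ip  dst_host  cert_subject  cert_issuer  (no spaces inside subject/issuer)
SAMPLE_LOG = """\
2026-01-20T10:00:00Z 10.1.1.20 vhs.delrosal.net CN=vhs.delrosal.net CN=vhs.delrosal.net
2026-01-20T10:05:00Z 10.1.1.20 vhs.delrosal.net CN=vhs.delrosal.net CN=vhs.delrosal.net
2026-01-20T10:10:01Z 10.1.1.20 vhs.delrosal.net CN=vhs.delrosal.net CN=vhs.delrosal.net
2026-01-20T10:15:00Z 10.1.1.20 vhs.delrosal.net CN=vhs.delrosal.net CN=vhs.delrosal.net
2026-01-20T10:16:12Z 10.1.1.20 blackice.sol-domain.org CN=sol-domain.org CN=Example-CA
2026-01-20T10:00:07Z 10.1.1.31 update.example.com CN=update.example.com CN=Example-CA
2026-01-20T10:42:19Z 10.1.1.31 update.example.com CN=update.example.com CN=Example-CA
2026-01-20T13:03:55Z 10.1.1.31 www.example.org CN=www.example.org CN=Example-CA
"""

# Only the gateway domain named in the report is listed; extend this tuple with
# Handshake resolvers or other .sol gateways as you confirm them in your own data.
BLOCKCHAIN_GATEWAY_SUFFIXES = ("sol-domain.org",)


def parse_log(text):
    """Parse the five-field line format above into dicts with a datetime timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, subject, issuer = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "host": host.lower(),
            "subject": subject,
            "issuer": issuer,
        })
    return records


def is_self_signed(record):
    """Heuristic: a certificate whose issuer equals its subject is self-signed."""
    return record["subject"] == record["issuer"]


def uses_blockchain_gateway(host):
    """True when the destination is, or is a subdomain of, a listed naming gateway."""
    return any(host == s or host.endswith("." + s) for s in BLOCKCHAIN_GATEWAY_SUFFIXES)


def beaconing_pairs(records, min_connections=4, max_cv=0.15):
    """Return {(src, host): mean_interval_s} for pairs whose connection gaps are
    near-constant (coefficient of variation <= max_cv), i.e. timer-driven beacons."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["host"])].append(r["ts"])
    result = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps; nothing meaningful to measure
        if statistics.pstdev(gaps) / mean <= max_cv:
            result[pair] = round(mean)
    return result


def analyze(log_text):
    """Run all three heuristics and return a sorted, de-duplicated list of
    (src, host, reason) alerts."""
    records = parse_log(log_text)
    alerts = set()
    for r in records:
        if is_self_signed(r):
            alerts.add((r["src"], r["host"], "self-signed certificate"))
        if uses_blockchain_gateway(r["host"]):
            alerts.add((r["src"], r["host"], "blockchain naming gateway"))
    for (src, host), interval in beaconing_pairs(records).items():
        alerts.add((src, host, f"beaconing every ~{interval}s"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

On the sample, the host 10.1.1.20 is flagged three times (self-signed certificate to vhs.delrosal.net, a 300‑second beacon to the same host, and a connection to the sol-domain.org gateway) while the second host, which only fetches updates and browses at irregular intervals, produces no alerts. The self-signed check is deliberately coarse (issuer equal to subject); in production you would also compare against your trusted CA set, and the beaconing thresholds should be tuned against your own baseline, since legitimate agents also poll on timers.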