
The update infrastructure for eScan antivirus, a security solution developed by Indian cybersecurity company MicroWorld Technologies, was compromised by an unknown attacker and a persistent downloader was distributed to business and consumer systems.
“The malicious update was distributed through eScan’s legitimate update infrastructure, resulting in multi-stage malware being deployed to business and consumer endpoints around the world,” said Morphisec researcher Michael Gorelik.
MicroWorld Technologies said it detected unauthorized access to its infrastructure and immediately isolated the affected update servers, which were taken offline for more than eight hours. The company has also released a patch that reverts the changes introduced as part of the malicious update. Affected organizations are encouraged to contact MicroWorld Technologies to obtain the fix.
It also determined that the attack was due to unauthorized access to one of the regional update server configurations, which allowed the attackers to distribute “corrupted” updates to customers within a “limited time frame” of approximately two hours on January 20, 2026.
“eScan experienced a temporary interruption in update service beginning January 20, 2026, impacting some customers whose systems automatically download updates from certain update clusters during certain periods,” the company said in an advisory issued on January 22, 2026.

“This issue was caused by unauthorized access to the regional update server infrastructure. The incident has been identified and resolved. Comprehensive remediation is available to address all observed scenarios.”
Morphisec, which identified the incident on January 20, 2026, said the malicious payload disrupted the product’s normal functionality, effectively preventing automatic remediation. This specifically involves the delivery of a malicious “Reload.exe” file designed to drop downloaders. This file contains functionality to establish persistence, block remote updates, and connect to external servers to retrieve additional payloads such as “CONSCTLX.exe”.
According to the details shared by Kaspersky, the legitimate ‘Reload.exe’ file located at ‘C:\Program Files (x86)\escan\reload.exe’ is replaced by a malicious file that can prevent further updates of the antivirus product by modifying the HOSTS file. The replacement is signed with a fake, invalid digital signature.
“On startup, this reload.exe file checks whether it was launched from the Program Files folder and exits if not,” the Russian cybersecurity firm said. “This executable is based on the UnmanagedPowerShell tool, which can execute PowerShell code in arbitrary processes. The attacker modified the source code of this project by adding AMSI bypass functionality and used it to run a malicious PowerShell script within the reload.exe process.”
The main role of the binary is to launch three Base64-encoded PowerShell payloads, which respectively: tamper with the installed eScan solution so that it can neither receive updates nor detect the installed malicious components; bypass the Windows Anti-Malware Scan Interface (AMSI); and check whether the victim’s machine should be infected further and, if so, deliver a PowerShell-based payload to it.
The victim verification step examines a list of installed software, running processes, and services against hard-coded blocklists, including analysis tools and security solutions such as Kaspersky. If they are detected, no further payloads will be delivered.
Once executed, the PowerShell payload connects to an external server and retrieves two payloads: “CONSCTLX.exe” and a second PowerShell-based malware that is launched by a scheduled task. Note that the first of the three PowerShell scripts mentioned above also replaces the “C:\Program Files (x86)\eScan\CONSCTLX.exe” component with the malicious file.
“CONSCTLX.exe” launches the PowerShell-based malware and, at the same time, resets the eScan product’s last-updated time to the current time by writing the current date to the “C:\Program Files (x86)\eScan\Eupdate.ini” file, giving the impression that the tool is working as expected.
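The following endpoint triage script is an added example, not code from eScan, MicroWorld, Morphisec or Kaspersky. It checks the artifacts the article describes: HOSTS entries that would block updates, the signature status of the two replaced binaries, the Eupdate.ini file whose date the malicious CONSCTLX.exe rewrites, and scheduled tasks that launch PowerShell. It assumes the install paths named above; because the article does not give the vendor’s real update hostnames, any non-comment HOSTS line containing the substring “escan” is flagged as a heuristic, and the scheduled-task filter is likewise a heuristic.

```powershell
# Added triage example (not vendor code). Assumes the eScan install directory from
# the article; the "escan" HOSTS heuristic and task filter are assumptions, not IoCs.
$InstallDir = 'C:\Program Files (x86)\eScan'
$HostsPath  = "$env:SystemRoot\System32\drivers\etc\hosts"
$Findings   = [System.Collections.Generic.List[string]]::new()

# 1. HOSTS file: the trojanized reload.exe blocks updates by adding entries here.
if (Test-Path $HostsPath) {
    Get-Content $HostsPath | ForEach-Object {
        $line = $_.Trim()
        if ($line -and -not $line.StartsWith('#') -and $line -match 'escan') {
            $Findings.Add("HOSTS entry referencing eScan (possible update block): $line")
        }
    }
}

# 2. Binaries the article says are replaced: report Authenticode status.
#    The malicious copies carry a fake, invalid signature, so anything other than
#    'Valid' (or a Valid signature from an unexpected signer) deserves a look.
foreach ($name in 'reload.exe', 'CONSCTLX.exe') {
    $path = Join-Path $InstallDir $name
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $Findings.Add("$name signature status '$($sig.Status)' at $path")
        } else {
            $Findings.Add("$name signed by '$($sig.SignerCertificate.Subject)' (confirm this is the expected vendor)")
        }
    }
}

# 3. Eupdate.ini: the malicious CONSCTLX.exe rewrites the last-update date so the
#    product looks healthy. Show the file's own write time next to its contents so an
#    analyst can spot a "fresh" update timestamp on a host whose updates are blocked.
$ini = Join-Path $InstallDir 'Eupdate.ini'
if (Test-Path $ini) {
    $item = Get-Item $ini
    $Findings.Add("Eupdate.ini last written $($item.LastWriteTime); first lines:")
    Get-Content $ini | Select-Object -First 10 | ForEach-Object { $Findings.Add("    $_") }
}

# 4. Scheduled tasks that launch PowerShell: the second-stage PowerShell payload is
#    started this way. Heuristic filter on the executable and common encoded-command args.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -match 'powershell|pwsh' -or $a.Arguments -match 'powershell|-enc|FromBase64String') {
            $Findings.Add("Scheduled task '$($task.TaskPath)$($task.TaskName)' runs: $($a.Execute) $($a.Arguments)")
        }
    }
}

if ($Findings.Count -eq 0) { 'No indicators found for the checks above.' } else { $Findings }
```

Run it in an elevated PowerShell session on the endpoint; a signature status other than Valid on either binary, combined with an eScan-related HOSTS entry, matches the chain the article describes and is grounds to take the host off the network and contact the vendor for the remediation patch.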

The PowerShell malware performs the same validation steps as before, sending an HTTP request to attacker-controlled infrastructure and receiving further PowerShell payloads from the server for further execution.
Although eScan’s bulletin did not specify which regional update servers were affected, analysis of telemetry data by Kaspersky Lab revealed “hundreds of machines belonging to both individuals and organizations” that encountered infection attempts with payloads related to the supply chain attack. These machines are located mainly in India, Bangladesh, Sri Lanka and the Philippines.
The security firm also noted that the attackers would have needed a close look inside eScan to understand how its update mechanism works and how it could be tampered with to distribute malicious updates. At this time, it is unclear how the attackers obtained access to the update servers.
“In particular, it is highly unusual for malware to be introduced through updates to security solutions,” the company said. “Supply chain attacks are rare in general, much less orchestrated through antivirus products.”
