eScan Antivirus Update Servers Breached to Distribute Multi-Stage Malware
In a significant cybersecurity incident, the update servers of eScan antivirus, developed by Indian firm MicroWorld Technologies, were infiltrated by unidentified attackers. This breach led to the dissemination of a persistent downloader across both enterprise and consumer systems worldwide.
Michael Gorelik, a researcher at Morphisec, highlighted that malicious updates were propagated through eScan’s legitimate update infrastructure. This resulted in the deployment of multi-stage malware to endpoints globally.
Upon detecting unauthorized access to its infrastructure, MicroWorld Technologies promptly isolated the affected update servers, which remained offline for over eight hours. The company has since released a patch to reverse the changes introduced by the malicious update. Organizations impacted by this breach are advised to contact MicroWorld Technologies to obtain the necessary fix.
The attack was traced back to unauthorized access to a regional update server configuration. This access allowed threat actors to distribute a compromised update to customers during a limited timeframe of approximately two hours on January 20, 2026.
In an advisory issued on January 22, 2026, eScan said the temporary update service disruption began on January 20, 2026, and affected a subset of customers whose systems automatically downloaded updates from a particular update cluster during a specific window. The company attributed the issue to unauthorized access to its regional update server infrastructure, said the incident had been identified and resolved, and stated that comprehensive remediation is available for all observed scenarios.
Morphisec, which identified the incident on January 20, 2026, reported that the malicious payload interfered with the regular functionality of the product, effectively preventing automatic remediation. Specifically, a malicious Reload.exe file was delivered, designed to drop a downloader with functionalities to establish persistence, block remote updates, and contact an external server to fetch additional payloads, including CONSCTLX.exe.
Kaspersky’s analysis revealed that the legitimate Reload.exe at C:\Program Files (x86)\escan\reload.exe was replaced with a rogue counterpart. The malicious file blocked further antivirus updates by modifying the Windows HOSTS file, and it carried a forged digital signature that does not validate.
Upon execution, the rogue reload.exe checks whether it was launched from the Program Files folder and exits if not. The executable is built on UnmanagedPowerShell, an open-source tool that hosts the .NET runtime inside an arbitrary process so that PowerShell code can run there without powershell.exe. The attackers modified the project’s source to add an AMSI bypass and used it to run a malicious PowerShell script inside the reload.exe process.
The primary function of the binary is to launch three Base64-encoded PowerShell payloads designed to:
– Tamper with the installed eScan solution to prevent it from receiving updates and detecting the installed malicious components.
– Bypass Windows Antimalware Scan Interface (AMSI).
– Determine whether the victim machine should be further infected and, if so, deliver a PowerShell-based payload.
The victim validation step examines the list of installed software, running processes, and services against a hard-coded blocklist that includes analysis tools and security solutions, such as those from Kaspersky. If any are detected, no further payloads are delivered.
Once executed, the PowerShell payload contacts an external server to receive two payloads: CONSCTLX.exe and a second PowerShell-based malware launched via a scheduled task. Notably, the first of the three PowerShell scripts also replaces the C:\Program Files (x86)\eScan\CONSCTLX.exe component with the malicious file.
CONSCTLX.exe launches the PowerShell-based malware and resets the product’s recorded last-update time to the present by writing the current date to C:\Program Files (x86)\eScan\Eupdate.ini, so that eScan appears to be updating normally. On an affected host, the product’s own "last updated" indicator therefore cannot be trusted.
The PowerShell malware performs the same validation procedures as before and sends an HTTP request to the attacker-controlled infrastructure to receive more PowerShell payloads from the server for subsequent execution.
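The chain described above leaves concrete host-level artifacts a defender can check: the HOSTS file, the Authenticode signatures on reload.exe and CONSCTLX.exe, the write time of Eupdate.ini, scheduled tasks that launch PowerShell, and a non-PowerShell process hosting the PowerShell engine. The triage script below is an added example written for this page; it is not code from eScan, MicroWorld, Morphisec or Kaspersky. It assumes the default install path quoted above, that legitimate eScan binaries are signed by MicroWorld (confirm that against a known-good installation before relying on it), and that the Eupdate.ini heuristic is tuned to your environment. It reports indicators rather than remediating, since the vendor’s fix is what actually restores the product.

```powershell
# Added triage example for the eScan update compromise described above.
# Not vendor or researcher code. Assumptions: default install path, MicroWorld
# as the expected Authenticode signer, and the Eupdate.ini heuristic below.
# Run from an elevated PowerShell session.

$EscanDir  = 'C:\Program Files (x86)\eScan'
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Findings  = @()

# 1. HOSTS tampering. The rogue reload.exe blocked updates by editing HOSTS,
#    so any active (non-comment) entry naming the vendor is suspect.
if (Test-Path $HostsPath) {
    foreach ($raw in Get-Content $HostsPath) {
        $line = $raw.Trim()
        if ($line -and -not $line.StartsWith('#') -and $line -match '(?i)escan|microworld') {
            $Findings += "HOSTS entry: $line"
        }
    }
}

# 2. Replaced binaries. The malicious reload.exe carried a signature that does
#    not validate; CONSCTLX.exe was also swapped. Record the hash for follow-up.
foreach ($name in 'reload.exe', 'CONSCTLX.exe') {
    $path = Join-Path $EscanDir $name
    if (-not (Test-Path $path)) { $Findings += "Missing: $path"; continue }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    if ($sig.Status -ne 'Valid') {
        $Findings += "Signature status '$($sig.Status)' on $path (SHA256 $hash)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'MicroWorld') {
        # Assumed signer name; confirm it against a clean installation.
        $Findings += "Unexpected signer '$($sig.SignerCertificate.Subject)' on $path (SHA256 $hash)"
    }
}

# 3. Faked update time. CONSCTLX.exe stamps the current date into Eupdate.ini
#    so the product looks current. Heuristic: if the ini was written long after
#    anything else in the install tree changed, nothing was actually updated.
$ini = Join-Path $EscanDir 'Eupdate.ini'
if (Test-Path $ini) {
    $iniTime = (Get-Item $ini).LastWriteTime
    $newest  = Get-ChildItem -Path $EscanDir -Recurse -File -ErrorAction SilentlyContinue |
               Where-Object { $_.FullName -ne $ini } |
               Sort-Object LastWriteTime -Descending |
               Select-Object -First 1
    if ($newest -and ($iniTime - $newest.LastWriteTime).TotalHours -gt 24) {
        $Findings += "Eupdate.ini written $iniTime, but the newest other file ($($newest.Name)) dates from $($newest.LastWriteTime)"
    }
}

# 4. Persistence. The second-stage script was launched from a scheduled task;
#    list tasks that run PowerShell with encoded, hidden or policy-bypass args.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        if ($action.Execute -match '(?i)powershell|pwsh' -and
            $action.Arguments -match '(?i)(^|\s)-e(nc|ncodedcommand)?\s|hidden|bypass') {
            $Findings += "Task $($task.TaskPath)$($task.TaskName): $($action.Execute) $($action.Arguments)"
        }
    }
}

# 5. Unmanaged PowerShell. reload.exe hosted the PowerShell engine itself, so a
#    non-PowerShell process with System.Management.Automation loaded is a lead.
#    Run 32-bit PowerShell to enumerate the modules of the x86 eScan processes.
foreach ($proc in Get-Process) {
    if ($proc.ProcessName -in 'powershell', 'powershell_ise', 'pwsh') { continue }
    try { $mods = $proc.Modules } catch { continue }    # access denied on protected processes
    if ($mods.ModuleName -match '^System\.Management\.Automation') {
        $Findings += "Process $($proc.ProcessName) (PID $($proc.Id)) has loaded System.Management.Automation"
    }
}

if ($Findings) { $Findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output "No eScan tampering indicators found on $env:COMPUTERNAME" }
```

Each check is a lead, not a verdict: management agents legitimately host the PowerShell engine, and an update check that finds nothing new may touch Eupdate.ini on its own, so compare results against a clean machine running the same eScan build. Hashes from step 2 are what to hand to the vendor when requesting the fix.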
While eScan’s bulletin does not specify which regional update server was affected, Kaspersky’s analysis of telemetry data revealed hundreds of machines belonging to both individuals and organizations that encountered infection attempts related to the supply chain attack. These machines are primarily located in India, Bangladesh, Sri Lanka, and the Philippines.
The security firm also noted that the attackers had to have studied the internals of eScan in detail to understand how its update mechanism worked and how it could be manipulated to distribute malicious updates. It remains unclear how the threat actors managed to gain access to the update server.
Malware delivered through a security product’s own update channel is rare. Supply chain attacks are uncommon in general, and those that ride on antivirus updates are rarer still.