eScan Antivirus Supply Chain Attack Compromises Update Server, Distributes Multi-Stage Malware Worldwide

eScan Antivirus Update Server Breach: A Deep Dive into the Supply Chain Attack

In a significant cybersecurity incident, MicroWorld Technologies’ eScan antivirus software became the target of a sophisticated supply chain attack. Discovered on January 20, 2026, by security firm Morphisec, this breach involved threat actors compromising eScan’s legitimate update infrastructure to disseminate multi-stage malware to both enterprise and consumer systems worldwide. ([cybersecuritynews.com](https://cybersecuritynews.com/escan-antivirus-update-compromise/?utm_source=openai))

Understanding the Attack Mechanism

The attackers initiated the compromise by injecting a malicious update directly through eScan’s official distribution channels. The attack unfolded in multiple stages:

1. Stage 1 – Trojanized Component Deployment: The attackers replaced the legitimate `Reload.exe` (32-bit) binary with a malicious version. Notably, this counterfeit executable was digitally signed with a valid certificate from eScan (Microworld Technologies Inc.), so it passed the signature checks that would normally flag a tampered update.

2. Stage 2 – Establishing Persistence and Evasion: Upon execution, the malicious payload deployed a downloader that established persistence on the infected system. This stage employed aggressive tactics, including executing PowerShell scripts and modifying Windows Registry settings to disable security features, thereby evading detection.

3. Stage 3 – Downloader Activation: The final stage involved the activation of a downloader identified as `CONSCTLX.exe`. This component connected to the attackers’ Command and Control (C2) servers to fetch additional malicious payloads, effectively transforming the antivirus software into a conduit for further system compromise.

Anti-Remediation Tactics

A distinctive aspect of this campaign was its focus on preventing remediation efforts:

– Blocking Updates: The malware altered the infected system’s `hosts` file to obstruct communication with eScan’s update servers.

– Disabling Update Mechanisms: It modified specific eScan registry keys and configuration files, effectively disabling the antivirus’s update functionality. As a result, compromised systems were unable to receive automatic patches or definition updates, leaving them vulnerable even after eScan restored its infrastructure.

Indicators of Compromise (IOCs)

Organizations utilizing eScan antivirus are urged to conduct thorough scans for the following indicators, as their presence signifies a compromise requiring manual intervention:

– Stage 1 Payload (Trojanized Update): `Reload.exe` (32-bit) with SHA-256 hash: 36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860

– Stage 3 Downloader: `CONSCTLX.exe` (64-bit) with SHA-256 hash: bec369597633eac7cc27a698288e4ae8d12bdd9b01946e73a28e1423b17252b1

– Related Samples: SHA-256 hashes: 674943387cc7e0fd18d0d6278e6e4f7a0f3059ee6ef94e0976fae6954ffd40dd and 386a16926aff225abc31f73e8e040ac0c53fb093e7daf3fbd6903c157d88958c

Network Indicators and C2 Infrastructure

Network administrators should block outbound traffic to the following domains and IP addresses associated with the attackers’ C2 infrastructure:

– `hxxps://vhs.delrosal.net/i`

– `hxxps://tumama.hns.to`

– `hxxps://blackice.sol-domain.org`

– `504e1a42.host.njalla.net`

– `185.241.208.115`

Remediation and Mitigation Measures

Because the malware interferes with the antivirus’s update mechanism, automatic updates are non-functional on compromised machines. eScan reportedly took its global update system offline for over eight hours to isolate the issue; however, this action does not clean up endpoints that were already infected.

Immediate steps for administrators include:

– Hosts File Inspection: Check the `hosts` file for entries blocking eScan domains.

– Registry Examination: Inspect the registry for suspicious GUID keys containing encoded PowerShell payloads.
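As an added illustration of the two checks above (not code from the article, Morphisec or eScan), the following Python helpers flag hosts-file entries that pin an update hostname to a loopback or null address, and decode a registry value that carries a `powershell -EncodedCommand` payload. The update hostnames and the sample hosts/registry data are constructed placeholders, not eScan's real infrastructure or the campaign's actual values.

```python
import base64
import re
from typing import Iterable, List, Optional, Tuple

# Constructed sample of a tampered hosts file (assumption, not from the article).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0   update.escan.example   # entry added by malware
127.0.0.1 download.escan.example
10.0.0.5  intranet.corp.example
"""

# Placeholder names for the update hosts the product must reach (assumption).
ESCAN_UPDATE_HOSTS = ("update.escan.example", "download.escan.example")

# Addresses that silently sinkhole a hostname when placed in the hosts file.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}


def find_blocked_hosts(hosts_text: str, watched: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (hostname, address) pairs where a watched hostname is mapped to a
    sinkhole address, which is how the malware cut off eScan's update traffic."""
    watched_lc = {h.lower() for h in watched}
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if name.lower() in watched_lc and addr in SINKHOLE_ADDRS:
                hits.append((name.lower(), addr))
    return hits


# Matches -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
_ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_powershell(value: str) -> Optional[str]:
    """If a registry value launches PowerShell with an encoded command, return the
    decoded UTF-16LE script so an analyst can read it; otherwise return None."""
    m = _ENC_RE.search(value)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed registry value with a harmless encoded command (assumption).
SAMPLE_REG_VALUE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(
    "Write-Host hello".encode("utf-16-le")).decode()
```

On a live host the registry values themselves would be enumerated with `winreg` under the suspicious GUID-named keys; this helper only performs the decoding step.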

Affected organizations should contact MicroWorld Technologies (eScan) directly to obtain a specialized manual patch designed to revert the configuration changes and restore the updater’s functionality.

Conclusion

This incident underscores the critical importance of securing software supply chains and the potential risks associated with trusted update mechanisms. Organizations must remain vigilant, regularly monitor for indicators of compromise, and implement robust security measures to protect against such sophisticated attacks.