eScan Antivirus Supply Chain Attack: Malicious Update Deployed via Compromised Servers

eScan Antivirus Update Servers Compromised: A Deep Dive into the Supply Chain Attack

In a significant cybersecurity incident on January 20, 2026, MicroWorld Technologies’ eScan antivirus software became the target of a sophisticated supply chain attack. Threat actors infiltrated one of eScan’s regional update servers, distributing a malicious update to users who accessed updates from this compromised server during a specific two-hour window.

Incident Overview

The breach was identified when customers reported anomalies with their eScan antivirus software. Upon investigation, it was discovered that unauthorized access to a regional update server allowed attackers to replace legitimate update files with malicious ones. This malicious update introduced a multi-stage malware named CONSCTLX, designed to establish persistent access, execute remote commands, modify system files, and download additional payloads.

Technical Analysis of the Attack

The attack unfolded in several stages:

1. Initial Compromise: Attackers gained unauthorized access to the configuration of a regional update server, enabling them to distribute a trojanized version of the `Reload.exe` binary.

2. Malicious Payload Deployment: The compromised `Reload.exe` was digitally signed with a valid eScan (Microworld Technologies Inc.) code-signing certificate, so it passed signature-based trust checks. Upon execution, this payload dropped a downloader identified as `CONSCTLX.exe`.

3. Establishing Persistence: The malware employed techniques such as PowerShell execution and tampering with the Windows Registry to disable security features. It also modified the system’s `hosts` file to block communication with eScan’s update servers, preventing automatic remediation.

4. Command and Control Communication: The malware connected to attacker-controlled servers to retrieve additional payloads, effectively turning the antivirus software into a gateway for further compromise.

Vendor Response

MicroWorld Technologies acted swiftly upon detecting the breach. The affected infrastructure was isolated within an hour, and the global update system was taken offline for over eight hours to prevent further distribution of the malicious update. The compromised server was rebuilt, authentication credentials were rotated, and a remediation patch was developed. However, due to the malware’s interference with the update mechanism, some affected users had to contact MicroWorld directly to obtain and implement the patch manually.

Indicators of Compromise (IoCs)

Organizations using eScan antivirus are advised to scan their systems for the following indicators:

– Malicious Files:
  – `Reload.exe` (32-bit), SHA-256: 36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860
  – `CONSCTLX.exe` (64-bit), SHA-256: bec369597633eac7cc27a698288e4ae8d12bdd9b01946e73a28e1423b17252b1

– Network Indicators:
  – Domains: `vhs.delrosal.net`, `tumama.hns.to`, `blackice.sol-domain.org`
  – IP address: 185.241.208.115
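The following is an added example, not code from the article or from MicroWorld, showing how the indicators above can be matched offline against file contents and network logs. The hashes, domains and IP address are the ones listed in the article; the log format (`<timestamp> <host> dns|conn <value>`) and the sample log lines are constructed for illustration and are assumptions, not real telemetry.

```python
# Added example: offline IoC matcher for the indicators listed in the article.
# The log format and sample lines below are constructed, not real telemetry.
import hashlib
import re

# Indicators of Compromise quoted from the article.
IOC_SHA256 = {
    "36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860": "Reload.exe (32-bit)",
    "bec369597633eac7cc27a698288e4ae8d12bdd9b01946e73a28e1423b17252b1": "CONSCTLX.exe (64-bit)",
}
IOC_DOMAINS = {"vhs.delrosal.net", "tumama.hns.to", "blackice.sol-domain.org"}
IOC_IPS = {"185.241.208.115"}


def sha256_of_bytes(data: bytes) -> str:
    """Return the lowercase hex SHA-256 of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def match_file(data: bytes):
    """Return the IoC label if the file content matches a listed hash, else None."""
    return IOC_SHA256.get(sha256_of_bytes(data))


def domain_matches(name: str) -> bool:
    """True if name is a listed domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


# Assumed (constructed) log format: "<timestamp> <host> dns|conn <value>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>dns|conn)\s+(?P<value>\S+)$")


def scan_log(lines):
    """Return (line_no, host, matched indicator) for every network IoC hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        value = m.group("value")
        if m.group("kind") == "dns" and domain_matches(value):
            hits.append((n, m.group("host"), value))
        elif m.group("kind") == "conn":
            ip = value.split(":")[0]  # strip an optional port
            if ip in IOC_IPS:
                hits.append((n, m.group("host"), ip))
    return hits


# Constructed sample log lines (not real telemetry from the incident).
SAMPLE_LOG = [
    "2026-01-20T10:05:01Z ws-17 dns update.example.com",
    "2026-01-20T10:05:09Z ws-17 dns vhs.delrosal.net",
    "2026-01-20T10:05:10Z ws-17 conn 185.241.208.115:443",
    "2026-01-20T10:06:00Z ws-22 dns cdn.tumama.hns.to",
    "2026-01-20T10:07:00Z ws-22 conn 10.0.0.5:443",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("IoC hit: line %d host %s -> %s" % hit)
    print("benign buffer matches:", match_file(b"MZ benign placeholder"))
```

Subdomain matching is deliberate: DNS telemetry often records a host under one of the listed domains rather than the bare apex, and an exact-string comparison would miss it. To hunt on disk, feed `match_file` the bytes of any `Reload.exe` or `CONSCTLX.exe` found under the eScan installation directory.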

Mitigation Measures

Given the malware’s ability to disable the antivirus update mechanism, automatic updates may fail on compromised machines. Administrators should:

– Verify the `hosts` file for entries blocking eScan domains.
– Inspect the registry for suspicious keys containing encoded PowerShell payloads.
– Block communication with identified malicious domains and IP addresses.
– Contact MicroWorld Technologies directly to obtain a manual patch designed to restore the updater’s functionality.
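As an added example (not code from the article or the vendor), the first two checks above can be automated against an exported `hosts` file and a dump of autorun registry values. The article does not name eScan's update hostnames, so the check assumes that any name containing the substring `escan` resolved to a loopback or null address is a blocking entry; the decoder relies on the documented behaviour of PowerShell's `-EncodedCommand` switch, which takes base64 of UTF-16LE text. The sample `hosts` content and registry values are constructed.

```python
# Added example: detect hosts-file sinkholing of vendor update domains and
# base64-encoded PowerShell stored in registry values. All inputs below are
# constructed samples; the "escan" substring heuristic is an assumption.
import base64
import re

BLACKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}


def find_blocked_escan_hosts(hosts_text: str, marker: str = "escan"):
    """Return (line_no, ip, hostname) for hosts entries that sink a vendor host.

    Entries mapping a name containing `marker` to a loopback or null address
    are the kind of tampering the article describes as blocking updates.
    """
    findings = []
    for n, raw in enumerate(hosts_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            if marker in name.lower() and ip in BLACKHOLE_IPS:
                findings.append((n, ip, name))
    return findings


# -EncodedCommand and its short forms (-e, -ec, -enc) take base64 of UTF-16LE.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_powershell(value: str):
    """Return the decoded script if value carries an -EncodedCommand blob, else None."""
    m = ENC_RE.search(value)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_encoded_powershell(registry_values):
    """registry_values: iterable of (key_path, value_name, data) tuples, such as
    an export of the Run keys. Returns (key_path, value_name, decoded_script)."""
    hits = []
    for key, name, data in registry_values:
        decoded = decode_encoded_powershell(str(data))
        if decoded is not None:
            hits.append((key, name, decoded))
    return hits


# Constructed sample inputs (not artifacts from the incident).
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
0.0.0.0 update.escan-example.invalid    # sinkholed vendor host
192.0.2.10 intranet.example
"""


def _b64_utf16(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_REGISTRY = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Program Files\OneDrive\OneDrive.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     "powershell.exe -nop -w hidden -enc " + _b64_utf16("Write-Output 'constructed sample'")),
]

if __name__ == "__main__":
    print("hosts findings:", find_blocked_escan_hosts(SAMPLE_HOSTS))
    for key, name, script in find_encoded_powershell(SAMPLE_REGISTRY):
        print(f"{key}\\{name}: {script}")
```

On a live Windows host, the `hosts` file lives at `%SystemRoot%\System32\drivers\etc\hosts`, and the Run-key values can be collected with `Get-ItemProperty` in PowerShell or `reg export` and passed to `find_encoded_powershell` as tuples. Decoding the blob rather than merely flagging it lets an analyst see what the persistence entry actually does before deciding on remediation.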

Conclusion

This incident underscores the critical importance of securing software supply chains. Organizations must implement robust monitoring and response strategies to detect and mitigate such sophisticated attacks promptly.