The update infrastructure for eScan antivirus, a security solution developed by Indian cybersecurity company MicroWorld Technologies, has been compromised by unknown attackers to deliver a persistent downloader to enterprise and consumer systems.
"Malicious updates were distributed through eScan's legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally," Morphisec researcher Michael Gorelik said.
MicroWorld Technologies has revealed that it detected unauthorized access to its infrastructure and immediately isolated the impacted update servers, which remained offline for over eight hours. It has also released a patch that reverts the changes introduced as part of the malicious update. Impacted organizations are recommended to contact MicroWorld Technologies to obtain the fix.
It also pinned the attack as resulting from unauthorized access to one of its regional update server configurations, which enabled the threat actors to distribute a "corrupt" update to customers during a "limited timeframe" of about two hours on January 20, 2026.
"eScan experienced a temporary update service disruption starting January 20, 2026, affecting a subset of customers whose systems automatically download updates during a specific timeframe, from a specific update cluster," the company said in an advisory issued on January 22, 2026.
"The issue resulted from unauthorized access to the regional update server infrastructure. The incident has been identified and resolved. Comprehensive remediation is available that addresses all observed scenarios."
Morphisec, which identified the incident on January 20, 2026, said the malicious payload interferes with the regular functionality of the product, effectively preventing automatic remediation. This specifically involves delivering a malicious "Reload.exe" file that's designed to drop a downloader, which contains functionality to establish persistence, block remote updates, and contact an external server to fetch additional payloads, including "CONSCTLX.exe."
According to details shared by Kaspersky, "Reload.exe" – a legitimate file located in "C:\Program Files (x86)\escan\reload.exe" – is replaced with a rogue counterpart that can prevent further antivirus product updates by modifying the HOSTS file. It's signed with a fake, invalid digital signature.
"When started, this reload.exe file checks whether it is launched from the Program Files folder, and exits if not," the Russian cybersecurity company said. "This executable is based on the UnmanagedPowerShell tool, which allows executing PowerShell code in any process. Attackers have modified the source code of this project by adding an AMSI bypass capability to it, and used it to execute a malicious PowerShell script inside the reload.exe process."
The primary responsibility of the binary is to launch three Base64-encoded PowerShell payloads, which are designed to -
- Tamper with the installed eScan solution to prevent it from receiving updates and detecting the installed malicious components
- Bypass Windows Antimalware Scan Interface (AMSI)
- Check whether the victim machine should be further infected, and if yes, deliver a PowerShell-based payload to it
The victim validation step examines the list of installed software, running processes, and services against a hard-coded blocklist that includes analysis tools and security solutions, including those from Kaspersky. If they are detected, no further payloads are delivered.
The PowerShell payload, once executed, contacts an external server to receive two payloads in return: "CONSCTLX.exe" and a second PowerShell-based malware that's launched by means of a scheduled task. It's worth noting that the first of the three aforementioned PowerShell scripts also replaces the "C:\Program Files (x86)\eScan\CONSCTLX.exe" component with the malicious file.
"CONSCTLX.exe" works by launching the PowerShell-based malware, alongside changing the last update time of the eScan product to the current time by writing the current date to the "C:\Program Files (x86)\eScan\Eupdate.ini" file so as to give the impression that the tool is working as expected.
The PowerShell malware, for its part, performs the same validation procedures as before and sends an HTTP request to the attacker-controlled infrastructure to receive more PowerShell payloads from the server for subsequent execution.
The eScan bulletin does not say which regional update server was affected, but Kaspersky's analysis of telemetry data has revealed "hundreds of machines belonging to both individuals and organizations" that encountered infection attempts with payloads related to the supply chain attack. These machines are mainly located in India, Bangladesh, Sri Lanka, and the Philippines.
The security outfit also noted that the attackers had to have studied the internals of eScan in detail to understand how its update mechanism worked and how it could be tampered with to distribute malicious updates. It's currently not known how the threat actors managed to secure access to the update server.
"Notably, it is quite unique to see malware being deployed through a security solution update," it said. "Supply chain attacks are a rare occurrence in general, let alone the ones orchestrated through antivirus products."
