Cyber Web Spider Blog – News

eScan Antivirus Update Server Hacked to Push Malicious Update packages

Posted on January 29, 2026 by CWS

A critical supply chain compromise affecting MicroWorld Technologies' eScan antivirus product has been identified, in which threat actors successfully hijacked the vendor's official update infrastructure to distribute malware.

Discovered on January 20, 2026, by Morphisec, the attack used a trojanized update package to deploy multi-stage malware across enterprise and consumer endpoints globally.

The incident renders the antivirus software ineffective and specifically tampers with system configuration to prevent automated remediation.

Trojanized Update Mechanism and Attack Chain

The compromise was initiated by a malicious update pushed directly through eScan's official channels. The attack chain begins with "Stage 1," where a trojanized component replaces the legitimate Reload.exe (32-bit) binary.

Morphisec observed that the malicious executable is digitally signed with a valid certificate belonging to "eScan (Microworld Technologies Inc.)," allowing it to pass standard trust checks.

Once executed, this payload drops a "Stage 3" downloader identified as CONSCTLX.exe. Following the initial breach, a "Stage 2" downloader establishes persistence and carries out defense evasion.

This stage is particularly aggressive, using PowerShell execution and tampering with the Windows Registry to disable security features.

The malware connects to Command and Control (C2) infrastructure to retrieve additional payloads, effectively turning the security tool into a gateway for further compromise.

A defining characteristic of this campaign is its focus on "anti-remediation." The malware actively modifies the infected system's hosts file to block communication with eScan's update servers.

Additionally, it alters specific eScan registry keys and configuration files to break the antivirus's update mechanism entirely.

Consequently, infected systems cannot receive automated patches or definitions, leaving them vulnerable even after the vendor restores its infrastructure.

Persistence is achieved through the creation of deceptive Scheduled Tasks placed under C:\Windows\Defrag. The malware generates tasks using a naming pattern that mimics legitimate system processes, such as Windows\Defrag\CorelDefrag.

Additionally, registry persistence is established under HKLM\Software using randomly generated GUID keys containing encoded PowerShell payloads.

Indicators of Compromise (IOCs)

Organizations using eScan antivirus are urged to scan their environments immediately for the following indicators.

Note that automated remediation is not possible; the presence of these files indicates a compromise requiring manual intervention.

Component Description               | Filename                | SHA-256 Hash
Stage 1 Payload (Trojanized Update) | Reload[.]exe (32-bit)   | 36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860
Stage 3 Downloader                  | CONSCTLX[.]exe (64-bit) | bec369597633eac7cc27a698288e4ae8d12bdd9b01946e73a28e1423b17252b1
Related Sample                      | N/A                     | 674943387cc7e0fd18d0d6278e6e4f7a0f3059ee6ef94e0976fae6954ffd40dd
Related Sample                      | N/A                     | 386a16926aff225abc31f73e8e040ac0c53fb093e7daf3fbd6903c157d88958c

Network Indicators and C2 Infrastructure

Network administrators should block egress traffic to the following domains and addresses, which have been identified as part of the attacker's command and control infrastructure.

Domain / IP                           | Context
hxxps[://]vhs[.]delrosal[.]web/i      | C2 Infrastructure
hxxps[://]tumama[.]hns[.]to           | C2 Infrastructure
hxxps[://]blackice[.]sol-domain[.]org | C2 Infrastructure
504e1a42.host.njalla.net              | Malicious Host
185.241.208[.]115                     | Malicious IP
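The two IOC tables above are easier to use when loaded into a small matcher. The following Python helper is an added example, not code from the article or from Morphisec or eScan: it carries the published hashes and defanged network indicators, refangs the latter into plain hostnames and IPs, classifies a SHA-256 digest (or raw file bytes) against the hash list, and scans constructed DNS/proxy-style log lines ("timestamp source destination", a format assumed here) for destinations on the C2 list. The log lines and the "updates.example.com" destination are constructed for illustration.

```python
import hashlib
import re

# Hashes transcribed from the IOC table above (labels abbreviated).
IOC_HASHES = {
    "36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860":
        "Stage 1 Payload (Trojanized Update) - Reload.exe (32-bit)",
    "bec369597633eac7cc27a698288e4ae8d12bdd9b01946e73a28e1423b17252b1":
        "Stage 3 Downloader - CONSCTLX.exe (64-bit)",
    "674943387cc7e0fd18d0d6278e6e4f7a0f3059ee6ef94e0976fae6954ffd40dd": "Related Sample",
    "386a16926aff225abc31f73e8e040ac0c53fb093e7daf3fbd6903c157d88958c": "Related Sample",
}

# Network indicators exactly as published (defanged).
DEFANGED_NETWORK_IOCS = {
    "hxxps[://]vhs[.]delrosal[.]web/i": "C2 Infrastructure",
    "hxxps[://]tumama[.]hns[.]to": "C2 Infrastructure",
    "hxxps[://]blackice[.]sol-domain[.]org": "C2 Infrastructure",
    "504e1a42.host.njalla.net": "Malicious Host",
    "185.241.208[.]115": "Malicious IP",
}


def refang(ioc):
    """Turn a defanged indicator into the bare lower-case host or IP it names."""
    s = ioc.replace("hxxp", "http").replace("[.]", ".").replace("[://]", "://")
    s = re.sub(r"^https?://", "", s)   # drop the scheme
    return s.split("/")[0].lower()      # drop any path, keep the host part


# Refanged lookup table used for matching log data.
NETWORK_IOCS = {refang(k): v for k, v in DEFANGED_NETWORK_IOCS.items()}


def classify_hash(sha256_hex):
    """Return the IOC label for a SHA-256 hex digest, or None if unknown."""
    return IOC_HASHES.get(sha256_hex.strip().lower())


def classify_bytes(data):
    """Hash raw file contents and classify the result."""
    return classify_hash(hashlib.sha256(data).hexdigest())


# Assumed log layout: "<timestamp> <source ip> <destination host or ip> ...".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)")


def scan_log(lines):
    """Return (timestamp, source, destination, label) for every line whose
    destination matches a refanged network indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst").lower().rstrip(".")
        label = NETWORK_IOCS.get(dst)
        if label:
            hits.append((m.group("ts"), m.group("src"), dst, label))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2026-01-21T08:14:02Z 10.0.5.23 tumama.hns.to",
    "2026-01-21T08:14:05Z 10.0.5.23 updates.example.com",
    "2026-01-21T08:15:11Z 10.0.7.8 185.241.208.115",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("network hit:", hit)
    print("constructed bytes classify as:", classify_bytes(b"not a real sample"))
```

In practice the hash lookup would be fed by a file-system walk of the eScan installation directory, and `scan_log` by exported DNS or proxy logs; the refanged hostnames are also the values to load into an egress block list.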

Because the malware effectively breaks the update mechanism of the antivirus software, automated updates will fail on compromised machines.

eScan has reportedly taken the global update system offline for over eight hours to isolate the infrastructure, but this does not clean already infected endpoints.

Administrators must assume compromise for systems running eScan that were active on or after January 20, 2026.

Immediate steps include checking the hosts file for entries blocking eScan domains and inspecting the registry for suspicious GUID keys containing byte array data.

Affected organizations must contact MicroWorld Technologies (eScan) directly to obtain a specialized manual patch designed to revert the configuration changes and restore the updater's functionality.
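The two immediate checks described above (hosts file entries that sinkhole eScan domains, and GUID-named keys under HKLM\Software holding binary data) can be run offline against exported artifacts. The following Python code is an added example, not code from the article, Morphisec or eScan: `find_hosts_sinkholes` flags any hosts-file line that points a hostname containing "escan" at a loopback or null address, and `find_guid_keys_with_binary` parses a Windows .reg export (REGEDIT "hex:" REG_BINARY values, including backslash-continued lines) and reports GUID-named keys directly under HKLM\SOFTWARE that hold binary values. The hosts file, the hostnames in it, and the .reg text are constructed for illustration; the real eScan update domains are not named in the article, so matching on the "escan" substring is an assumption.

```python
import re

# Addresses that turn a hosts entry into a block rather than a real mapping.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# A GUID-named key directly under HKLM\SOFTWARE, as written in a .reg export.
GUID_KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE\\SOFTWARE\\\{[0-9A-Fa-f-]{36}\})\]$", re.IGNORECASE)
# A REG_BINARY value line: "Name"=hex:aa,bb,cc,...  (may end with "\" to continue)
HEX_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<hex>.*)$')


def find_hosts_sinkholes(hosts_text, name_fragment="escan"):
    """Return (address, hostname) pairs that map a hostname containing
    name_fragment to a loopback or null address."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        addr, *names = line.split()
        if addr not in SINKHOLE_ADDRS:
            continue
        for name in names:
            if name_fragment in name.lower():
                findings.append((addr, name))
    return findings


def _hex_to_bytes(chunks):
    """Join REGEDIT hex chunks ('24,00,70,...') into bytes."""
    return bytes.fromhex("".join(chunks).replace(",", "").replace(" ", ""))


def find_guid_keys_with_binary(reg_text):
    """Return (key path, value name, byte length) for every REG_BINARY value
    stored under a GUID-named key directly below HKLM\\SOFTWARE."""
    findings = []
    key = None          # current GUID key, or None while inside another key
    name = None         # value name while a hex value continues on later lines
    chunks = []
    for raw in reg_text.splitlines():
        line = raw.strip()
        if name is not None:
            # Continuation lines of a multi-line hex value end with a backslash.
            chunks.append(line.rstrip("\\"))
            if not line.endswith("\\"):
                findings.append((key, name, len(_hex_to_bytes(chunks))))
                name, chunks = None, []
            continue
        m = GUID_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if line.startswith("["):
            key = None      # some other key; ignore its values
            continue
        v = HEX_VALUE_RE.match(line) if key else None
        if v:
            chunks = [v.group("hex").rstrip("\\")]
            if v.group("hex").endswith("\\"):
                name = v.group("name")   # more lines follow
            else:
                findings.append((key, v.group("name"), len(_hex_to_bytes(chunks))))
                chunks = []
    return findings


# Constructed hosts file; the escan.example hostnames are placeholders.
SAMPLE_HOSTS = """# constructed hosts file for illustration
127.0.0.1 localhost
0.0.0.0 update.escan.example      # constructed: not a real eScan host
127.0.0.1 download.escan.example
192.0.2.10 intranet.corp.example
"""

# Constructed .reg export with one ordinary key and one GUID key holding binary data.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Agent]
"Version"="1.2"

[HKEY_LOCAL_MACHINE\SOFTWARE\{5E3C2A1B-0000-4000-8000-DEADBEEF0001}]
"Blob"=hex:24,00,70,00,73,00,3d,00,20,00,\
  69,00,65,00,78,00
"Flag"=dword:00000001
"""

if __name__ == "__main__":
    print("hosts sinkholes:", find_hosts_sinkholes(SAMPLE_HOSTS))
    print("GUID keys with binary data:", find_guid_keys_with_binary(SAMPLE_REG))
```

To produce the registry input on a live host, export HKLM\SOFTWARE with `reg export` and feed the resulting text to `find_guid_keys_with_binary`; every GUID key it reports should be examined (and its data decoded) before the vendor's manual patch is applied, since a key left behind would re-establish persistence.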

Copyright © 2026 Cyber Web Spider Blog – News.