Cyber Web Spider Blog – News

eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware

Posted on February 2, 2026 By CWS

The update infrastructure for eScan antivirus, a security solution developed by Indian cybersecurity company MicroWorld Technologies, has been compromised by unknown attackers to deliver a persistent downloader to enterprise and consumer systems.
"Malicious updates were distributed through eScan's legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally," Morphisec researcher Michael Gorelik said.
MicroWorld Technologies has disclosed that it detected unauthorized access to its infrastructure and immediately isolated the impacted update servers, which remained offline for over eight hours. It has also released a patch that reverts the changes introduced as part of the malicious update. Impacted organizations are advised to contact MicroWorld Technologies to obtain the fix.
It has also attributed the attack to unauthorized access to one of its regional update server configurations, which enabled the threat actors to distribute a "corrupt" update to customers during a "limited timeframe" of about two hours on January 20, 2026.
"eScan experienced a temporary update service disruption starting January 20, 2026, affecting a subset of customers whose systems automatically download updates during a specific timeframe, from a specific update cluster," the company said in an advisory issued on January 22, 2026.

"The issue resulted from unauthorized access to the regional update server infrastructure. The incident has been identified and resolved. Complete remediation is available that addresses all observed scenarios."

Morphisec, which identified the incident on January 20, 2026, said the malicious payload interferes with the regular functionality of the product, effectively preventing automatic remediation. This specifically involves delivering a malicious "Reload.exe" file that is designed to drop a downloader, which contains functionality to establish persistence, block remote updates, and contact an external server to fetch additional payloads, including "CONSCTLX.exe."
According to details shared by Kaspersky, "Reload.exe" – a legitimate file located at "C:\Program Files (x86)\escan\reload.exe" – is replaced with a rogue counterpart that can prevent further antivirus product updates by modifying the HOSTS file. It is signed with a fake, invalid digital signature.
"When started, this reload.exe file checks whether it's launched from the Program Files folder, and exits if not," the Russian cybersecurity company said. "This executable is based on the UnmanagedPowerShell tool, which allows executing PowerShell code in any process. Attackers have modified the source code of this project by adding an AMSI bypass capability to it, and used it to execute a malicious PowerShell script inside the reload.exe process."
The primary responsibility of the binary is to launch three Base64-encoded PowerShell payloads, which are designed to:

  • Tamper with the installed eScan solution to prevent it from receiving updates and from detecting the installed malicious components
  • Bypass the Windows Antimalware Scan Interface (AMSI)
  • Check whether the victim machine should be further infected, and if so, deliver a PowerShell-based payload to it

The victim validation step examines the list of installed software, running processes, and services against a hard-coded blocklist that includes analysis tools and security solutions, including those from Kaspersky. If any of them are detected, no further payloads are delivered.
The PowerShell payload, once executed, contacts an external server to download two payloads in return: "CONSCTLX.exe" and a second PowerShell-based malware that is launched via a scheduled task. It is worth noting that the first of the three aforementioned PowerShell scripts also replaces the "C:\Program Files (x86)\eScan\CONSCTLX.exe" component with the malicious file.
"CONSCTLX.exe" works by launching the PowerShell-based malware, alongside altering the last update time of the eScan product to the current time by writing the current date to the "C:\Program Files (x86)\eScan\Eupdate.ini" file, so as to give the impression that the tool is working as expected.

The PowerShell malware, for its part, performs the same validation procedures as before and sends an HTTP request to the attacker-controlled infrastructure to download additional PowerShell payloads from the server for subsequent execution.
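As an added triage example, not code from the original article or from eScan, Morphisec or Kaspersky, the PowerShell script below checks a Windows host for the artifacts the preceding paragraphs describe: the Authenticode status of reload.exe and CONSCTLX.exe, vendor hosts pinned in the HOSTS file, the Eupdate.ini date that CONSCTLX.exe refreshes, scheduled tasks that launch PowerShell, and a PowerShell engine hosted inside reload.exe the way UnmanagedPowerShell does. The install directory "C:\Program Files (x86)\eScan", the "escan|microworld" keyword match for HOSTS entries, and the scheduled-task argument heuristics are assumptions; the article names neither the blocked hostnames nor the task. Run it in an elevated PowerShell session on the endpoint.

```powershell
# Added triage script: not eScan, Morphisec or Kaspersky code. Run elevated.
# ASSUMPTIONS (not stated in the article): the install directory, the vendor
# keywords matched in HOSTS, and the scheduled-task argument heuristics.
$EscanDir  = 'C:\Program Files (x86)\eScan'                        # assumption
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Findings  = New-Object System.Collections.Generic.List[string]

# 1. Replaced binaries: the rogue reload.exe carries a fake, invalid signature.
foreach ($name in 'reload.exe', 'CONSCTLX.exe') {
    $path = Join-Path $EscanDir $name
    if (-not (Test-Path -LiteralPath $path)) { $Findings.Add("MISSING  $path"); continue }
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $item   = Get-Item -LiteralPath $path
    Write-Output "FILE     $name sha256=$hash signature=$($sig.Status) signer=$signer written=$($item.LastWriteTime)"
    if ($sig.Status -ne 'Valid') { $Findings.Add("BADSIG   $path status=$($sig.Status) signer=$signer") }
}

# 2. HOSTS: the implant blocks further updates by pinning the vendor's update hosts locally.
#    Every active entry is listed; entries naming the vendor are flagged (keyword match is an assumption).
foreach ($raw in Get-Content -LiteralPath $HostsPath) {
    $line = $raw.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { continue }
    Write-Output "HOSTS    $line"
    if ($line -match 'escan|microworld') { $Findings.Add("HOSTS    vendor host pinned: $line") }
}

# 3. Eupdate.ini: CONSCTLX.exe writes today's date here so the console looks freshly updated.
#    A recent LastWriteTime on this file next to a BADSIG finding above is the combination to escalate.
$ini = Join-Path $EscanDir 'Eupdate.ini'
if (Test-Path -LiteralPath $ini) {
    Write-Output "INI      Eupdate.ini LastWriteTime=$((Get-Item -LiteralPath $ini).LastWriteTime)"
    Select-String -LiteralPath $ini -Pattern 'date|time' | ForEach-Object { Write-Output "INI      $($_.Line.Trim())" }
}

# 4. Scheduled tasks: the second-stage PowerShell malware is launched via a scheduled task.
#    Flag task actions that run PowerShell with loader-style arguments or out of the eScan directory.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd    = "$($action.Execute) $($action.Arguments)"
        $isPS   = $cmd -match 'powershell|pwsh'
        $loader = $cmd -match 'encodedcommand|-enc|-w(indowstyle)? hidden|bypass|downloadstring|iex|invoke-expression'
        if ($isPS -and ($loader -or $cmd -match [regex]::Escape($EscanDir))) {
            $Findings.Add("TASK     $($task.TaskPath)$($task.TaskName): $cmd")
        }
    }
}

# 5. In-process PowerShell host: reload.exe is built on UnmanagedPowerShell, which loads the CLR and
#    the PowerShell engine into a process that is not powershell.exe. Module enumeration fails across
#    bitness boundaries (eScan lives under Program Files (x86)), so rerun from a 32-bit shell if it throws.
foreach ($proc in Get-Process -Name 'reload', 'CONSCTLX' -ErrorAction SilentlyContinue) {
    try {
        $mods = @($proc.Modules | ForEach-Object { $_.ModuleName })
        $clr  = @($mods | Where-Object { $_ -like 'System.Management.Automation*.dll' -or $_ -in 'mscoree.dll', 'clr.dll', 'coreclr.dll' })
        Write-Output "PROC     $($proc.ProcessName) pid=$($proc.Id) path=$($proc.Path) clrModules=$($clr -join ',')"
        if ($clr.Count -gt 0) { $Findings.Add("PROC     pid $($proc.Id) $($proc.ProcessName) hosts the CLR/PowerShell engine in-process") }
    } catch {
        Write-Output "PROC     could not enumerate modules of pid $($proc.Id): $($_.Exception.Message)"
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No indicators from this check set. Still confirm with the vendor whether this host pulled updates from the affected cluster on 2026-01-20.'
} else {
    Write-Output "`nFINDINGS ($($Findings.Count)):"
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

Treat the output as leads rather than verdicts: compare hashes and signature status against a known-good eScan installation, since the article only states that the rogue reload.exe is signed with an invalid signature and says nothing about how the legitimate CONSCTLX.exe is signed. Because the implant forges the Eupdate.ini date precisely so the console looks healthy, a fresh LastWriteTime on that file next to a BADSIG finding is the combination to escalate. Obtain the vendor's remediation rather than deleting the binaries by hand; the article notes that the patch reverts the changes the malicious update introduced.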
The eScan bulletin doesn't say which regional update server was affected, but Kaspersky's analysis of telemetry data has revealed "hundreds of machines belonging to both individuals and organizations" that encountered infection attempts with payloads related to the supply chain attack. These machines are primarily located in India, Bangladesh, Sri Lanka, and the Philippines.
The security firm also noted that the attackers must have studied the internals of eScan in detail to understand how its update mechanism worked and how it could be tampered with to distribute malicious updates. It is currently not known how the threat actors managed to gain access to the update server.
"Notably, it's quite unique to see malware being deployed via a security solution update," it said. "Supply chain attacks are a rare occurrence in general, let alone ones orchestrated via antivirus products."

The Hacker News | Tags: Antivirus, Compromised, Deliver, eScan, Malware, MultiStage, Servers, Update
