eScan confirms update server breached to push malicious update

MicroWorld Technologies, the maker of the eScan antivirus product, has confirmed that one of its update servers was breached and used to distribute an unauthorized update, later analyzed as malicious, to a small subset of customers earlier this month.

The file was delivered to customers who downloaded updates from the regional update cluster during a two-hour window on January 20, 2026.

eScan says the affected infrastructure has since been isolated and rebuilt, authentication credentials have been rotated, and remediation has been made available to impacted customers.


Security firm Morphisec separately published a technical report analyzing malicious activity observed on customer endpoints, which it associates with updates delivered from eScan's update infrastructure during the same timeframe.

Morphisec states that it detected malicious activity on January 20, 2026, and later contacted eScan. MicroWorld Technologies told BleepingComputer it disputes Morphisec's claims that it was the first to discover or report the incident.

According to eScan, the company detected the issue internally on January 20 through monitoring and customer reports, isolated the affected infrastructure within hours, and issued a security advisory on January 21. eScan says Morphisec contacted the company later, after publishing public claims about the incident.

eScan also disputes claims that affected customers were unaware of the issue, stating that it carried out proactive notifications and direct outreach to impacted customers while remediation was being finalized.

Update infrastructure breached

In its advisory, eScan categorized the incident as an update infrastructure access incident, stating that unauthorized access to a regional update server configuration allowed an unauthorized file to be placed in the update distribution path.

“Unauthorized access to one of our regional update server configurations resulted in an incorrect file (patch configuration binary/corrupt update) being placed in the update distribution path,” reads an advisory shared with BleepingComputer by MicroWorld Technologies.

“This file was distributed to customers downloading updates from the affected server cluster during a limited timeframe on January 20, 2026.”

The company emphasized that the incident did not involve a vulnerability in the eScan product itself.

eScan stressed that only those whose software was updated from the specific regional cluster were impacted, while all other customers remained unaffected.

However, eScan says that those who installed the malicious update may have seen the following behavior on their systems:

  • Update service failure notifications
  • Modified system hosts file preventing connection to eScan update servers
  • eScan update configuration file modifications
  • Inability to download new security definition updates
  • Update unavailability popup on client machines

BleepingComputer contacted eScan with further questions about when its systems were initially breached and will update the story if we receive a reply.

Update deployed to push malware

Morphisec's security bulletin says that the malicious update pushed down a modified version of an eScan update component, “Reload.exe”.

“Malicious updates were distributed through eScan's legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally,” reads Morphisec's bulletin.

While the modified Reload.exe is signed with what appears to be eScan's code-signing certificate, both Windows and VirusTotal show the signature as invalid.

According to Morphisec, the Reload.exe file [VirusTotal] was used to enable persistence, execute commands, modify the Windows HOSTS file to prevent remote updates, and connect to the C2 infrastructure to download further payloads.

The researchers say the following command and control servers were observed:

hxxps[://]vhs[.]delrosal[.]net/i
hxxps[://]tumama[.]hns[.]to
hxxps[://]blackice[.]sol-domain[.]org
hxxps[://]codegiant[.]io/dd/dd/dd[.]git/download/main/middleware[.]ts
504e1a42.host.njalla[.]net
185.241.208[.]115

The final payload seen deployed was a file named CONSCTLX.exe [VirusTotal], which Morphisec says acts as a backdoor and a persistent downloader. Morphisec says that the malicious files created scheduled tasks for persistence using names like “CorelDefrag”.

eScan has created a remediation update that customers can run to perform the following actions:

  • Automatically identifies and corrects incorrect modifications
  • Re-enables proper eScan update functionality
  • Verifies successful restoration
  • Requires a standard system restart

Both eScan and Morphisec recommend that customers block the above command and control servers for additional protection.
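The hosts-file tampering in eScan's symptom list and the indicators Morphisec published can both be checked for mechanically before the remediation update is run. The script below is an added example, not eScan's remediation tool or Morphisec's code: it parses a hosts file for entries that pin a hostname to a loopback or blackhole address (reporting any name containing "escan" separately), matches network-log lines against the command and control hosts and IP address listed above, and flags scheduled tasks whose leaf name is the reported persistence name. The hosts entries, log lines and task list are constructed for the example; the *.escan.example names are hypothetical, and matching on the substring "escan" is an assumption, since the article does not name the real update servers.

```python
"""Endpoint triage for the indicators in the article above.

Added example, not code from eScan, Morphisec or BleepingComputer. It checks
(1) hosts-file entries that pin a name to a loopback/blackhole address, the
symptom eScan lists, reporting names containing "escan" separately (the
article does not give the real update hostnames, so that match is an
assumption); (2) log lines referencing the C2 hosts/IP Morphisec published;
(3) scheduled-task names matching the reported persistence name.
All sample input at the bottom is constructed for this example.
"""
import ipaddress
from urllib.parse import urlparse

# Indicators from the article with the defanging removed.
C2_HOSTS = {"vhs.delrosal.net", "tumama.hns.to", "blackice.sol-domain.org",
            "codegiant.io", "504e1a42.host.njalla.net"}
C2_IPS = {"185.241.208.115"}
TASK_NAMES = {"coreldefrag"}  # extend as further names are published
SINKHOLES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/32", "::1/128")]
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line; not what this check hunts for
        for name in names:
            yield ip, name.lower()

def hosts_findings(text):
    """Return (kind, hostname, ip) tuples for suspicious hosts-file entries."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in C2_HOSTS or str(ip) in C2_IPS:
            findings.append(("c2_indicator_in_hosts", name, str(ip)))
        elif name not in LOOPBACK_NAMES and any(ip in net for net in SINKHOLES):
            kind = "escan_update_blocked" if "escan" in name else "sinkholed_name"
            findings.append((kind, name, str(ip)))
    return findings

def host_of(token):
    """Bare host/IP from a URL, host:port or trailing-dot FQDN token; None if unparsable."""
    try:
        host = urlparse(token if "://" in token else "//" + token).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None

def indicators_in(line):
    """Set of C2 hosts/IPs referenced by one whitespace-separated log line."""
    hosts = {host_of(tok.strip("\"'()[]<>,;")) for tok in line.split()}
    return {h for h in hosts if h in C2_HOSTS or h in C2_IPS}

def log_hits(lines):
    """[(line_number, indicator), ...] for every C2 reference, in line order."""
    return [(n, ioc) for n, line in enumerate(lines, 1) for ioc in sorted(indicators_in(line))]

def suspicious_tasks(task_paths):
    """Task paths (as listed by `schtasks /query`) whose leaf name is a known persistence name."""
    return [t for t in task_paths if t.rsplit("\\", 1)[-1].strip().lower() in TASK_NAMES]

# ---- constructed sample input (not real telemetry); *.escan.example is hypothetical ----
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.escan.example   # update host pinned to a blackhole address
127.0.0.1       dl.escan.example
185.241.208.115 cdn.escan.example      # update host redirected to the listed C2 IP
0.0.0.0         telemetry.example.org  # unrelated sinkholed name, lower priority
"""
SAMPLE_LOG = [
    "2026-01-20T14:02:11Z host01 dns query A vhs.delrosal.net.",
    "2026-01-20T14:02:12Z host01 proxy GET https://vhs.delrosal.net/i 200",
    "2026-01-20T14:05:40Z host01 proxy GET https://codegiant.io/dd/dd/dd.git/download/main/middleware.ts 200",
    "2026-01-20T14:06:03Z host01 dns query A update.microsoft.com.",
    "2026-01-20T14:09:55Z host01 tcp connect 185.241.208.115:443",
]
SAMPLE_TASKS = ["\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "\\CorelDefrag", "\\eScan Update"]

def triage():
    """Run all three checks on the sample input and return the findings by section."""
    return {"hosts": hosts_findings(SAMPLE_HOSTS),
            "log": log_hits(SAMPLE_LOG),
            "tasks": suspicious_tasks(SAMPLE_TASKS)}

if __name__ == "__main__":
    for section, items in triage().items():
        print(f"[{section}]", *items, sep="\n   ")
```

On a real machine, feed the contents of C:\Windows\System32\drivers\etc\hosts to hosts_findings, exported proxy or DNS-client log lines to log_hits, and the task paths from `schtasks /query` to suspicious_tasks. A hit on an eScan name in the hosts check is the strongest single signal here, because a healthy installation has no reason to pin its own update servers to loopback; the IOC checks are only as current as the indicator list above, and a clean result does not rule out compromise on its own.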

In 2024, North Korean hackers were observed exploiting the updating mechanism of eScan antivirus to plant backdoors on corporate networks.
