The replace infrastructure for eScan antivirus, a safety resolution developed by Indian cybersecurity firm MicroWorld Applied sciences, has been compromised by unknown attackers to ship a persistent downloader to enterprise and client methods.
“Malicious updates had been distributed by eScan’s respectable replace infrastructure, ensuing within the deployment of multi-stage malware to enterprise and client endpoints globally,” Morphisec researcher Michael Gorelik stated.
MicroWorld Applied sciences has revealed that it detected unauthorized entry to its infrastructure and instantly remoted the impacted replace servers, which remained offline for over eight hours. It has additionally launched a patch that reverts the modifications launched as a part of the malicious replace. Impacted organizations are beneficial to contact MicroWorld Applied sciences to acquire the repair.
It additionally pinned the assault as ensuing from unauthorized entry to considered one of its regional replace server configurations, which enabled the menace actors to distribute a “corrupt” replace to prospects throughout a “restricted timeframe” of about two hours on January 20, 2026.
“eScan skilled a short lived replace service disruption beginning January 20, 2026, affecting a subset of shoppers whose methods robotically obtain updates throughout a selected timeframe, from a selected replace cluster,” the corporate stated in an advisory issued on January 22, 2026.
“The difficulty resulted from unauthorized entry to the regional replace server infrastructure. The incident has been recognized and resolved. Complete remediation is out there that addresses all noticed situations.”
Morphisec, which recognized the incident on January 20, 2026, stated the malicious payload interferes with the common performance of the product, successfully stopping automated remediation. This particularly entails delivering a malicious “Reload.exe” file that is designed to drop a downloader, which accommodates performance to ascertain persistence, block distant updates, and get in touch with an exterior server to fetch extra payloads, together with “CONSCTLX.exe.”
In line with particulars shared by Kaspersky, “Reload.exe” – a respectable file situated in “C:Program Recordsdata (x86)escanreload.exe” – is changed with a rogue counterpart that may stop additional antivirus product updates by modifying the HOSTS file. It is signed with a pretend, invalid digital signature.
“When began, this reload.exe file checks whether or not it’s launched from the Program Recordsdata folder, and exits if not,” the Russian cybersecurity firm stated. “This executable is predicated on the UnmanagedPowerShell instrument, which permits executing PowerShell code in any course of. Attackers have modified the supply code of this challenge by including an AMSI bypass functionality to it, and used it to execute a malicious PowerShell script contained in the reload.exe course of.”
The first duty of the binary is to launch three Base64-encoded PowerShell payloads, that are designed to –
- Tamper with the put in eScan resolution to stop it from receiving updates and detecting the put in malicious parts
- Bypass Home windows Antimalware Scan Interface (AMSI)
- Examine whether or not the sufferer machine needs to be additional contaminated, and if sure, ship a PowerShell-based payload to it
The sufferer validation step examines the record of put in software program, working processes, and companies towards a hard-coded blocklist that features evaluation instruments and safety options, together with these from Kaspersky. If they’re detected, no additional payloads are delivered.
The PowerShell payload, as soon as executed, contacts an exterior server to obtain two payloads in return: “CONSCTLX.exe” and a second PowerShell-based malware that is launched via a scheduled activity. It is value noting that the primary of the three aforementioned PowerShell scripts additionally replaces the “C:Program Recordsdata (x86)eScanCONSCTLX.exe” part with the malicious file.
“CONSCTLX.exe” works by launching the PowerShell-based malware, alongside altering the final replace time of the eScan product to the present time by writing the present date to the “C:Program Recordsdata (x86)eScanEupdate.ini” file in order to offer the impression that the instrument is working as anticipated.
The PowerShell malware, for its half, performs the identical validation procedures as earlier than and sends an HTTP request to the attacker-controlled infrastructure to obtain extra PowerShell payloads from the server for subsequent execution.
The eScan bulletin doesn’t say which regional replace server was affected, however Kaspersky’s evaluation of telemetry information has revealed “tons of of machines belonging to each people and organizations” that encountered an infection makes an attempt with payloads associated to the provision chain assault. These machines are primarily situated in India, Bangladesh, Sri Lanka, and the Philippines.
The safety outfit additionally famous that the attackers needed to have studied the internals of eScan intimately to know how its replace mechanism labored and the way it might be tampered with to distribute malicious updates. It is presently not identified how the menace actors managed to safe entry to the replace server.
“Notably, it’s fairly distinctive to see malware being deployed by a safety resolution replace,” it stated. “Provide chain assaults are a uncommon prevalence normally, not to mention those orchestrated by antivirus merchandise.”
