[Illustration: a compromised antivirus update process delivering malicious code]

Antivirus Under Attack: eScan’s Update Servers Compromised in Sophisticated Supply Chain Breach


In a concerning development for digital security, eScan antivirus, a product of Indian cybersecurity firm MicroWorld Technologies, experienced a sophisticated supply chain attack. Unknown threat actors successfully compromised the company’s update infrastructure, leveraging it to distribute multi-stage malware to both enterprise and consumer systems worldwide.

The Breach: How Attackers Infiltrated eScan’s Update Mechanism

The incident, first detected by Morphisec researcher Michael Gorelik, revealed that malicious updates were pushed through eScan’s legitimate distribution channels. MicroWorld Technologies confirmed unauthorized access to its infrastructure, leading to the immediate isolation of affected update servers for over eight hours.

Timeline of the Attack and MicroWorld’s Response

The company disclosed that the attack stemmed from unauthorized access to a regional update server configuration. This allowed threat actors to distribute a “corrupt” update to customers during a “limited timeframe” of approximately two hours on January 20, 2026. MicroWorld Technologies swiftly released a patch to revert the malicious changes and advised affected organizations to contact them for the fix. An advisory issued on January 22, 2026, acknowledged a “temporary update service disruption” affecting a subset of customers who downloaded updates from a specific cluster during the critical window.

Unpacking the Malicious Payload: A Multi-Stage Threat

Morphisec, which identified the incident on January 20, 2026, detailed the insidious nature of the malicious payload. This malware was designed to interfere with the antivirus product’s regular functionality, effectively preventing automatic remediation and further legitimate updates.

The Role of “Reload.exe” and “CONSCTLX.exe”

The attack involved replacing the legitimate “Reload.exe” file (located at “C:\Program Files (x86)\eScan\reload.exe”) with a rogue version. This malicious “Reload.exe,” signed with a fake digital signature, was built upon the UnmanagedPowerShell tool. Attackers modified its source code to include an AMSI bypass capability, allowing it to execute malicious PowerShell scripts within the “reload.exe” process.

The primary functions of this binary included:

  • Tampering with the installed eScan solution to block updates and hide malicious components.
  • Bypassing Windows Antimalware Scan Interface (AMSI).
  • Performing victim validation to determine if further infection was warranted, based on installed software, running processes, and services against a hard-coded blocklist of analysis tools and security solutions (including Kaspersky).

If validation passed, a PowerShell-based payload was delivered. This payload, once executed, contacted an external server to fetch additional components, including “CONSCTLX.exe” and another PowerShell-based malware launched via a scheduled task.

The malicious “CONSCTLX.exe” component, also replacing its legitimate counterpart, worked to launch the PowerShell malware and manipulate the eScan product’s last update time in “C:\Program Files (x86)\eScan\Eupdate.ini” to give the false impression of normal operation.

Geographical Impact and Attacker Sophistication

While eScan’s bulletin did not specify the affected regional update server, Kaspersky’s analysis of telemetry data revealed hundreds of machines, both individual and organizational, that encountered infection attempts. These systems were primarily located in India, Bangladesh, Sri Lanka, and the Philippines.

Security experts emphasize the high level of sophistication demonstrated by the attackers. Their ability to meticulously study eScan’s internal update mechanisms and exploit them points to a well-resourced and determined adversary.

Recommendations for Affected Users

MicroWorld Technologies has provided a patch to address the malicious changes. Impacted organizations and users are strongly advised to:

  • Contact MicroWorld Technologies directly to obtain and apply the official fix.
  • Ensure all security software is up to date and conduct thorough system scans.
  • Review system logs for any unusual activity during the specified timeframe (January 20, 2026).
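The following PowerShell triage script is an added example, not code from MicroWorld Technologies or Morphisec. It checks the signature status of the two binaries named above, lists scheduled tasks that launch PowerShell, surfaces the date lines in Eupdate.ini next to the file's real modification time, and pulls script-block log entries from the disclosed window; the install directory follows the paths quoted above, while the window bounds and keyword filters are assumptions.

```powershell
# Added triage example for the eScan incident described above; not MicroWorld's
# or Morphisec's code. Install directory follows the article's paths; the date
# window and the keyword filters are assumptions. Run in an elevated shell.
$EscanDir = 'C:\Program Files (x86)\eScan'
$Start    = Get-Date '2026-01-20'   # disclosed compromise date
$End      = Get-Date '2026-01-23'   # one day past the 22 Jan advisory (assumed)

# 1. Authenticode status of the two binaries the attackers replaced.
#    Anything other than 'Valid', or an unexpected signer, needs follow-up.
foreach ($name in 'reload.exe', 'CONSCTLX.exe') {
    $path = Join-Path $EscanDir $name
    if (-not (Test-Path $path)) { Write-Warning "$name not found"; continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        File      = $name
        Status    = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        LastWrite = (Get-Item $path).LastWriteTime
    }
}

# 2. Scheduled tasks whose action launches PowerShell (the second-stage
#    payload was started this way). Review any task you do not recognise.
Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -match 'powershell|pwsh' }
} | Select-Object TaskName, TaskPath, State,
    @{ n = 'Execute';   e = { $_.Actions.Execute   -join ';' } },
    @{ n = 'Arguments'; e = { $_.Actions.Arguments -join ';' } }

# 3. Eupdate.ini was rewritten to fake a recent update. Show the file's own
#    modification time next to any date/time lines so they can be compared;
#    the key names inside the file are not assumed here.
$ini = Join-Path $EscanDir 'Eupdate.ini'
if (Test-Path $ini) {
    "Eupdate.ini LastWriteTime: $((Get-Item $ini).LastWriteTime)"
    Get-Content $ini | Select-String -Pattern 'date|time|update'
}

# 4. PowerShell script-block log (event 4104) inside the window, filtered to
#    blocks that mention AMSI or the replaced binary. Requires script-block
#    logging to have been enabled before the incident.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'amsi|reload\.exe' } |
    Select-Object TimeCreated, @{ n = 'Snippet'; e = {
        $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
```

A mismatch between the timestamp recorded in Eupdate.ini and the file's own LastWriteTime, or a valid-looking binary whose signer is not the vendor, is the signal to hand the host to incident response rather than simply re-patch it.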

This incident serves as a stark reminder of the critical importance of supply chain security, even for products designed to protect against such threats. Vigilance and rapid response remain paramount in the evolving cybersecurity landscape.
