Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Phorpiex Phishing Delivers Low-Noise Global Group Ransomware

February 10, 2026

APT28 Uses Microsoft Office CVE-2026-21509 in Espionage-Focused Malware Attacks

February 10, 2026

“Digital Parasite” Warning as Attackers Favor Stealth for Extortion

February 10, 2026
Facebook X (Twitter) Instagram
Tuesday, February 10
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware
News

eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware

Team-CWDBy Team-CWDFebruary 8, 2026No Comments4 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


The update infrastructure for eScan antivirus, a security solution developed by Indian cybersecurity company MicroWorld Technologies, has been compromised by unknown attackers to deliver a persistent downloader to enterprise and consumer systems.

“Malicious updates were distributed through eScan’s legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally,” Morphisec researcher Michael Gorelik said.

MicroWorld Technologies has revealed that it detected unauthorized access to its infrastructure and immediately isolated the impacted update servers, which remained offline for over eight hours. It has also released a patch that reverts the changes introduced as part of the malicious update. Impacted organizations are recommended to contact MicroWorld Technologies to obtain the fix.

It also pinned the attack as resulting from unauthorized access to one of its regional update server configurations, which enabled the threat actors to distribute a “corrupt” update to customers during a “limited timeframe” of about two hours on January 20, 2026.

“eScan experienced a temporary update service disruption starting January 20, 2026, affecting a subset of customers whose systems automatically download updates during a specific timeframe, from a specific update cluster,” the company said in an advisory issued on January 22, 2026. 

“The issue resulted from unauthorized access to the regional update server infrastructure. The incident has been identified and resolved. Comprehensive remediation is available that addresses all observed scenarios.”

Morphisec, which identified the incident on January 20, 2026, said the malicious payload interferes with the regular functionality of the product, effectively preventing automatic remediation. This specifically involves delivering a malicious “Reload.exe” file that’s designed to drop a downloader, which contains functionality to establish persistence, block remote updates, and contact an external server to fetch additional payloads, including “CONSCTLX.exe.”

According to details shared by Kaspersky, “Reload.exe” – a legitimate file located in “C:Program Files (x86)escanreload.exe” – is replaced with a rogue counterpart that can prevent further antivirus product updates by modifying the HOSTS file. It’s signed with a fake, invalid digital signature.

“When started, this reload.exe file checks whether it is launched from the Program Files folder, and exits if not,” the Russian cybersecurity company said. “This executable is based on the UnmanagedPowerShell tool, which allows executing PowerShell code in any process. Attackers have modified the source code of this project by adding an AMSI bypass capability to it, and used it to execute a malicious PowerShell script inside the reload.exe process.”

The primary responsibility of the binary is to launch three Base64-encoded PowerShell payloads, which are designed to –

  • Tamper with the installed eScan solution to prevent it from receiving updates and detecting the installed malicious components
  • Bypass Windows Antimalware Scan Interface (AMSI)
  • Check whether the victim machine should be further infected, and if yes, deliver a PowerShell-based payload to it

The victim validation step examines the list of installed software, running processes, and services against a hard-coded blocklist that includes analysis tools and security solutions, including those from Kaspersky. If they are detected, no further payloads are delivered.

The PowerShell payload, once executed, contacts an external server to receive two payloads in return: “CONSCTLX.exe” and a second PowerShell-based malware that’s launched by means of a scheduled task. It’s worth noting that the first of the three aforementioned PowerShell scripts also replaces the “C:Program Files (x86)eScanCONSCTLX.exe” component with the malicious file.

“CONSCTLX.exe” works by launching the PowerShell-based malware, alongside changing the last update time of the eScan product to the current time by writing the current date to the “C:Program Files (x86)eScanEupdate.ini” file so as to give the impression that the tool is working as expected.

The PowerShell malware, for its part, performs the same validation procedures as before and sends an HTTP request to the attacker-controlled infrastructure to receive more PowerShell payloads from the server for subsequent execution.

The eScan bulletin does not say which regional update server was affected, but Kaspersky’s analysis of telemetry data has revealed “hundreds of machines belonging to both individuals and organizations” that encountered infection attempts with payloads related to the supply chain attack. These machines are mainly located in India, Bangladesh, Sri Lanka, and the Philippines.

The security outfit also noted that the attackers had to have studied the internals of eScan in detail to understand how its update mechanism worked and how it could be tampered with to distribute malicious updates. It’s currently not known how the threat actors managed to secure access to the update server.

“Notably, it is quite unique to see malware being deployed through a security solution update,” it said. “Supply chain attacks are a rare occurrence in general, let alone the ones orchestrated through antivirus products.”



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleOpen VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm
Next Article Notepad++ Official Update Mechanism Hijacked to Deliver Malware to Select Users
Team-CWD
  • Website

Related Posts

News

Phorpiex Phishing Delivers Low-Noise Global Group Ransomware

February 10, 2026
News

APT28 Uses Microsoft Office CVE-2026-21509 in Espionage-Focused Malware Attacks

February 10, 2026
News

“Digital Parasite” Warning as Attackers Favor Stealth for Extortion

February 10, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Exploit Threat Intel Platforms For Phishing

September 7, 20256 Views

U.S. Treasury Sanctions DPRK IT-Worker Scheme, Exposing $600K Crypto Transfers and $1M+ Profits

September 5, 20256 Views

Ukrainian Ransomware Fugitive Added to Europe’s Most Wanted

September 11, 20255 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Exploit Threat Intel Platforms For Phishing

September 7, 20256 Views
Our Picks

How to help older family members avoid scams

October 31, 2025

Why you should never pay to get paid

September 15, 2025

How chatbots can help spread scams

October 14, 2025

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.