eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware
#Vulnerabilities


Security Reporter

eScan antivirus update infrastructure was compromised, delivering multi-stage malware to enterprise and consumer systems globally through malicious updates distributed via legitimate update servers.

The update infrastructure for eScan antivirus, a security solution developed by Indian cybersecurity company MicroWorld Technologies, has been compromised by unknown attackers to deliver a persistent downloader to enterprise and consumer systems. This supply chain attack represents a significant escalation in threat actor tactics, as it exploits the trust users place in security software updates.


Attack Timeline and Discovery

According to Morphisec researcher Michael Gorelik, malicious updates were distributed through eScan's legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally. The incident occurred during a "limited timeframe" of approximately two hours on January 20, 2026.

MicroWorld Technologies detected unauthorized access to its infrastructure and immediately isolated the impacted update servers, which remained offline for over eight hours. The company has since released a patch that reverts the changes introduced as part of the malicious update.

Technical Analysis of the Malware

The attack involves a sophisticated multi-stage malware delivery system that specifically targets eScan antivirus installations. The primary malicious component is a rogue version of "Reload.exe" that replaces the legitimate file located in "C:\Program Files (x86)\escan\reload.exe."

How the Malware Operates

When executed, this malicious reload.exe file performs several critical functions:

  • Checks whether it was launched from the Program Files folder and exits if not
  • Is built on UnmanagedPowerShell, an open-source tool for running PowerShell code from an unmanaged (non-PowerShell) process
  • Includes an AMSI bypass to evade script scanning
  • Executes a malicious PowerShell script inside the reload.exe process itself, so no powershell.exe is spawned

The primary responsibility of the binary is to launch three Base64-encoded PowerShell payloads, which are designed to:

  1. Tamper with the installed eScan solution to prevent it from receiving updates and detecting the installed malicious components
  2. Bypass Windows Antimalware Scan Interface (AMSI) to evade detection
  3. Validate whether the victim machine should be further infected, and if yes, deliver a PowerShell-based payload to it

Victim Validation Process

The malware employs a sophisticated validation mechanism that examines the list of installed software, running processes, and services against a hard-coded blocklist. This blocklist includes analysis tools and security solutions, particularly those from Kaspersky. If these security tools are detected, no further payloads are delivered, suggesting the attackers want to avoid detection by security researchers.

Payload Delivery Chain

Once a system passes validation, the PowerShell payload contacts an external server to receive two additional payloads:

  1. CONSCTLX.exe - A malicious executable that establishes persistence
  2. A second PowerShell-based malware - Launched via a scheduled task

The first PowerShell script also replaces the legitimate "C:\Program Files (x86)\eScan\CONSCTLX.exe" component with the malicious file.

CONSCTLX.exe Functionality

This malicious executable performs several critical functions:

  • Launches the PowerShell-based malware
  • Changes the last update time of the eScan product to the current time by writing the current date to "C:\Program Files (x86)\eScan\Eupdate.ini"
  • Creates the impression that the eScan tool is working as expected

The PowerShell malware then performs the same validation procedures and sends an HTTP request to the attacker-controlled infrastructure to receive more PowerShell payloads for subsequent execution.
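A defender-side triage script for the indicators the analysis above describes (the replaced reload.exe and CONSCTLX.exe, the rewritten Eupdate.ini, and the scheduled task that starts the second-stage script). This is an added example, not code from eScan, Morphisec or Kaspersky; it assumes the default install path quoted in the article and that genuine eScan binaries carry a valid Authenticode signature, and the Eupdate.ini field names it greps for are assumptions.

```powershell
# Added triage check (not eScan's or the researchers' code). Assumes the default
# install directory and that legitimate eScan binaries are validly signed.
$escanDir = 'C:\Program Files (x86)\eScan'
$watched  = @('reload.exe', 'CONSCTLX.exe')   # components the analysis names as replaced

foreach ($name in $watched) {
    $path = Join-Path $escanDir $name
    if (-not (Test-Path $path)) { Write-Output "MISSING $path"; continue }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $item = Get-Item $path
    # Anything other than 'Valid' (NotSigned, HashMismatch, UnknownError ...) needs a look:
    # the rogue reload.exe carried a signature that does not verify.
    $flag = if ($sig.Status -eq 'Valid') { 'OK     ' } else { 'SUSPECT' }
    Write-Output ("{0} {1}  sig={2}  signer={3}  modified={4:u}  sha256={5}" -f
        $flag, $name, $sig.Status, $sig.SignerCertificate.Subject,
        $item.LastWriteTimeUtc, $hash)
}

# Eupdate.ini: the rogue CONSCTLX.exe rewrites the last-update date so the product
# looks healthy. Show when the file was really written next to what it claims.
$ini = Join-Path $escanDir 'Eupdate.ini'
if (Test-Path $ini) {
    Write-Output ("INFO    Eupdate.ini last written {0:u}" -f (Get-Item $ini).LastWriteTimeUtc)
    # Field names are an assumption; adjust to the real file layout.
    Get-Content $ini | Select-String -Pattern 'date|update' | ForEach-Object { "        $_" }
}

# Scheduled tasks whose action launches PowerShell: the second-stage malware is
# started through such a task. Review every hit, especially encoded commands.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -match 'powershell|pwsh' -or
            $a.Arguments -match 'powershell|pwsh|-e(nc|ncodedcommand)?\b|FromBase64') {
            Write-Output ("TASK    {0}{1}  {2} {3}" -f $task.TaskPath, $task.TaskName,
                $a.Execute, $a.Arguments)
        }
    }
}
```

Compare the printed SHA-256 values against hashes taken from a known-clean installation of the same eScan build; a binary with a valid signature but an unexpected hash still warrants escalation.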

Geographic Impact and Scope

Kaspersky's analysis of telemetry data has revealed "hundreds of machines belonging to both individuals and organizations" that encountered infection attempts with payloads related to this supply chain attack. The affected machines are primarily located in:

  • India
  • Bangladesh
  • Sri Lanka
  • Philippines

This geographic distribution suggests the attackers may have been targeting specific regions or organizations within these countries.

Technical Sophistication

The attack demonstrates a high level of technical sophistication. According to Kaspersky, the attackers had to have studied the internals of eScan in detail to understand how its update mechanism worked and how it could be tampered with to distribute malicious updates.

"Notably, it is quite unique to see malware being deployed through a security solution update," Kaspersky stated. "Supply chain attacks are a rare occurrence in general, let alone the ones orchestrated through antivirus products."

Digital Signature Compromise

The malicious reload.exe file carries a fake digital signature that does not validate. This indicates the attackers either compromised signing infrastructure or created a fraudulent certificate in an attempt to make the malware appear legitimate to users and tools that check only for the presence of a signature rather than verifying it.

Mitigation and Response

MicroWorld Technologies has taken several steps to address the incident:

  1. Immediate isolation of impacted update servers
  2. Release of a patch that reverts the malicious changes
  3. Comprehensive remediation available for all observed scenarios
  4. Direct communication with impacted organizations

Organizations affected by this incident are advised to contact MicroWorld Technologies to obtain the fix. The company has stated that the issue has been identified and resolved.

Security Implications

This attack highlights several critical security concerns:

  • Supply chain vulnerabilities in security software can have devastating consequences
  • Update infrastructure security is paramount for security vendors
  • Multi-stage malware delivery can effectively evade traditional security controls
  • Regional targeting suggests sophisticated threat actor operations

The fact that attackers specifically targeted a security solution's update mechanism demonstrates their understanding that compromising trusted security software can provide access to high-value targets while evading traditional security controls.

Lessons Learned

This incident provides several important lessons for both security vendors and organizations:

  1. Security vendors must implement robust access controls and monitoring for their update infrastructure
  2. Organizations should maintain layered security defenses that don't rely solely on endpoint protection
  3. Regular security audits of critical infrastructure are essential
  4. Incident response plans should account for supply chain compromises
  5. Network segmentation can limit the spread of malware delivered through compromised updates

Conclusion

The eScan supply chain attack represents a significant escalation in threat actor tactics, demonstrating that even trusted security solutions can be compromised to deliver sophisticated multi-stage malware. The attack's technical sophistication, geographic targeting, and successful exploitation of update infrastructure trust make it a concerning development in the cybersecurity landscape.

Organizations using eScan antivirus should immediately contact MicroWorld Technologies for remediation guidance and ensure they have applied all available patches. This incident serves as a reminder that security vendors must maintain the highest standards of infrastructure security, as their products are often the last line of defense for their customers.
