eScan antivirus confirms attackers compromised its update infrastructure to push malware to customers during a two-hour window, deploying backdoors and blocking security updates.

Antivirus provider eScan has confirmed a security breach where attackers compromised one of its regional update servers to distribute malicious software disguised as legitimate updates. The incident, occurring during a two-hour window on January 20, 2026, delivered malware that disabled security protections and established persistent backdoors on affected systems.
According to MicroWorld Technologies (eScan's parent company), unauthorized access to a regional update server configuration allowed attackers to place a malicious file in the update distribution path. This 'corrupt update' was delivered only to customers using the compromised regional cluster during the attack window. eScan emphasized this wasn't a product vulnerability but an infrastructure compromise, stating: "Unauthorized access to one of our regional update server configurations resulted in an incorrect file being placed in the update distribution path."
Security firm Morphisec published technical analysis indicating the malicious update deployed a modified version of eScan's Reload.exe component. This file (VirusTotal analysis) was signed with an invalidated eScan certificate and performed multiple malicious actions:
- Blocked connections to eScan servers by modifying the system's HOSTS file
- Created persistence mechanisms via scheduled tasks named "CorelDefrag"
- Downloaded additional payloads from command-and-control servers, including vhs.delrosal.net and 185.241.208.115
- Deployed a final backdoor payload (CONSCTLX.exe, VirusTotal analysis) acting as a persistent downloader
Affected users reported update service failures, inability to receive security definition updates, and uninstallation warnings. eScan disputes Morphisec's claim of first discovery, stating internal monitoring detected the incident on January 20 followed by customer reports. The company isolated compromised infrastructure within hours, rotated credentials, and rebuilt systems.
Practical Implications for Organizations
- Verify Update Integrity: Monitor for unexpected update failures or certificate validation errors. The malicious Reload.exe showed invalid signatures despite using eScan's certificate.
- Block Confirmed C2 Servers: Immediately block traffic to identified command servers:
  - vhs.delrosal[.]net
  - tumama.hns[.]to
  - blackice.sol-domain[.]org
  - codegiant.io/dd/dd/dd.git
  - 504e1a42.host.njalla[.]net
  - 185.241.208.115
- Check for Compromise Indicators: Search systems for:
  - Modified HOSTS file entries blocking eScan domains
  - Scheduled tasks named "CorelDefrag"
  - Processes Reload.exe or CONSCTLX.exe with invalid digital signatures
- Apply eScan Remediation: Run eScan's cleanup utility, which:
  - Reverses malicious modifications
  - Restores update functionality
  - Requires a system reboot
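The following is an added example, not code from eScan, Morphisec or the article, showing how the host-level indicators and the C2 list above can be turned into a small triage script. It runs over constructed sample data (a HOSTS body, a list of scheduled-task paths and a few proxy/DNS log lines); on a real system the same functions would be fed the system HOSTS file, Task Scheduler output and network telemetry. The article does not name the eScan hostnames the HOSTS edits sinkholed, so the vendor-host marker `escan` is an assumption for the illustration.

```python
"""Added example, not eScan's, Morphisec's or the article's own code.

Hunts for the indicators the article lists (HOSTS edits against vendor
hosts, the "CorelDefrag" task, traffic to the published C2 list) over
constructed sample input so it runs offline.
"""
import re

# C2 indicators exactly as published in the article (defanged with "[.]").
C2_INDICATORS = [
    "vhs.delrosal[.]net",
    "tumama.hns[.]to",
    "blackice.sol-domain[.]org",
    "codegiant.io/dd/dd/dd.git",
    "504e1a42.host.njalla[.]net",
    "185.241.208.115",
]

# Scheduled-task name the malicious Reload.exe used for persistence.
MALICIOUS_TASK_NAMES = {"coreldefrag"}

# Assumption: the article does not enumerate the eScan hostnames that were
# sinkholed, so any hostname containing this marker counts as a vendor host.
VENDOR_MARKER = "escan"


def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com' for matching."""
    return indicator.replace("[.]", ".")


def find_c2_hits(log_lines, indicators=C2_INDICATORS):
    """Return (line_number, indicator) for each log line referencing a C2.

    Host-only indicators match as whole hostnames (subdomains and a trailing
    DNS dot allowed), so 'codegiant.io' traffic to other repositories is not
    flagged; an indicator that carries a path must match in full.
    """
    patterns = []
    for ind in indicators:
        plain = refang(ind)
        if "/" in plain:
            patterns.append((ind, re.compile(re.escape(plain))))
        else:
            patterns.append((ind, re.compile(r"(?<![\w-])" + re.escape(plain) + r"(?![\w-])")))
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ind, pat in patterns:
            if pat.search(line):
                hits.append((n, ind))
    return hits


def sinkholed_vendor_entries(hosts_text: str, marker: str = VENDOR_MARKER):
    """Return (ip, hostname) for every HOSTS entry naming a vendor host.

    Any manual override of an AV vendor's hosts deserves review, not only
    those pointing at 127.0.0.1 or 0.0.0.0, so every such entry is returned.
    """
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        found.extend((ip, name) for name in names if marker in name.lower())
    return found


def suspicious_tasks(task_paths):
    """Return scheduled-task paths whose leaf name matches a known IoC."""
    return [p for p in task_paths
            if p.rsplit("\\", 1)[-1].strip().lower() in MALICIOUS_TASK_NAMES]


# --- constructed sample input (not captures from a real machine) ------------
SAMPLE_HOSTS = """# constructed HOSTS body
127.0.0.1    localhost
0.0.0.0      update.escan-example.invalid   # style of entry the malicious Reload.exe added
0.0.0.0      dl.escan-example.invalid
10.0.0.5     intranet.corp.example
"""

SAMPLE_TASKS = [
    r"\Microsoft\Windows\Defrag\ScheduledDefrag",  # legitimate Windows task
    r"\CorelDefrag",                                # persistence task from the article
    r"\NightlyBackup",
]

SAMPLE_LOG = [  # constructed proxy/DNS lines
    "2026-01-20T14:02:11Z proxy ALLOW client=10.0.0.21 url=https://vhs.delrosal.net/upd/r.bin",
    "2026-01-20T14:02:15Z dns client=10.0.0.21 query=504e1a42.host.njalla.net. type=A",
    "2026-01-20T14:03:02Z proxy ALLOW client=10.0.0.30 url=https://codegiant.io/someone/else.git",
    "2026-01-20T14:03:40Z proxy ALLOW client=10.0.0.21 url=https://codegiant.io/dd/dd/dd.git",
    "2026-01-20T14:04:01Z conn client=10.0.0.21 dst=185.241.208.115:443",
]


def triage(hosts_text=SAMPLE_HOSTS, tasks=SAMPLE_TASKS, log_lines=SAMPLE_LOG):
    """Run all three checks and report whether any indicator was found."""
    report = {
        "hosts_entries": sinkholed_vendor_entries(hosts_text),
        "tasks": suspicious_tasks(tasks),
        "c2_hits": find_c2_hits(log_lines),
    }
    report["compromised"] = any(report[k] for k in ("hosts_entries", "tasks", "c2_hits"))
    return report


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The third sample log line is deliberately a different repository on the same git host: because the published indicator includes a path, only the exact `codegiant.io/dd/dd/dd.git` URL is flagged, which keeps the check from blocking a whole hosting site on the strength of one IoC.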
Broader Security Considerations
This incident follows a 2024 pattern where North Korean hackers exploited eScan's update mechanism. Organizations should implement:
- Update Source Verification: Use hash validation for critical updates beyond digital certificates
- Network Segmentation: Isolate update servers from broader internal networks
- Behavioral Monitoring: Detect update processes modifying system files like HOSTS
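As an added example of the first recommendation (hash validation beyond digital certificates), and not eScan's own update logic, the block below checks an update bundle against a pinned SHA-256 manifest before anything is applied. The manifest layout, the file names and the file contents are constructed stand-ins; the point it demonstrates is that a file swapped into the distribution path, or an extra file dropped beside the release, fails verification regardless of what its signature looks like.

```python
"""Added example, not eScan's code: verify update files against a pinned
SHA-256 manifest, independently of any code-signing check. The manifest
layout, file names and contents below are constructed for the illustration."""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(version: str, files: dict) -> str:
    """Produce the manifest a vendor would publish for a release.

    It must reach the client over a channel the update mirror cannot alter
    (pinned in the agent, or signed with a key never stored on the mirror);
    a manifest served from the same compromised path proves nothing.
    """
    return json.dumps({"version": version,
                       "files": {name: sha256_hex(data) for name, data in files.items()}})


def verify_file(manifest_json: str, filename: str, data: bytes):
    """Check one downloaded file. Returns (ok, reason)."""
    manifest = json.loads(manifest_json)
    expected = manifest["files"].get(filename)
    if expected is None:
        # A file absent from the release manifest is exactly the
        # "incorrect file placed in the update distribution path" case.
        return False, "not listed in manifest"
    if not hmac.compare_digest(sha256_hex(data), expected):
        return False, "sha256 mismatch"
    return True, "ok"


def verify_bundle(manifest_json: str, downloaded: dict):
    """Check a whole bundle: every listed file present and intact, nothing
    extra. Returns (ok, problems) so the caller refuses a partially tampered
    update instead of installing the good parts."""
    manifest = json.loads(manifest_json)
    problems = []
    for name in manifest["files"]:
        if name not in downloaded:
            problems.append(f"{name}: missing")
        else:
            ok, reason = verify_file(manifest_json, name, downloaded[name])
            if not ok:
                problems.append(f"{name}: {reason}")
    for name in downloaded:
        if name not in manifest["files"]:
            problems.append(f"{name}: not listed in manifest")
    return (not problems), problems


# --- constructed sample data (stand-ins, not real eScan binaries) -----------
GOOD_FILES = {
    "Reload.exe": b"constructed stand-in for the legitimate Reload.exe bytes",
    "defs.dat": b"constructed stand-in for a definitions file",
}
SAMPLE_MANIFEST = build_manifest("2026.01.20-constructed", GOOD_FILES)

# What a client on the compromised mirror would have fetched, modelled on the
# article's description: a swapped Reload.exe plus an extra downloader.
TAMPERED_FILES = dict(GOOD_FILES)
TAMPERED_FILES["Reload.exe"] = GOOD_FILES["Reload.exe"] + b" + modified"
TAMPERED_FILES["CONSCTLX.exe"] = b"constructed stand-in for the dropped payload"


if __name__ == "__main__":
    print("clean bundle:", verify_bundle(SAMPLE_MANIFEST, GOOD_FILES))
    print("tampered bundle:", verify_bundle(SAMPLE_MANIFEST, TAMPERED_FILES))
```

`hmac.compare_digest` is used for the hex comparison so the check does not leak how many leading characters of the digest matched; the more important design choice is that the manifest is built on the vendor side and pinned or delivered out of band, because an attacker who controls the mirror can replace a manifest hosted on it just as easily as the binaries.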
While eScan states only a "small subset" of customers were affected, the breach underscores how compromised update infrastructures can bypass traditional security controls. As supply chain attacks evolve, continuous verification of update integrity becomes essential for endpoint security.
