On January 20, 2026, MicroWorld Technologies' eScan antivirus platform was the target of a sophisticated supply chain attack in which threat actors gained access to legitimate update infrastructure in order to spread multi-stage malware to consumer and enterprise endpoints across the globe. After being notified by security researchers, the vendor isolated the impacted infrastructure within an hour and took its global update system offline for more than eight hours. Because of the critical nature of the attack, in which the malicious payloads deliberately disable eScan's functionality and block automatic updates, thousands of users must contact eScan directly for manual intervention.
Payload Chain and Attack Techniques

According to security analysis from Morphisec, the compromise deployed a three-stage attack architecture designed for persistence and defense evasion.
In the first stage, the trojanized eScan component replaces Reload.exe with malicious code, which drops CONSCTLX.exe, a 64-bit persistent downloader that can execute arbitrary PowerShell commands and maintain command-and-control communications. The second stage manipulates the hosts file and eScan registry settings to prevent legitimate updates and block security communications, and establishes persistence through scheduled tasks hidden within Windows\Defrag\ directories using naming patterns such as "CorelDefrag". What makes the attack so sophisticated is its anti-remediation capability.
By deliberately tampering with eScan's update mechanism and registry configuration, the threat actors ensured that standard automatic patching would fail, forcing organizations into reactive manual remediation workflows. This design decision greatly extends the attack window and raises the likelihood of successful lateral movement or secondary payload deployment before remediation.
Organizations should immediately search for the primary trojanized Reload.exe file using the SHA-256 hash 36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860, along with the two related samples found on VirusTotal. Detection teams should prioritize registry searches for suspicious GUID-named keys under HKLM\Software\ that contain encoded byte-array data. They should also check the hosts file for entries that block eScan update infrastructure and examine Windows\Defrag\ scheduled tasks for unexpected entries.
Network security teams must block the identified C2 domains, including vhs.delrosal.net, tumama.hns.to, blackice.sol-domain.org, and codegiant.io, as well as the IP address 185.241.208.115. eScan has released patches to restore functionality, but affected systems require manual intervention before standard updates can be reinstalled.
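The detection guidance above (hash matching, GUID-named registry keys with binary data, hosts-file sinkholing of the vendor's update hosts, unexpected Defrag scheduled tasks, and C2 domain/IP blocking) can be run offline over artifacts collected from an endpoint. The script below is an added example written for this article, not code from eScan or Morphisec. It uses only the indicators published in the article; the vendor update hostname suffix (escan-update.example), the GUID value, and all sample artifacts (hosts file, .reg export, task listing, DNS/proxy log lines) are constructed placeholders for the demonstration.

```python
"""Offline IoC triage for the eScan update compromise (added example)."""
import hashlib
import re

# SHA-256 hashes published in the article (Stage 1 samples, Stage 3 downloader).
KNOWN_BAD_SHA256 = {
    "36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860",  # trojanized Reload.exe
    "674943387cc7e0fd18d0d6278e6e4f7a0f3059ee6ef94e0976fae6954ffd40dd",  # related sample 1
    "386a16926aff225abc31f73e8e040ac0c53fb093e7daf3fbd6903c157d88958c",  # related sample 2
    "bec369597633eac7cc27a698288e4ae8d12bdd9b01946e73a28e1423b17252b1",  # CONSCTLX.exe
}
# C2 indicators from the article (all listed there as unconfirmed).
C2_DOMAINS = {"vhs.delrosal.net", "blackice.sol-domain.org", "tumama.hns.to",
              "codegiant.io", "504e1a42.host.njalla.net"}
C2_IPS = {"185.241.208.115"}
# Placeholder: the article does not name the vendor's update hosts (assumption).
VENDOR_UPDATE_SUFFIXES = ("escan-update.example",)

SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}
GUID_RE = r"\{?[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}?"
# .reg key header for a GUID-named key directly under HKLM\SOFTWARE.
GUID_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(" + GUID_RE + r")\]$", re.I)
DOMAIN_TOKEN_RE = re.compile(r"[a-z0-9.-]+")


def file_is_known_bad(data: bytes) -> bool:
    """True when the file's SHA-256 matches a published sample hash."""
    return hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256


def hosts_blocking_vendor(hosts_text: str) -> list:
    """Hosts-file lines that pin a vendor update host to a non-routable address."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        ip, *names = line.split()
        if ip in SINKHOLE_IPS and any(n.lower().endswith(VENDOR_UPDATE_SUFFIXES) for n in names):
            hits.append(raw.strip())
    return hits


def suspicious_guid_keys(reg_export: str) -> list:
    """GUID-named keys under HKLM\\SOFTWARE whose values carry hex (byte-array) data."""
    findings, current = [], None
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):                      # new key header
            m = GUID_KEY_RE.match(line)
            current = m.group(1) if m else None
        elif current and re.search(r"=hex(?:\(\d+\))?:", line, re.I):
            if current not in findings:
                findings.append(current)
    return findings


def unexpected_defrag_tasks(tasks: list) -> list:
    """Flag (task path, action) pairs that run a binary out of Windows\\Defrag\\
    or carry a Defrag-like name other than the built-in ScheduledDefrag task."""
    flagged = []
    for path, action in tasks:
        name = path.rsplit("\\", 1)[-1]
        runs_from_defrag_dir = "\\windows\\defrag\\" in action.lower()
        odd_name = ("defrag" in name.lower()
                    and path.lower() != "\\microsoft\\windows\\defrag\\scheduleddefrag")
        if runs_from_defrag_dir or odd_name:
            flagged.append(path)
    return flagged


def c2_hits(log_lines: list) -> list:
    """Log lines referencing a listed C2 IP, domain, or a subdomain of one."""
    hits = []
    for line in log_lines:
        tokens = DOMAIN_TOKEN_RE.findall(line.lower())
        if any(t in C2_IPS for t in tokens) or any(
                t == d or t.endswith("." + d) for t in tokens for d in C2_DOMAINS):
            hits.append(line)
    return hits


def triage(hosts_text, reg_export, tasks, log_lines) -> dict:
    """Run every check and return the findings keyed by artifact type."""
    return {"hosts": hosts_blocking_vendor(hosts_text),
            "registry": suspicious_guid_keys(reg_export),
            "tasks": unexpected_defrag_tasks(tasks),
            "network": c2_hits(log_lines)}


# Constructed sample artifacts (not real captures).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 update1.escan-update.example   # update host pinned to a sinkhole
0.0.0.0 update2.escan-update.example
"""
SAMPLE_REG = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\{D4F1A2B3-1111-4222-8333-444455556666}]
"Data"=hex:4d,5a,90,00,03,00,00,00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Vendor\\Product]
"Version"="1.0"
"""
SAMPLE_TASKS = [
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "%windir%\\system32\\defrag.exe -c -h -o"),
    ("\\CorelDefrag", "C:\\Windows\\Defrag\\CONSCTLX.exe"),
]
SAMPLE_DNS = [
    "2026-01-20T10:01:02Z client=10.0.0.5 query=vhs.delrosal.net type=A",
    "2026-01-20T10:01:03Z client=10.0.0.5 query=www.example.org type=A",
    "2026-01-20T10:02:00Z client=10.0.0.7 dst=185.241.208.115:443 proto=tcp",
]

if __name__ == "__main__":
    for kind, found in triage(SAMPLE_HOSTS, SAMPLE_REG, SAMPLE_TASKS, SAMPLE_DNS).items():
        print(f"{kind}: {found}")
```

Replace the sample constants with the real hosts file, a `reg export HKLM\SOFTWARE` dump, an exported task list, and DNS or proxy logs from the endpoint; the GUID-key check is deliberately broad (any GUID-named key under HKLM\SOFTWARE with binary data) because the article gives no specific key name, so review its output by hand.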
Stage 1: Trojanized eScan Component
Affected file: Reload.exe (32-bit), the main malicious payload
Primary SHA-256: 36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860
Related sample 1 (VirusTotal submission, delivered payload): 674943387cc7e0fd18d0d6278e6e4f7a0f3059ee6ef94e0976fae6954ffd40dd
Related sample 2 (VirusTotal submission): 386a16926aff225abc31f73e8e040ac0c53fb093e7daf3fbd6903c157d88958c
Code signing certificate: issued to MicroWorld Technologies Inc. (eScan); a legitimate certificate that was abused. Thumbprint 76B0D9D51537DA06707AFA97B4AE981ED6D03483 (for validation)

Stage 2: Command and Control Infrastructure (all entries unconfirmed)
Domain (defanged): hxxps://vhs.delrosal.net/i
Domain (defanged): hxxps://blackice.sol-domain.org
Domain (defanged): hxxps://tumama.hns.to
Domain path (defanged): hxxps://codegiant.io/dd/dd/dd.git/download/main/middleware.ts
Subdomain: 504e1a42.host.njalla.net
IP address: 185.241.208.115

Stage 3: Persistent Downloader
Filename: CONSCTLX.exe (64-bit)
SHA-256: bec369597633eac7cc27a698288e4ae8d12bdd9b01946e73a28e1423b17252b1

Persistence Mechanisms
Scheduled tasks: C:\Windows\Defrag\ (naming pattern: Windows\Defrag)
Additional entry (type and location not preserved on the page): disables legitimate updates
Directory marker: ProgramData; occasionally created as a marking indicator