Threat actors took control of the vendor's legitimate update infrastructure to distribute malware, resulting in a significant supply chain breach affecting MicroWorld Technologies' eScan antivirus product. The attack, discovered by Morphisec on January 20, 2026, used a trojanized update package to deliver multi-stage malware to consumer and business endpoints worldwide. The malware also tampers with system configuration to block automatic remediation, rendering the antivirus software ineffective.
Trojanized Attack Chain and Update Mechanism

The compromise began with a malicious update distributed directly through eScan's official channels. "Stage 1" of the attack chain starts when a trojanized component replaces the authentic Reload.exe (32-bit) binary.
According to Morphisec, the malicious executable is digitally signed with a legitimate certificate issued to "eScan (Microworld Technologies Inc.)," which lets it pass common trust checks. Once executed, this payload releases CONSCTLX.exe, a "Stage 3" downloader. Following the initial breach, a "Stage 2" downloader establishes persistence and employs defense evasion techniques.
This stage is especially aggressive; it disables security features by manipulating the Windows Registry and using PowerShell execution. The malware connects to Command and Control (C2) infrastructure to retrieve additional payloads, effectively turning the security tool into a gateway for further compromise.
This campaign's emphasis on "anti-remediation" is one of its distinguishing features. In order to prevent communication with eScan's update servers, the malware actively alters the hosts file on the compromised system. In order to permanently disrupt the antivirus's update mechanism, it also modifies particular eScan registry keys and configuration files.
As a result, even after the vendor restores its infrastructure, compromised systems remain vulnerable because they cannot receive automatic patches or definition updates. Persistence is achieved by creating malicious Scheduled Tasks under C:\Windows\Defrag. The malware names these tasks to resemble genuine system processes, for example Windows\Defrag\CorelDefrag. Additionally, registry persistence is established under HKLM\Software using randomly generated GUID keys that contain encoded PowerShell payloads.
Compromise Indicators (IOCs)

Organizations running eScan antivirus are advised to check their environments immediately for the following indicators. The presence of these files indicates a compromise that calls for manual intervention, since automatic remediation is not feasible.

Component | Filename | SHA-256
Stage 1 Trojanized Update Payload | Reload[.]exe (32-bit) | 36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860
Stage 3 Downloader | CONSCTLX[.]exe (64-bit) |
Related Sample | N/A | 674943387cc7e0fd18d0d6278e6e4f7a0f3059ee6ef94e0976fae6954ffd40dd
Related Sample | N/A | 386a16926aff225abc31f73e8e040ac0c53fb093e7daf3fbd6903c157d88958c

Network Indicators and C2 Infrastructure

Domain/IP | Context
hxxps[://]vhs[.]delrosal[.]net/i | C2 Infrastructure
hxxps[://]tumama[.]hns[.]to | C2 Infrastructure
hxxps[://]blackice[.]sol-domain[.]org | C2 Infrastructure
504e1a42.host.njalla.net | Malicious Host
185.241.208[.]115 | Malicious IP

Remediation and Mitigation Measures

Automatic updates will not work on compromised machines because the malware disrupts the antivirus software's update mechanism. eScan reportedly took its global update system offline for more than eight hours to isolate the infrastructure, but this did not clean endpoints that were already infected. Administrators should assume compromise for any eScan system that was operational on or after January 20, 2026.
Immediate actions include checking the hosts file for entries that block eScan domains and searching the registry for suspicious GUID-named keys holding byte array data. Affected organizations must contact MicroWorld Technologies (eScan) directly for a dedicated manual patch intended to reverse the configuration changes and restore the updater's functionality.
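The following PowerShell triage script is an added example, not code from the article, Morphisec or eScan; it checks one host for the three artifacts described above (hosts-file entries sink-holing eScan domains, GUID-named keys under HKLM\Software holding binary values, and scheduled tasks in the \Windows\Defrag\ folder). It assumes eScan update hostnames contain the substring "escan" (a placeholder pattern to adjust for your deployment), that the GUID keys sit directly under HKLM\Software, and that it runs elevated.

```powershell
# Added triage script (not from the article). Assumptions: eScan update hosts match
# the placeholder pattern 'escan'; GUID keys sit directly under HKLM\SOFTWARE; run as admin.
$findings = [System.Collections.Generic.List[object]]::new()

# 1. Hosts-file entries that redirect/sink-hole eScan update domains (anti-remediation)
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match 'escan' } |
    ForEach-Object { $findings.Add([pscustomobject]@{ Type = 'HostsEntry'; Detail = $_.Trim() }) }

# 2. GUID-named keys under HKLM\SOFTWARE that hold REG_BINARY (byte array) values,
#    the pattern the article describes for encoded PowerShell persistence
$guidRegex = '^\{?[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\}?$'
Get-ChildItem 'HKLM:\SOFTWARE' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match $guidRegex } |
    ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValueKind($name) -eq 'Binary') {
                $size = $key.GetValue($name).Length
                $findings.Add([pscustomobject]@{
                    Type   = 'RegistryGuidBinary'
                    Detail = "$($key.Name)\$name ($size bytes)"
                })
            }
        }
    }

# 3. Scheduled tasks registered in the \Windows\Defrag\ folder (e.g. CorelDefrag).
#    The legitimate ScheduledDefrag task lives under \Microsoft\Windows\Defrag\ instead.
Get-ScheduledTask -TaskPath '\Windows\Defrag\' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings.Add([pscustomobject]@{ Type = 'ScheduledTask'; Detail = "$($_.TaskName): $actions" })
    }

if ($findings.Count -eq 0) {
    Write-Output 'No eScan anti-remediation or persistence artifacts found on this host.'
} else {
    Write-Warning 'Artifacts found: treat this host as compromised and contact MicroWorld (eScan) for the manual patch.'
    $findings | Format-Table -AutoSize
}
```

Each hit should be reviewed rather than treated as a verdict; a binary value under a GUID key can be decoded and inspected before the host is reimaged or the vendor patch is applied.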