eScan Antivirus Update Server Hacked to Push Malicious Update packages

A significant breach in the supply chain has impacted MicroWorld Technologies’ eScan antivirus product, as malicious actors have successfully commandeered the vendor’s legitimate update infrastructure to disseminate malware. This alarming discovery, made on January 20, 2026, by Morphisec, revealed that the attack employed a trojanized update package, enabling the deployment of multi-stage malware across both enterprise and consumer endpoints worldwide.

The ramifications of this incident are severe, rendering the antivirus software ineffective and specifically manipulating system configurations to obstruct automatic remediation efforts.

Trojanized Update Mechanism and Attack Chain

The compromise began with a malicious update delivered directly through eScan’s official channels. The attack chain starts with “Stage 1,” in which a trojanized component replaces the legitimate 32-bit Reload.exe binary. Morphisec noted that this malicious executable is digitally signed with a valid certificate belonging to “eScan (Microworld Technologies Inc.),” allowing it to pass standard trust checks.

Upon execution, this payload drops a “Stage 3” downloader identified as CONSCTLX.exe. A “Stage 2” downloader then establishes persistence and carries out defense-evasion maneuvers. This stage is particularly aggressive, using PowerShell execution and Windows Registry tampering to disable security features.

The malware connects to Command and Control (C2) infrastructure to retrieve additional payloads, effectively transforming the security tool into a gateway for further compromise. A notable aspect of this campaign is its emphasis on “anti-remediation.” The malware actively alters the infected system’s hosts file to obstruct communication with eScan’s update servers. Additionally, it modifies specific eScan registry keys and configuration files, permanently disrupting the antivirus’s update mechanism.

As a result, infected systems cannot receive automatic patches or definition updates, leaving them vulnerable even after the vendor restores its infrastructure. Persistence is achieved through deceptive Scheduled Tasks located in C:\Windows\Defrag, using a naming pattern that mimics legitimate system components, such as \WindowsDefrag\CorelDefrag. Registry persistence is also established under HKLM\Software using randomly generated GUID keys that contain encoded PowerShell payloads.

Indicators of Compromise (IOCs)

Organizations utilizing eScan antivirus are strongly advised to conduct immediate scans of their environments for the following indicators. It is important to note that automatic remediation is not feasible; the presence of these files signifies a compromise that necessitates manual intervention.

| Component Description | Filename | SHA-256 Hash |
| --- | --- | --- |
| Stage 1 Payload (Trojanized Update) | Reload[.]exe (32-bit) | 36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860 |
| Stage 3 Downloader | CONSCTLX[.]exe (64-bit) | bec369597633eac7cc27a698288e4ae8d12bdd9b01946e73a28e1423b17252b1 |
| Related Sample | N/A | 674943387cc7e0fd18d0d6278e6e4f7a0f3059ee6ef94e0976fae6954ffd40dd |
| Related Sample | N/A | 386a16926aff225abc31f73e8e040ac0c53fb093e7daf3fbd6903c157d88958c |

Network Indicators and C2 Infrastructure

Network administrators are urged to block egress traffic to the following domains, which have been identified as components of the attacker’s command and control infrastructure.

| Domain / IP | Context |
| --- | --- |
| hxxps[://]vhs[.]delrosal[.]net/i | C2 Infrastructure |
| hxxps[://]tumama[.]hns[.]to | C2 Infrastructure |
| hxxps[://]blackice[.]sol-domain[.]org | C2 Infrastructure |
| 504e1a42.host.njalla.net | Malicious Host |
| 185.241.208[.]115 | Malicious IP |

Because the malware disrupts the antivirus software’s update mechanism, automatic updates will fail on compromised machines. eScan has reportedly taken the global update system offline for over eight hours to isolate the infrastructure; however, this action does not clean already-infected endpoints.

Administrators must assume compromise for systems running eScan that were active on or after January 20, 2026. Immediate actions include verifying the hosts file for entries blocking eScan domains and inspecting the registry for suspicious GUID keys containing byte array data. Affected organizations are advised to contact MicroWorld Technologies (eScan) directly to obtain a specialized manual patch designed to revert the configuration changes and restore the updater’s functionality.
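A defender-side triage script for the manual checks described above, added here as an example; it is not part of the article and is not eScan’s or Morphisec’s tooling. It assumes it runs elevated on the host under review, that blocking hosts-file entries name a domain containing “escan”, and that the GUID-named keys sit directly under HKLM\SOFTWARE.

```powershell
# Added triage helper: not from the article, Morphisec, or eScan. Run elevated on
# the Windows host under review. Assumptions: blocking hosts entries name a domain
# containing "escan", and the GUID keys sit directly under HKLM\SOFTWARE.
function Find-EscanTamperIndicators {
    $findings = @()

    # 1. hosts entries that would redirect or sink eScan update domains
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in Get-Content $hostsPath) {
        if ($line -notmatch '^\s*#' -and $line -match 'escan') {
            $findings += "hosts: $($line.Trim())"
        }
    }

    # 2. GUID-named keys under HKLM\SOFTWARE carrying REG_BINARY (byte array) values,
    #    the shape the article gives for the encoded PowerShell persistence payload
    $guidRe = '^\{?[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$'
    foreach ($key in Get-ChildItem -Path 'HKLM:\SOFTWARE' -ErrorAction SilentlyContinue) {
        if ($key.PSChildName -notmatch $guidRe) { continue }
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValueKind($name) -eq [Microsoft.Win32.RegistryValueKind]::Binary) {
                $size = ($key.GetValue($name)).Length
                $findings += "registry: $($key.Name)\$name ($size bytes, REG_BINARY)"
            }
        }
    }

    # 3. Scheduled tasks whose action runs anything under C:\Windows\Defrag
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match '\\Windows\\Defrag\\') {
                $findings += "task: $($task.TaskPath)$($task.TaskName) -> $cmd"
            }
        }
    }
    return $findings
}

$hits = Find-EscanTamperIndicators
if ($hits.Count -eq 0) { 'No eScan tamper indicators found' } else { $hits }
```

Any hit is a reason to isolate the host and engage the vendor for the manual patch rather than to clean it by hand.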
