The recent breach of eScan antivirus, a security solution from MicroWorld Technologies, has raised significant concerns in the cybersecurity landscape. Unknown attackers exploited the company’s update infrastructure to deliver a persistent downloader to both enterprise and consumer systems, as highlighted by Morphisec researcher Michael Gorelik.
Details of the Breach
MicroWorld Technologies confirmed that unauthorized access to its infrastructure was detected, prompting immediate action to isolate the affected update servers. These servers remained offline for over eight hours while the company worked to address the situation. In response, a patch has been released to revert the changes made by the malicious update. Organizations that may have been impacted are advised to reach out to MicroWorld Technologies for assistance in obtaining the fix.
The attack stemmed from unauthorized access to a regional update server configuration, which allowed the attackers to distribute a compromised update to customers within a limited timeframe of approximately two hours on January 20, 2026. The company issued an advisory on January 22, 2026, detailing the temporary disruption of its update service that affected a subset of customers whose systems automatically downloaded updates during that specific window.
Malicious Payload and Its Implications
Morphisec’s investigation revealed that the malicious payload interfered with the normal functionality of eScan, effectively hindering automatic remediation efforts. The attackers introduced a malicious “Reload.exe” file designed to drop a downloader, which not only established persistence but also blocked remote updates and contacted an external server for additional payloads, including “CONSCTLX.exe.”
Kaspersky’s analysis provided further insights, noting that the legitimate “Reload.exe” file located at “C:\Program Files (x86)\escan\reload.exe” was replaced with a rogue version that could prevent further antivirus updates by modifying the HOSTS file. This malicious executable was signed with a fake digital signature and employed sophisticated techniques to evade detection.
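Because the rogue “Reload.exe” blocks updates through the HOSTS file, one triage check a defender can run on an eScan-protected machine is to parse that file for any entry that pins the vendor’s hostnames. The following is an added example, not code from Morphisec, Kaspersky or MicroWorld; the vendor markers, the .example hostnames and the sample HOSTS content are constructed for illustration.

```python
"""Audit a Windows HOSTS file for entries that pin an AV vendor's hostnames.

A rogue update component that wants to block further antivirus updates can
add HOSTS entries that send the vendor's update hostnames to a loopback or
dead address. This helper parses HOSTS-file syntax (comments, tabs, several
hostnames per line, IPv4 and IPv6) and reports every mapping whose hostname
matches one of the vendor markers.
"""
import re

# Substrings of hostnames that a local HOSTS file should never override on an
# eScan-protected machine. Assumed markers, not taken from the advisory.
VENDOR_MARKERS = ("escan", "microworld")

_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in HOSTS text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                             # malformed line, not a mapping
        address, hostnames = parts[0], parts[1:]
        for host in hostnames:
            yield line_no, address, host.lower()


def audit_hosts(text, markers=VENDOR_MARKERS):
    """Return mappings that pin a vendor hostname, whatever the target address.

    Any such entry is suspicious: a legitimate HOSTS file has no reason to
    override DNS for the security vendor's update servers.
    """
    findings = []
    for line_no, address, host in parse_hosts(text):
        if any(m in host for m in markers):
            kind = "ipv4" if _IPV4.match(address) else "ipv6/other"
            findings.append({"line": line_no, "address": address,
                             "host": host, "address_kind": kind})
    return findings


# Constructed sample resembling a tampered HOSTS file (not real telemetry).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0   update.escanav.example   download.escanav.example  # added by rogue updater
::1\tupdate.microworld.example
10.0.0.5  intranet.corp.example
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['address']} ({f['address_kind']})")
```

On a live system, read the text from %SystemRoot%\System32\drivers\etc\hosts and treat any finding as a reason to verify the signatures of reload.exe and CONSCTLX.exe before trusting the product’s reported update status.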
Payload Functionality and Targeting
Upon execution, the rogue “Reload.exe” checks its launch context and exits if not initiated from the Program Files folder. This executable, based on the UnmanagedPowerShell tool, has been modified to include an AMSI bypass capability, allowing it to execute a malicious PowerShell script within its process. The primary functions of this binary include:
- Disabling the installed eScan solution from receiving updates and detecting malicious components.
- Bypassing Windows Antimalware Scan Interface (AMSI).
- Assessing whether the victim machine should be further compromised, and if so, delivering a PowerShell-based payload.
The validation step for potential victims involves checking installed software, running processes, and services against a hard-coded blocklist that includes various analysis tools and security solutions, notably those from Kaspersky. If any of these are detected, no further payloads are delivered.
Once executed, the PowerShell payload contacts an external server to retrieve two additional payloads: “CONSCTLX.exe” and another PowerShell-based malware launched via a scheduled task. Notably, the first PowerShell script also replaces the legitimate “CONSCTLX.exe” component with the malicious version.
Wider Impact and Analysis
The malicious “CONSCTLX.exe” operates by launching the PowerShell-based malware while simultaneously altering the last update time of the eScan product to create the illusion of normal functionality. This deceptive tactic involves writing the current date to the “C:\Program Files (x86)\eScan\Eupdate.ini” file.
The bulletin from eScan does not specify which regional update server was compromised, but Kaspersky’s telemetry data indicates that hundreds of machines belonging to individuals and organizations, primarily in India, Bangladesh, Sri Lanka, and the Philippines, were targeted during the supply chain attack.
Experts have noted that the attackers demonstrated a deep understanding of eScan’s update mechanism, allowing them to manipulate it for malicious purposes. Supply chain attacks of this nature are relatively rare, particularly those executed through antivirus products, underscoring the unique and concerning nature of this incident.