Recent reports have surfaced regarding issues with the popular antivirus program eScan, prompting a thorough internal investigation by MicroWorld Technologies. Users had expressed concerns about the integrity of the software, and the investigation found that a threat actor had infiltrated the company's systems.
Details of the Incident
According to findings shared by BleepingComputer, the compromised update servers were used to distribute malware to customers who downloaded updates during a specific two-hour window on January 20, 2026. While the exact number of affected users remains unclear, MicroWorld Technologies has taken swift action by isolating the compromised infrastructure and rotating credentials. The company has also reached out to those impacted to assist with remediation efforts.
Importantly, the eScan product itself was not altered, and the victims appear to be limited to a particular regional cluster, minimizing the potential fallout.
Nature of the Malware
Security researchers from Morphisec have analyzed the malicious payload, which has been identified as CONSCTLX. This multi-stage malware is designed for both enterprise and consumer endpoints, functioning as a backdoor and persistent downloader. It enables threat actors to maintain access to the device, execute commands, modify the Windows HOSTS file, and connect to command-and-control (C2) infrastructure for additional payloads.
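One defensive check that follows from the HOSTS-file behaviour described above is a periodic integrity scan of the endpoint's HOSTS file, flagging any entry that pins a hostname the organization depends on (for example its security vendor's update domain) or that maps a name to something other than a loopback or null address. The script below is an added example written for this article, not code from Morphisec or MicroWorld; the sample HOSTS content and the watched hostnames are constructed for illustration and do not reflect the real eScan update domains or any indicator from the incident.

```python
import ipaddress

# Constructed sample of a tampered Windows HOSTS file (illustrative only,
# not recovered from the incident). The last two lines are the kind of
# change a backdoor makes: one sinkholes a vendor update domain so the
# product cannot fetch fixes, the other redirects a site to a foreign IP.
SAMPLE_HOSTS = """
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
127.0.0.1      localhost
0.0.0.0        update.example-vendor.invalid   # blocks updates
198.51.100.7   www.example-bank.invalid        # redirects a login page
"""

# Hostnames a defender wants to know about if they ever appear in HOSTS
# (hypothetical list; populate with your own vendor/update domains).
WATCHED_HOSTS = {"update.example-vendor.invalid", "www.example-bank.invalid"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from HOSTS text, skipping comments/blanks.

    A single line may list several hostnames for one address; each is
    returned as its own pair so every mapping is examined individually.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def is_local_or_null(ip):
    """True for loopback (127.x, ::1) or the unspecified address (0.0.0.0, ::)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address: treat as not benign
    return addr.is_loopback or addr.is_unspecified


def find_suspicious(text, watched=WATCHED_HOSTS):
    """Return a list of (ip, hostname, reason) for entries worth alerting on.

    Any watched hostname pinned in HOSTS is reported, even when it points
    at 0.0.0.0 or 127.0.0.1, because that silently blocks the real service.
    Unwatched names are reported only if mapped off-box.
    """
    findings = []
    for ip, name in parse_hosts(text):
        local = is_local_or_null(ip)
        if name in watched:
            reason = ("watched host sinkholed to null/loopback" if local
                      else "watched host redirected to %s" % ip)
            findings.append((ip, name, reason))
        elif not local:
            findings.append((ip, name, "non-loopback mapping"))
    return findings


if __name__ == "__main__":
    # On a real endpoint read C:\Windows\System32\drivers\etc\hosts instead.
    for ip, name, reason in find_suspicious(SAMPLE_HOSTS):
        print("%-15s %-32s %s" % (ip, name, reason))
```

Run on a live machine, the check should be scheduled (or tied to a file-change event on the HOSTS path) and its output forwarded to the SIEM; a plain `localhost` mapping produces no finding, so a healthy endpoint stays quiet.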
While the identity of the attackers remains unknown, it is worth noting that in 2024, North Korean cybercriminals were reported to have exploited the update mechanism in eScan to infiltrate corporate networks with various backdoors.
MicroWorld Technologies has not disclosed the total number of eScan users but has emphasized that it has provided support to “millions” of customers to date.