eScan Antivirus Update Servers Compromised to Distribute Multi Stage Malware

The update infrastructure of eScan antivirus, a security product developed by Indian cybersecurity firm MicroWorld Technologies, has been compromised in a supply chain attack that allowed unknown threat actors to distribute multi-stage malware to both enterprise and consumer systems.

According to Morphisec researcher Michael Gorelik, the attackers abused eScan’s legitimate update mechanism to push malicious updates, resulting in the deployment of a persistent downloader across affected endpoints worldwide. The malicious updates interfered with the normal functioning of the antivirus software, effectively preventing automatic remediation.

MicroWorld Technologies confirmed that it detected unauthorized access to its infrastructure and immediately isolated the affected update servers, which remained offline for more than eight hours. The company has since released a corrective patch that reverts the malicious changes. Impacted organizations have been advised to directly contact MicroWorld Technologies to obtain and apply the fix.

Limited-Time Supply Chain Compromise

MicroWorld stated that the incident was caused by unauthorized access to the configuration of one of its regional update servers. This access enabled attackers to distribute a corrupted update during a limited window of approximately two hours on January 20, 2026.

In an advisory issued on January 22, 2026, the company said that a subset of customers was affected, specifically those whose systems automatically downloaded updates from a particular update cluster during the compromised timeframe. MicroWorld added that the issue has been fully identified and resolved, and comprehensive remediation is available for all observed scenarios.

Morphisec, which first detected the attack on January 20, 2026, reported that the malicious update delivered a rogue binary named “Reload.exe.” This file was designed to act as a downloader capable of establishing persistence, blocking further antivirus updates, and contacting an external server to fetch additional payloads, including a file named “CONSCTLX.exe.”

Abuse of Legitimate Components

Kaspersky’s analysis revealed that the attackers replaced a legitimate eScan component located at “C:\Program Files (x86)\eScan\reload.exe” with a malicious version. The rogue file was signed using an invalid and fake digital signature and modified the system’s HOSTS file to prevent future antivirus updates.

The malicious Reload.exe checks whether it is executed from the Program Files directory and terminates if launched from elsewhere. Kaspersky noted that the binary is based on the UnmanagedPowerShell tool, which allows PowerShell code execution within any process. The attackers modified the source code to include an AMSI bypass, enabling the execution of a malicious PowerShell script within the Reload.exe process.

The primary function of this binary is to decode and execute three Base64-encoded PowerShell payloads that are responsible for:

  • Tampering with the installed eScan solution to block updates and evade detection
  • Bypassing the Windows Antimalware Scan Interface (AMSI)
  • Validating the victim system and deciding whether to deliver additional malware

The validation process checks installed software, running processes, and services against a hard-coded blocklist containing analysis tools and security products, including solutions from Kaspersky. If such tools are detected, no further payloads are deployed.

Persistence and Ongoing Payload Delivery

If a system passes the validation checks, the PowerShell payload contacts an attacker-controlled server to retrieve two additional components. These include “CONSCTLX.exe” and another PowerShell-based malware that is executed using a scheduled task.

The first PowerShell script also replaces the legitimate “C:\Program Files (x86)\eScan\CONSCTLX.exe” file with a malicious version. This component launches the PowerShell malware and manipulates the “Eupdate.ini” file to update the last scan timestamp, creating the illusion that the antivirus software is operating normally.

The PowerShell malware continues the infection chain by repeating system validation and sending HTTP requests to attacker infrastructure to download further PowerShell payloads for execution.
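A host-side triage check covering the indicators described above (the two replaced binaries with invalid signatures, the HOSTS modification that blocks updates, and the scheduled task that runs the PowerShell stage), added here as an example and not code from the article or from MicroWorld, Kaspersky or Morphisec; the install path is the one the article quotes, while matching HOSTS lines on the strings "escan" and "microworld" is an assumption.

```powershell
# Added triage example; not from the article or any of the vendors it cites.
# Assumptions: eScan is installed at the default path quoted in the article, and any
# non-comment HOSTS line mentioning "escan" or "microworld" is treated as suspicious.

$eScanDir = 'C:\Program Files (x86)\eScan'
$binaries = @('reload.exe', 'CONSCTLX.exe')
$findings = @()

# 1. Authenticode status of the two components the attackers replaced.
foreach ($name in $binaries) {
    $path = Join-Path $eScanDir $name
    if (-not (Test-Path $path)) { $findings += "MISSING: $path"; continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        $findings += "BAD SIGNATURE ($($sig.Status)): $path"
    } else {
        $findings += "OK ($($sig.SignerCertificate.Subject)): $path"
    }
}

# 2. HOSTS entries that would redirect eScan/MicroWorld update traffic.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
Get-Content $hostsPath |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match 'escan|microworld' } |
    ForEach-Object { $findings += "HOSTS OVERRIDE: $_" }

# 3. Scheduled tasks whose action launches PowerShell (the second stage uses one).
Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { $_.Execute -match 'powershell' }
} | ForEach-Object { $findings += "POWERSHELL TASK: $($_.TaskPath)$($_.TaskName)" }

$findings
```

Run from an elevated PowerShell session; a signature status other than Valid on either binary, or a HOSTS line naming the vendor, is grounds to isolate the host and apply MicroWorld's corrective patch rather than waiting for an automatic update that the malware has blocked.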

Scope and Impact

While MicroWorld has not disclosed which regional update server was affected, Kaspersky telemetry data indicates that hundreds of machines, belonging to both individuals and organizations, encountered infection attempts related to the attack. The majority of impacted systems were located in India, Bangladesh, Sri Lanka, and the Philippines.

Security researchers emphasized that the attackers demonstrated a deep understanding of eScan’s internal architecture and update mechanisms, suggesting significant prior reconnaissance. The exact method used to gain access to the update server remains unknown.

Kaspersky noted that malware delivery through an antivirus update mechanism is highly unusual. Supply chain attacks are already considered rare, and incidents involving the compromise of security software updates are even less common, underscoring the severity of this breach.
