The update infrastructure used by eScan antivirus, a security solution developed by Indian cybersecurity company MicroWorld Technologies, has been compromised by unknown attackers, resulting in the delivery of malicious software through trusted update channels. The incident has raised concerns within the cybersecurity community, as attackers leveraged the legitimacy of an antivirus update mechanism to distribute a persistent downloader to both enterprise and consumer systems, highlighting ongoing risks associated with software supply chains.
Security researchers confirmed that malicious updates were pushed through eScan’s legitimate update infrastructure, enabling the deployment of multi-stage malware across affected endpoints globally. According to Morphisec researcher Michael Gorelik, the malicious payload disrupted the normal operation of the security product, preventing automatic remediation and allowing attackers to maintain a foothold on infected systems. MicroWorld Technologies disclosed that it detected unauthorized access to a portion of its infrastructure and immediately isolated the affected update servers, which remained offline for more than eight hours as part of containment efforts. The company also released a patch designed to revert the unauthorized changes introduced during the attack and advised impacted organizations to contact MicroWorld Technologies directly to obtain the remediation fix. The company attributed the incident to unauthorized access to the configuration of a regional update server, which allowed attackers to distribute a corrupted update during a limited window of approximately two hours on January 20, 2026. In an advisory issued on January 22, MicroWorld Technologies confirmed a temporary disruption to update services that affected a subset of customers whose systems automatically downloaded updates from a specific update cluster during that timeframe.
Technical analysis conducted by multiple security vendors revealed that the attack involved the replacement of a legitimate Reload.exe file located within the eScan installation directory with a malicious version engineered to deploy a downloader. This rogue binary was designed to establish persistence, block remote updates, and communicate with an external server to retrieve additional payloads, including a file named CONSCTLX.exe. Kaspersky researchers reported that the altered Reload.exe carried a fake and invalid digital signature and modified the system HOSTS file to prevent further antivirus updates from being applied. The executable was based on a modified variant of the UnmanagedPowerShell tool and incorporated an Antimalware Scan Interface (AMSI) bypass capability, allowing malicious PowerShell scripts to execute within a trusted process. Once launched, the compromised binary deployed multiple Base64-encoded PowerShell payloads that tampered with eScan’s detection and update mechanisms, bypassed AMSI protections, and assessed whether the infected system met criteria for further compromise.
The validation process performed by the malware examined installed software, running processes, and active services against a hard-coded blocklist that included analysis tools and security products, including those from Kaspersky. Systems that passed this screening received additional payloads from attacker-controlled infrastructure. These payloads included a malicious replacement for CONSCTLX.exe and another PowerShell-based component that was executed using a scheduled task. The altered CONSCTLX.exe manipulated eScan configuration files to update timestamps, creating the appearance that the antivirus product was functioning correctly while malicious activity continued in the background. Telemetry data analyzed by Kaspersky identified hundreds of systems belonging to both individuals and organizations that encountered infection attempts linked to the compromised updates, with most affected machines located in India, Bangladesh, Sri Lanka, and the Philippines. Researchers noted that the attackers demonstrated detailed knowledge of eScan’s internal update mechanisms, suggesting deliberate reconnaissance prior to exploitation. Although the method used to gain access to the update server remains unknown, security experts described the incident as unusual due to malware being distributed through an antivirus update channel itself, underscoring how trusted security infrastructure can be misused when safeguards fail.
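The three observable traces described above (an invalid Authenticode signature on the replaced binaries, HOSTS entries that pin hostnames to a sinkhole address, and a scheduled task running encoded PowerShell) can be triaged from an endpoint with the following PowerShell script. It is an added example, not code from the article, MicroWorld or any of the vendors cited; the eScan install directory is a placeholder parameter, and the file names Reload.exe and CONSCTLX.exe are the ones named in the reports.

```powershell
# Added triage script (not from the article or MicroWorld). The install directory
# is a placeholder the operator must set; Reload.exe and CONSCTLX.exe are the
# binaries named in the vendor reports.
param(
    [string]$EscanDir = 'C:\PLACEHOLDER\eScan'   # placeholder: real eScan install path
)

$findings = @()

# 1. Authenticode check on the two binaries named in the reports. The rogue
#    Reload.exe carried an invalid signature, so any status other than 'Valid'
#    (NotSigned, HashMismatch, ...) deserves a closer look.
foreach ($name in 'Reload.exe', 'CONSCTLX.exe') {
    $path = Join-Path $EscanDir $name
    if (Test-Path $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $findings += "Signature status '$($sig.Status)' on $path (signer: $($sig.SignerCertificate.Subject))"
        }
    } else {
        $findings += "Expected binary missing: $path"
    }
}

# 2. HOSTS file sinkhole entries: a hostname other than localhost pinned to
#    0.0.0.0, 127.0.0.1 or ::1 is how an update channel gets silently blocked.
$hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hosts | ForEach-Object {
    $line = ($_ -split '#')[0].Trim()          # drop trailing comments
    if ($line -match '^(0\.0\.0\.0|127\.0\.0\.1|::1)\s+(\S+)' -and $Matches[2] -notmatch '^localhost$') {
        $findings += "HOSTS pins $($Matches[2]) to $($Matches[1])"
    }
}

# 3. Scheduled tasks whose action launches PowerShell with an encoded command,
#    matching the Base64-encoded PowerShell stage described in the analysis.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -match 'powershell|pwsh' -and $a.Arguments -match '-(e|ec|enc|encodedcommand)\b') {
            $findings += "Task '$($task.TaskName)' runs encoded PowerShell: $($a.Arguments)"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else          { Write-Host 'No indicators found' }
```

A hit on any of the three checks is a reason to pull the machine for full investigation, not proof of compromise on its own; legitimate software occasionally ships unsigned helpers or encoded task arguments.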