Severity
critical
Records
Unknown
Vector
Supply chain — update server compromise
Organization
MicroWorld Technologies (eScan)
Incident Date
2026-01-20

What Happened

On January 20, 2026, attackers breached a regional update server belonging to MicroWorld Technologies, the developer of eScan antivirus software, and injected malicious code into the update distribution pipeline. The trojanized update was delivered to customers during a two-hour window before detection.

How They Got In

The attackers compromised an eScan regional update distribution server and modified the legitimate update payload to include malicious components. The trojanized update was digitally signed, allowing it to bypass security controls that validate code integrity.

Malware Capabilities

The primary payload, Reload.exe, connected to attacker-controlled command-and-control infrastructure to fetch additional payloads. It modified the Windows hosts file to block eScan update domains, tampered with eScan registry entries to prevent remote updates, and established persistence via scheduled tasks.

A secondary payload, ConsCtl.exe, was dropped by Reload.exe and acted as a persistent downloader, capable of fetching additional malware on systems where eScan was the primary security solution.

Why This Was Dangerous

The combination of blocking antivirus updates and establishing persistent access created a particularly dangerous scenario. Compromised systems were left without security updates while maintaining an open backdoor for further exploitation.

Timeline

On January 20, 2026, the update server was compromised and the trojanized update was distributed during a two-hour window. eScan detected the incident via internal monitoring the same day and isolated affected infrastructure within one hour. The global update system was taken offline for more than eight hours. Morphisec published an advisory on January 27, and eScan disputed portions of its findings on January 29.

This Has Happened Before

In 2024, security firm Avast discovered that North Korean state-sponsored hackers linked to the Kimsuky group had previously exploited the same eScan update mechanism to deploy backdoors and cryptominers inside corporate networks. This repeat exploitation of the same update infrastructure raises serious questions about the adequacy of post-incident security hardening.

Remediation Steps

eScan has released a utility that removes the malware, rolls back hosts file and registry modifications, and restores normal antivirus functionality. Administrators should check scheduled tasks for unfamiliar persistence mechanisms, review the hosts file for blocked eScan domains, examine eScan update logs from January 20, contact eScan support for the remediation utility, and conduct a full system scan with an independent security tool.
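One way to automate the hosts-file part of the check above, written for this page as an added example (it is not eScan's remediation utility): it flags active hosts entries that pin a vendor-looking hostname to a black-hole address, which is how the malware blocked updates, and produces a rolled-back copy. The hosts path is the standard Windows location; the `escan` substring match and the `.invalid` sample hostnames are assumptions, since the advisory does not list the blocked domains.

```python
"""Triage a Windows hosts file for entries that black-hole antivirus update domains."""
from pathlib import Path

# Addresses that make a hostname unreachable when it is pinned to them in hosts.
BLACKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Assumption: the vendor's update hostnames contain this substring; adjust to your vendor.
VENDOR_MARKER = "escan"
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")


def parse_hosts(text):
    """Return (line_no, address, [hostnames]) for each active entry; comments/blanks skipped."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        entries.append((no, parts[0], [h.lower() for h in parts[1:]]))
    return entries


def find_blocked_vendor_hosts(text, marker=VENDOR_MARKER):
    """Return entries that pin a vendor-looking hostname to a black-hole address."""
    return [(no, addr, hosts) for no, addr, hosts in parse_hosts(text)
            if addr in BLACKHOLE_ADDRS and any(marker in h for h in hosts)]


def strip_blocked_vendor_hosts(text, marker=VENDOR_MARKER):
    """Return the file content with the flagged lines removed (the roll-back step)."""
    bad = {no for no, _, _ in find_blocked_vendor_hosts(text, marker)}
    kept = [l for no, l in enumerate(text.splitlines(), 1) if no not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample (not a real capture); .invalid hostnames stand in for vendor domains.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
0.0.0.0 update.escan-vendor.invalid  # injected: update host black-holed
127.0.0.1 dl.escan-vendor.invalid
10.0.0.5 escan-mirror.corp.invalid  # on-prem mirror, legitimate (not a black-hole address)
"""

if __name__ == "__main__":
    text = WINDOWS_HOSTS.read_text() if WINDOWS_HOSTS.exists() else SAMPLE_HOSTS
    for no, addr, hosts in find_blocked_vendor_hosts(text):
        print(f"line {no}: {addr} -> {' '.join(hosts)}")
```

Run it on the affected host before applying the vendor utility and keep the output with the January 20 update logs as part of the incident record.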