MicroWorld Technologies confirmed that attackers breached one of its eScan antivirus regional update servers on January 20, 2026, distributing trojanized updates to customers during approximately a two-hour window. The malicious payload was signed with what appeared to be a legitimate certificate, allowing it to bypass integrity checks.
Incident overview
| Attribute | Details |
|---|---|
| Vendor | MicroWorld Technologies (eScan) |
| Incident date | January 20, 2026 |
| Attack type | Supply chain compromise |
| Exposure window | ~2 hours |
| Detection method | Internal monitoring |
| Response time | ~1 hour to isolation |
| System downtime | 8+ hours for rebuild |
Attack architecture
The compromise deployed a three-stage attack designed for persistence and defense evasion:
Stage 1: Initial compromise
| Element | Details |
|---|---|
| Target file | C:\Program Files (x86)\escan\reload.exe |
| Action | Legitimate file replaced with trojanized version |
| Signature | Fake digital signature to bypass integrity checks |
Stage 2: Persistent downloader
| Element | Details |
|---|---|
| Dropped file | CONSCTLX.exe |
| Architecture | 64-bit executable |
| Capabilities | Arbitrary PowerShell execution, C2 communications |
| Persistence | Scheduled task and registry modifications |
Stage 3: Defense evasion
| Element | Details |
|---|---|
| Target | Windows hosts file |
| Action | Map eScan domains to non-routable address |
| Address used | 2.3.4.0 |
| Effect | Prevents future updates and remediation |
The hosts file modification is particularly insidious—it blocks the antivirus from receiving legitimate updates and any remediation the security team pushes through the update channel, forcing manual intervention on every affected host.
Indicators of compromise
C2 infrastructure
| Type | Indicator |
|---|---|
| Domain | vhs.delrosal[.]net |
| Domain | tumama.hns[.]to |
| Domain | blackice.sol-domain[.]org |
| Domain | codegiant[.]io |
| Domain | csc.biologii[.]net |
| Domain | airanks.hns[.]to |
| IP address | 185.241.208.115 |
File system indicators
| Path | Indicator |
|---|---|
| Log file | C:\ProgramData\euapp.log |
| Backup/staging | C:\ProgramData\esfsbk |
| Scheduled task | CorelDefrag |
Registry indicators
| Key | Value |
|---|---|
| HKLM\Software\E9F9EEC3-86CA-4EBE-9AA4-1B55EE8D114E | Malware presence indicator |
| HKLM\SOFTWARE\WOW6432Node\MicroWorld\eScan for Windows\ODS | WTBases_new = 999 |
Hosts file modification
| Check | Details |
|---|---|
| Location | C:\Windows\System32\drivers\etc\hosts |
| Pattern | eScan domains mapped to 2.3.4.0 |
Geographic distribution
Kaspersky telemetry identified hundreds of infected machines, primarily in South Asia:
| Region | Concentration |
|---|---|
| India | Primary |
| Bangladesh | Significant |
| Sri Lanka | Significant |
| Philippines | Significant |
MicroWorld disputes the scope, claiming the incident was “limited to a small number of systems in a specific region.”
Conflicting accounts
| Source | Claim |
|---|---|
| Morphisec | “Critical supply chain compromise” affecting customers globally |
| MicroWorld | “Limited to small number of systems in specific region” |
| Morphisec | Writeup is accurate |
| MicroWorld | Writeup is “factually inaccurate” on multiple points |
Response timeline
| Time | Action |
|---|---|
| January 20, 2026 | Attack occurs during ~2-hour window |
| +1 hour | MicroWorld detects via internal monitoring |
| +1 hour | Affected infrastructure isolated |
| +8 hours | Global update system offline for rebuild |
| January 29, 2026 | Public disclosure |
MicroWorld states it rebuilt the affected infrastructure from clean backups and has released a remediation utility.
This has happened before
This is the second time eScan’s update mechanism has been exploited.
2024 GuptiMiner campaign
| Attribute | Details |
|---|---|
| Discoverer | Avast |
| Attribution | North Korea-linked Kimsuky |
| Campaign name | GuptiMiner |
| Attack type | Man-in-the-middle on update process |
| Vulnerability age | At least 5 years before patch |
| Patch date | July 2023 |
| Targets | Large corporate networks |
GuptiMiner technical details
| Technique | Description |
|---|---|
| Update interception | No HTTPS on update downloads |
| Package replacement | Malware-laced update substituted on the wire |
| Persistence | PNG loader dropped during shutdown events |
| Evasion | Anti-VM and anti-debug tricks |
| Storage | Payloads in Windows Registry |
| Trust abuse | Root certificate added to Windows store |
The earliest identified GuptiMiner sample dates to April 2018, suggesting the vulnerability was exploited for years before discovery.
Architecture concerns
| Issue | 2024 Attack | 2026 Attack |
|---|---|---|
| Update mechanism | Exploited | Exploited |
| Vector | MitM on HTTP updates | Server compromise |
| Duration | Years | Hours |
| Geographic focus | Corporate networks | South Asia |
The recurring compromise of the same update channel raises questions about the security architecture of eScan’s distribution infrastructure.
| Step | Action |
|---|---|
| 1 | Search for scheduled task CorelDefrag |
| 2 | Check C:\ProgramData\ for euapp.log and esfsbk |
| 3 | Inspect hosts file for blocked eScan domains |
| 4 | Query registry for GUID-named keys |
| 5 | Review network logs for C2 connections |
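The five steps above, as an added triage script (not MicroWorld's remediation utility and not Morphisec's tooling). It checks the local host for the indicators published on this page and returns a list of hits; everything it looks for comes from the IOC tables above. Two assumptions are labelled in the code: the eScan hostnames redirected in the hosts file are not enumerated on the page, so any line naming an escan host is reported alongside any line pointing at 2.3.4.0, and the network step inspects only live state (DNS cache, open sockets), so historical proxy and DNS logs still have to be searched for the same list.

```powershell
# Added triage example for the indicators listed on this page. It is not MicroWorld's
# remediation utility and not Morphisec's tooling; it only reports whether the published
# IOCs are present on the local host so the "If indicators present" steps can follow.
# Run from an elevated PowerShell session on the host under examination.

function Test-EscanIncidentIndicators {
    $hits = @()

    # Step 1: the scheduled task used for persistence
    $task = Get-ScheduledTask -TaskName 'CorelDefrag' -ErrorAction SilentlyContinue
    if ($task) { $hits += "Scheduled task CorelDefrag present (state: $($task.State))" }

    # Step 2: log file and backup/staging directory under C:\ProgramData
    foreach ($p in @('C:\ProgramData\euapp.log', 'C:\ProgramData\esfsbk')) {
        if (Test-Path -LiteralPath $p) { $hits += "File system artifact present: $p" }
    }

    # Step 3: hosts file entries. The page gives the sinkhole address (2.3.4.0) but not the
    # exact eScan hostnames, so any line pointing at 2.3.4.0 is reported, and so is any line
    # naming an escan host (assumption: a clean hosts file carries no such entries at all).
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in @(Get-Content -LiteralPath $hostsPath -ErrorAction SilentlyContinue)) {
        $entry = ($line -split '#', 2)[0].Trim()        # strip trailing comment
        if (-not $entry) { continue }
        $fields = $entry -split '\s+'                    # address, then one or more hostnames
        $names  = @($fields | Select-Object -Skip 1)
        if ($fields[0] -eq '2.3.4.0' -or @($names -match 'escan').Count -gt 0) {
            $hits += "Suspicious hosts entry: $entry"
        }
    }

    # Step 4: registry indicators (GUID-named key and the WTBases_new value)
    $guidKey = 'HKLM:\SOFTWARE\E9F9EEC3-86CA-4EBE-9AA4-1B55EE8D114E'
    if (Test-Path -LiteralPath $guidKey) { $hits += "Registry key present: $guidKey" }
    $odsKey = 'HKLM:\SOFTWARE\WOW6432Node\MicroWorld\eScan for Windows\ODS'
    $ods = Get-ItemProperty -LiteralPath $odsKey -Name 'WTBases_new' -ErrorAction SilentlyContinue
    if ($ods -and "$($ods.WTBases_new)" -eq '999') {
        $hits += "Registry value WTBases_new = 999 under $odsKey"
    }

    # Step 5: live network state against the C2 list (defanged on the page, refanged here).
    # This sees only the current DNS cache and open sockets; search proxy, DNS and firewall
    # logs for the same names and address to cover the exposure window itself.
    $c2Domains = @('vhs.delrosal.net', 'tumama.hns.to', 'blackice.sol-domain.org',
                   'codegiant.io', 'csc.biologii.net', 'airanks.hns.to')
    $c2Address = '185.241.208.115'
    $dnsCache = @(Get-DnsClientCache -ErrorAction SilentlyContinue)
    foreach ($d in $c2Domains) {
        if ($dnsCache | Where-Object { $_.Entry -like "*$d" }) {
            $hits += "DNS cache entry for C2 domain: $d"
        }
    }
    if (Get-NetTCPConnection -RemoteAddress $c2Address -ErrorAction SilentlyContinue) {
        $hits += "Open TCP connection to C2 address $c2Address"
    }

    return ,$hits
}

$findings = Test-EscanIncidentIndicators
if ($findings.Count -eq 0) {
    Write-Output 'No indicator from the eScan incident list was found on this host.'
} else {
    $findings | ForEach-Object { Write-Output "[HIT] $_" }
}
```

A single hit is enough to move to the "If indicators present" steps: the downloader can run arbitrary PowerShell, so the absence of the other artifacts says nothing about what else was done on the host.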
If indicators present
| Action | Details |
|---|---|
| Assume compromise | System should be treated as fully compromised |
| Isolate system | Remove from network immediately |
| Contact MicroWorld | Obtain remediation utility |
| Forensic analysis | Determine scope of access |
| Password rotation | Any credentials accessible from system |
| Challenge | Impact |
|---|---|
| Hosts file modification | Standard patching won’t work |
| Update blocking | Can’t push fix remotely |
| Manual intervention | Each system requires individual attention |
| User awareness | Many users unaware they’re affected |
Recommendations
For eScan customers
| Priority | Action |
|---|---|
| Immediate | Check for IOCs listed above |
| Immediate | Contact MicroWorld support if indicators found |
| High | Verify hosts file hasn’t been modified |
| High | Ensure scheduled tasks are legitimate |
| Ongoing | Monitor for suspicious activity |
For organizations using endpoint AV
| Priority | Action |
|---|---|
| High | Evaluate supply chain security of AV vendors |
| High | Implement network monitoring for AV infrastructure |
| Medium | Consider defense-in-depth beyond single AV |
| Ongoing | Monitor vendor security advisories |
For security teams
| Focus | Consideration |
|---|---|
| Vendor assessment | How does the vendor secure their update infrastructure? |
| Detection coverage | Can you detect hosts file modifications? |
| Update verification | Is there integrity checking beyond signatures? |
| Incident response | What’s the plan if your AV becomes the threat? |
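The "update verification" question above, as an added example (not MicroWorld's tooling): an integrity check for the Stage 1 target that does not stop at "the Authenticode signature validates". The trojanized reload.exe carried a signature that passed the product's own check, so this script additionally pins the signer's subject and compares a SHA-256 obtained out of band. The expected subject pattern and the expected hash are placeholders, since the page gives neither; they are assumptions to be replaced with values taken from a known-clean install or from hashes the vendor publishes separately from the update channel.

```powershell
# Added example, not MicroWorld's tooling: an integrity check for the file replaced in
# Stage 1 that goes beyond "the signature validates". A valid Authenticode status alone
# accepted the trojanized reload.exe, so the signer is also pinned and the hash compared
# with a value obtained out of band. Both expected values are PLACEHOLDERS (assumptions):
# take them from a known-clean install or from the vendor's separately published hashes.

function Test-PinnedEscanBinary {
    param(
        [string]$Path = 'C:\Program Files (x86)\escan\reload.exe',
        [string]$ExpectedSubjectPattern = 'CN=MicroWorld*',        # placeholder pin
        [string]$ExpectedSha256 = 'REPLACE-WITH-KNOWN-GOOD-SHA256'   # placeholder
    )
    $result = [ordered]@{
        Path            = $Path
        Present         = $false
        SignatureStatus = 'n/a'
        PublisherPinned = $false
        Sha256          = 'n/a'
        HashMatches     = $false
    }
    if (-not (Test-Path -LiteralPath $Path)) { return [pscustomobject]$result }
    $result.Present = $true

    # Signature chain: Status is Valid only if the chain builds to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = [string]$sig.Status

    # Publisher pin: a different certificate that happens to validate is not good enough.
    if ($sig.SignerCertificate) {
        $result.PublisherPinned = ($sig.SignerCertificate.Subject -like $ExpectedSubjectPattern)
    }

    # Hash pin: independent of the signature machinery entirely.
    $result.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $result.HashMatches = ($result.Sha256 -ieq $ExpectedSha256)

    return [pscustomobject]$result
}

$check = Test-PinnedEscanBinary
$check | Format-List
$allPinsHold = ($check.SignatureStatus -eq 'Valid') -and $check.PublisherPinned -and $check.HashMatches
if ($check.Present -and -not $allPinsHold) {
    Write-Warning "Binary at $($check.Path) fails at least one pin; treat it as suspect until confirmed with the vendor."
}
```

Pinning the certificate thumbprint is stronger than a subject pattern; the subject is used here only because the page does not give a thumbprint. Either pin has to be distributed to endpoints by a path the update server cannot alter, otherwise a compromised server can ship the new pin along with the new binary.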
Context
Security software supply chain attacks are particularly damaging because:
- AV has elevated privileges on endpoint systems
- Users trust updates from security vendors
- Detection is difficult when the detector is compromised
- Remediation is complex when the update channel is blocked
The fact that eScan’s update mechanism has been compromised twice in three years—first via protocol weakness, now via server compromise—suggests fundamental architectural issues that may require more than incremental fixes to address.
Organizations dependent on eScan should weigh whether continued use is appropriate given the demonstrated attack surface of the product’s update infrastructure.