The update infrastructure for eScan antivirus, a security solution developed by Indian cybersecurity company MicroWorld Technologies, has been compromised by unknown attackers to deliver a persistent downloader to enterprise and consumer systems.
“Malicious updates were distributed through eScan’s legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally,” Morphisec researcher Michael Gorelik said.
MicroWorld Technologies has revealed that it detected unauthorized access to its infrastructure and immediately isolated the impacted update servers, which remained offline for over eight hours. It has also released a patch that reverts the changes introduced as part of the malicious update. Impacted organizations are recommended to contact MicroWorld Technologies to obtain the fix.
It also pinned the attack as resulting from unauthorized access to one of its regional update server configurations, which enabled the threat actors to distribute a “corrupt” update to customers during a “limited timeframe” of about two hours on January 20, 2026.
“eScan experienced a temporary update service disruption starting January 20, 2026, affecting a subset of customers whose systems automatically download updates during a specific timeframe, from a specific update cluster,” the company said in an advisory issued on January 22, 2026.
“The issue resulted from unauthorized access to the regional update server infrastructure. The incident has been identified and resolved. Comprehensive remediation is available that addresses all observed scenarios.”
Morphisec, which identified the incident on January 20, 2026, said the malicious payload interferes with the regular functionality of the product, effectively preventing automatic remediation. This specifically involves delivering a malicious “Reload.exe” file that’s designed to drop a downloader, which contains functionality to establish persistence, block remote updates, and contact an external server to fetch additional payloads, including “CONSCTLX.exe.”
According to details shared by Kaspersky, “Reload.exe” – a legitimate file located in “C:\Program Files (x86)\escan\reload.exe” – is replaced with a rogue counterpart that can prevent further antivirus product updates by modifying the HOSTS file. It’s signed with a fake, invalid digital signature.
“When started, this reload.exe file checks whether it is launched from the Program Files folder, and exits if not,” the Russian cybersecurity company said. “This executable is based on the UnmanagedPowerShell tool, which allows executing PowerShell code in any process. Attackers have modified the source code of this project by adding an AMSI bypass capability to it, and used it to execute a malicious PowerShell script inside the reload.exe process.”
The primary responsibility of the binary is to launch three Base64-encoded PowerShell payloads, which are designed to –
- Tamper with the installed…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
