eScan Update Servers Compromised in Malware Attack

19 Feb 2026

On 2026-01-20, eScan's update infrastructure was compromised, leading to the distribution of a multi-stage downloader to enterprise and consumer systems. The breach involved malicious updates replacing the legitimate C:\Program Files (x86)\eScan\reload.exe with a rogue binary.

Malware Distribution and Impact

According to analyses by Morphisec and Kaspersky, the rogue reload.exe used an UnmanagedPowerShell-based loader with an AMSI bypass. This let it launch Base64-encoded PowerShell payloads that tampered with eScan, prevented automatic remediation, and established persistence. The malware modified the HOSTS file and contacted attacker-controlled servers to download additional payloads, including CONSCTLX.exe.

The payloads performed victim validation by checking installed software and running processes against a blocklist, aborting if analysis tools were detected. CONSCTLX.exe launched secondary PowerShell malware and manipulated Eupdate.ini to fake the product's last update time.

Response and Recovery

The compromise lasted approximately two hours, after which the affected update servers were isolated and taken offline for over eight hours. MicroWorld Technologies issued an advisory on 2026-01-22, releasing a patch to reverse the malicious changes and advising impacted organizations to contact them.

Kaspersky's telemetry indicated hundreds of attempted infections, primarily in India, Bangladesh, Sri Lanka, and the Philippines. The method by which attackers accessed the regional update server configuration remains unknown.
