A critical supply chain compromise affecting MicroWorld Technologies’ eScan antivirus product, wherein threat actors successfully hijacked the vendor’s legitimate update infrastructure to distribute malware.
Discovered on January 20, 2026, by Morphisec, the attack utilized a trojanized update package to deploy multi-stage malware across enterprise and consumer endpoints globally.
The incident renders the antivirus software ineffective and specifically tampers with system configurations to prevent automatic remediation.
Trojanized Update Mechanism and Attack Chain
The compromise was initiated through a malicious update pushed directly via eScan’s official channels. The attack chain begins with “Stage 1,” where a trojanized component replaces the legitimate Reload.exe (32-bit) binary.
Morphisec observed that the malicious executable is digitally signed with a valid certificate belonging to “eScan (Microworld Technologies Inc.),” allowing it to bypass standard trust verifications.
Once executed, this payload drops a “Stage 3” downloader identified as CONSCTLX.exe. Following the initial breach, a “Stage 2” downloader establishes persistence and executes defense evasion maneuvers.
This stage is particularly aggressive, employing PowerShell execution and tampering with the Windows Registry to disable security features.
The malware connects to Command and Control (C2) infrastructure to retrieve additional payloads, effectively turning the security tool into a gateway for further compromise.
A defining characteristic of this campaign is its focus on “anti-remediation.” The malware actively modifies the infected system’s hosts file to block communication with eScan’s update servers.
Furthermore, it alters specific eScan registry keys and configuration files to break the antivirus’s update mechanism permanently.
Consequently, infected systems cannot receive automatic patches or definitions, leaving them vulnerable even after the vendor restores their infrastructure.
Persistence is achieved through the creation of deceptive Scheduled Tasks located in C:WindowsDefrag. The malware generates tasks using a naming pattern that mimics legitimate system processes, such as WindowsDefragCorelDefrag.
Additionally, registry persistence is established under HKLMSoftware using randomly generated GUID keys containing encoded PowerShell payloads.
Indicators of Compromise (IOCs)
Organizations utilizing eScan antivirus are urged to scan their environments immediately for the following indicators.
Note that automatic remediation is not possible; the presence of these files indicates a compromise requiring manual intervention.
| Component Description | Filename | SHA-256 Hash |
|---|---|---|
| Stage 1 Payload (Trojanized Update) | Reload[.]exe (32-bit) | 36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860 |
| Stage 3 Downloader | CONSCTLX[.]exe (64-bit) | bec369597633eac7cc27a698288e4ae8d12bdd9b01946e73a28e1423b17252b1 |
| Related Sample | N/A | 674943387cc7e0fd18d0d6278e6e4f7a0f3059ee6ef94e0976fae6954ffd40dd |
| Related Sample | N/A | 386a16926aff225abc31f73e8e040ac0c53fb093e7daf3fbd6903c157d88958c |
Network Indicators and C2 Infrastructure
Network administrators should block egress traffic to the following domains, which have been identified as part of the attacker’s command and control infrastructure.
| Domain / IP | Context |
|---|---|
| hxxps[://]vhs[.]delrosal[.]net/i | C2 Infrastructure |
| hxxps[://]tumama[.]hns[.]to | C2 Infrastructure |
| hxxps[://]blackice[.]sol-domain[.]org | C2 Infrastructure |
| 504e1a42.host.njalla.net | Malicious Host |
| 185.241.208[.]115 | Malicious IP |
Because the malware effectively breaks the update mechanism of the antivirus software, automatic updates will fail on compromised machines.
eScan has reportedly taken the global update system offline for over eight hours to isolate the infrastructure, but this does not clean already infected endpoints.
Administrators must assume compromise for systems running eScan that were active on or after January 20, 2026.
Immediate steps include verifying the hosts file for entries blocking eScan domains and inspecting the registry for suspicious GUID keys containing byte array data.
Affected organizations must contact MicroWorld Technologies (eScan) directly to obtain a specialized manual patch designed to revert the configuration changes and restore the updater’s functionality.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
