MicroWorld Technologies’ eScan antivirus platform fell victim to a sophisticated supply chain attack on January 20, 2026, when threat actors compromised legitimate update infrastructure to distribute multi-stage malware to enterprise and consumer endpoints worldwide.
Security researchers immediately alerted the vendor, which isolated the affected infrastructure within one hour and took its global update system offline for over eight hours.
However, the attack’s critical nature where malicious payloads deliberately disable eScan’s functionality and block automatic updates means thousands of users cannot remediate through standard patching processes and must contact eScan directly for manual intervention.
Attack Methodology and Payload Chain
According to Morphisec, the compromise deployed a three-stage attack architecture designed for persistence and defense evasion.
The initial trojanized eScan component replaces Reload.exe with malicious code that drops CONSCTLX.exe, a 64-bit persistent downloader capable of executing arbitrary PowerShell commands and maintaining command-and-control communications.
The second stage establishes persistence through scheduled tasks disguised within WindowsDefrag directories using naming patterns like “CorelDefrag,” while simultaneously tampering with hosts files and eScan registry settings to prevent legitimate updates and block security communications.
The attack’s sophistication lies in its anti-remediation capabilities. By deliberately corrupting eScan’s update mechanism and registry configurations, threat actors ensured that standard automatic patching would fail, forcing organizations into reactive manual remediation workflows.
This strategic design choice significantly extends the attack window and increases the likelihood of successful lateral movement or secondary payload deployment before remediation occurs.
Organizations must immediately search for the primary trojanized Reload.exe file using SHA-256 hash 36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860, supplemented by scanning for two additional related samples observed on VirusTotal.
Detection teams should prioritize registry searches for suspicious GUID-named keys under HKLMSoftware containing encoded byte array data, review WindowsDefrag scheduled tasks for unexpected entries, and inspect hosts files for entries blocking eScan update infrastructure.
Network security teams must block identified C2 domains including vhs.delrosal.net, tumama.hns.to, blackice.sol-domain.org, and codegiant.io, along with IP 185.241.208.115.
eScan released patches to restore functionality, but affected systems require manual intervention before standard updates can reinstall.
Indicators of Compromise (IOCs) – eScan Supply Chain Attack
Stage 1: Trojanized eScan Component
| Component | Details | Hash/Value |
|---|---|---|
| Affected File | Reload.exe (32-bit) | Primary malicious payload |
| Primary Hash (SHA-256) | 36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860 | Observed delivered payload |
| Related Sample 1 | VirusTotal submission | 674943387cc7e0fd18d0d6278e6e4f7a0f3059ee6ef94e0976fae6954ffd40dd |
| Related Sample 2 | VirusTotal submission | 386a16926aff225abc31f73e8e040ac0c53fb093e7daf3fbd6903c157d88958c |
| Code Signing Certificate Issuer | eScan (Microworld Technologies Inc.) | Legitimate certificate misused |
| Certificate Thumbprint | 76B0D9D51537DA06707AFA97B4AE981ED6D03483 | For validation purposes |
Stage 2: Command & Control Infrastructure
| C2 Domain/IP | Status | Type |
|---|---|---|
| hxxps[://]vhs[.]delrosal[.]net/i | Unconfirmed | Domain (Defanged) |
| hxxps[://]tumama[.]hns[.]to | Unconfirmed | Domain (Defanged) |
| hxxps[://]blackice[.]sol-domain[.]org | Unconfirmed | Domain (Defanged) |
| hxxps[://]codegiant[.]io/dd/dd/dd[.]git/download/main/middleware[.]ts | Unconfirmed | Domain Path (Defanged) |
| 504e1a42.host.njalla.net | Unconfirmed | Subdomain |
| 185.241.208.115 | Unconfirmed | IP Address |
Stage 3: Persistent Downloader
| Filename | SHA-256 Hash |
|---|---|
| CONSCTLX.exe (64-bit) | bec369597633eac7cc27a698288e4ae8d12bdd9b01946e73a28e1423b17252b1 |
Persistence Mechanisms
| Persistence Type | Location/Key | Details |
|---|---|---|
| Scheduled Tasks | C:WindowsDefrag | Pattern: WindowsDefrag |
| Task Example | WindowsDefragCorelDefrag | Observed variant |
| Registry Persistence | HKLMSoftware | Encoded PowerShell payload (byte array) |
| Hosts File Tampering | C:WindowsSystem32driversetchosts | Blocks eScan update servers |
| eScan Registry Tampering | eScan product configuration keys | Disables legitimate updates |
| Directory Marker | programdataefirst | Sometimes generated as marking indicator |
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
