The cybersecurity world has been shaken by another alarming supply chain attack targeting the core infrastructure that organizations trust to protect them. The update infrastructure for eScan antivirus, a security solution developed by Indian cybersecurity company MicroWorld Technologies, has been compromised by unknown attackers to deliver a persistent downloader to enterprise and consumer systems.
- Understanding the eScan Supply Chain Attack
- What Happened: Timeline of the Breach
- How the Attack Was Executed
- Geographical Impact and Affected Systems
- Technical Analysis of the Multi-Stage Malware
- Stage 1: The Trojanized eScan Update
- Stage 2: Downloader Deployment and Persistence Mechanisms
- Stage 3: Advanced Evasion Techniques
- Maintaining Stealth and Blocking Updates
- Fallback Mechanisms for Sustained Access
- Historical Context: eScan’s Previous Security Incident
- Why Antivirus Supply Chain Attacks Are Particularly Dangerous
- Threat Actor Attribution and Motivations
- Remediation Steps for Affected Users
- Critical: Manual Intervention Required
- eScan’s Response and Available Tools
- Detection and Investigation Recommendations
- The Broader Cybersecurity Landscape in 2026
- Supply Chain Attacks: A Growing Threat
- AI’s Role in Cybersecurity Threats
- Operational Resilience: The New Imperative
- How to Protect Against Supply Chain Attacks
- Implementing Zero Trust Architecture
- Third-Party Risk Management
- Endpoint Detection and Response
- Best Practices for Security Teams
- Dependency Management
- Key Indicators of Compromise (IOCs)
- Lessons Learned and Future Outlook
- The Importance of Rapid Detection
- Vendor Response and Transparency
- What This Means for Antivirus Users
- Staying Vigilant in an Era of Supply Chain Threats
This incident represents a particularly concerning development in the ever-evolving landscape of cyber threats. “Notably, it is quite unique to see malware being deployed through a security solution update,” noted security researchers. “Supply chain attacks are a rare occurrence in general, let alone the ones orchestrated through antivirus products.”
MicroWorld Technologies’ eScan antivirus platform fell victim to a sophisticated supply chain attack on January 20, 2026, when threat actors compromised legitimate update infrastructure to distribute multi-stage malware to enterprise and consumer endpoints worldwide. This article provides a comprehensive analysis of the attack, its implications, and actionable steps you can take to protect your organization and personal devices.
Understanding the eScan Supply Chain Attack
What Happened: Timeline of the Breach
On January 20, 2026, Morphisec identified an active supply chain compromise affecting MicroWorld Technologies’ eScan antivirus product. Malicious updates were distributed through eScan’s legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally.
The file was delivered to customers who downloaded updates from the regional update cluster during a two-hour window on January 20, 2026. According to eScan, the company detected the issue internally on January 20 through monitoring and customer reports, isolated the affected infrastructure within hours, and issued a security advisory on January 21.
Security researchers immediately alerted the vendor, which isolated the affected infrastructure within one hour and took its global update system offline for over eight hours.
How the Attack Was Executed
In its advisory, eScan classified the incident as an update infrastructure access incident, stating that unauthorized access to a regional update server configuration allowed an unauthorized file to be placed in the update distribution path.
In response to questions from BleepingComputer, eScan developers explained that the attackers gained access to one of the regional update servers and deployed a malicious file, which was then automatically delivered to customers. They emphasized that this was not a product vulnerability; the incident is classified as unauthorized access to infrastructure.
The security outfit also noted that the attackers had to have studied the internals of eScan in detail to understand how its update mechanism worked and how it could be tampered with to distribute malicious updates. It’s currently not known how the threat actors managed to secure access to the update server.
Geographical Impact and Affected Systems
Telemetry data has identified hundreds of affected machines, primarily located in India, Bangladesh, Sri Lanka, and the Philippines. The sophistication of the attack suggests the actors conducted a detailed study of eScan’s internal update mechanisms prior to the breach.
The primary victims of this campaign were eScan Antivirus customers in South Asia, both private individuals and organizations, with no evidence of sector-specific targeting.
Technical Analysis of the Multi-Stage Malware
Stage 1: The Trojanized eScan Update
According to details shared by Kaspersky, “Reload.exe,” a legitimate file located in “C:\Program Files (x86)\escan\reload.exe,” is replaced with a rogue counterpart that can prevent further antivirus product updates by modifying the HOSTS file. It’s signed with a fake, invalid digital signature.
While the modified Reload.exe is signed with what appears to be eScan’s code-signing certificate, both Windows and VirusTotal show the signature as invalid. According to Morphisec, the Reload.exe file was used to enable persistence, execute commands, modify the Windows HOSTS file to prevent remote updates, and connect to the C2 infrastructure to download further payloads.
Stage 2: Downloader Deployment and Persistence Mechanisms
According to security analysis from Morphisec, the compromise deployed a three-stage attack architecture designed for persistence and defense evasion.
The malware also ensured its persistence in the system, communicated with command-and-control servers, and downloaded additional malicious payloads. Persistence was achieved by creating scheduled tasks; one example of such a malicious task is named “CorelDefrag”. Additionally, the consctlx.exe malicious file was written to the disk during the infection.
The primary binary functions as a loader for three specific Base64-encoded PowerShell payloads. These payloads perform distinct functions:
- Antivirus Tampering: The first script modifies the local eScan installation to prevent it from receiving legitimate future updates.
- Defensive Bypass: The second payload focuses on neutralizing Windows AMSI (the Antimalware Scan Interface), allowing the third stage to execute without signature-based detection.
- Victim Validation and Payload Fetching: The third script executes a validation routine, scanning for security products like Kaspersky to avoid analysis in sandboxed environments. If the validation check passes, the malware initiates a connection to an external command-and-control (C2) server.
Stage 3: Advanced Evasion Techniques
The victim validation step examines the list of installed software, running processes, and services against a hard-coded blocklist that includes analysis tools and security solutions, including those from Kaspersky. If they are detected, no further payloads are delivered.
The PowerShell payload, once executed, contacts an external server to receive two payloads in return: “CONSCTLX.exe” and a second PowerShell-based malware that’s launched by means of a scheduled task. It’s worth noting that the first of the three aforementioned PowerShell scripts also replaces the “C:\Program Files (x86)\eScan\CONSCTLX.exe” component with the malicious file.
Maintaining Stealth and Blocking Updates
To maintain the illusion of a functional system, the malware updates the Eupdate.ini file, setting the “last update” time to the current date and time. This prevents the user or system administrator from noticing a lack of legitimate updates.
The trojanized eScan component (Reload.exe) was signed and launched a downloader that connected to attacker-operated C2 infrastructure for additional payloads, tampered with the hosts file and eScan registry keys to block remote updates for the antivirus, and implemented persistence mechanisms. The supply chain compromise also caused the eScan antivirus on those endpoints to stop working as intended, since the trojanized update tampered with the solution’s registry, files and update configuration to block remote updates.
Fallback Mechanisms for Sustained Access
An interesting fact about the implants deployed is that they implement fallback methods of performing malicious operations. For example, if the scheduled task that launches the PowerShell payload is deleted, it will still be launched by the CONSCTLX.exe file. In addition, if the C2 servers used by the PowerShell payload are identified and blocked, attackers will be still able to deploy shellcodes to the infected machine through CONSCTLX.exe.
Historical Context: eScan’s Previous Security Incident

The 2024 GuptiMiner Campaign
Incidentally, this is not the first time that eScan users were targeted with malware: in 2024, attackers exploited a vulnerability in the antivirus program to sideload the GuptiMiner backdoor and the XMRig crypto miner onto organizations’ computers.
A new malware campaign has been exploiting the updating mechanism of the eScan antivirus software to distribute backdoors and cryptocurrency miners like XMRig through a long-standing threat codenamed GuptiMiner targeting large corporate networks.
What sets GuptiMiner apart is its sophistication and the strategic timing of its payload deployments, often during system shutdowns when defenses are low and monitoring decreases. This campaign, executed by an as-yet-unidentified threat actor, seems to have possible ties to Kimsuky, a notorious APT group emanating from North Korea.
Researchers describe GuptiMiner as “a highly sophisticated threat” that can perform DNS requests to the attacker’s DNS servers, extract payloads from images, sign its payloads, and perform DLL sideloading.
eScan acknowledged the flaw and addressed it on July 31, 2023. The issue in the update mechanism was present for at least five years.
Why Antivirus Supply Chain Attacks Are Particularly Dangerous
The Paradox of Trusted Security Software
Notably, it is quite unique to see malware being deployed through a security solution update. Supply chain attacks are a rare occurrence in general, let alone ones orchestrated through antivirus products. Based on the analysis of the identified implants, we can conclude that this attack was prepared thoroughly, as to orchestrate it, attackers had to:
- Get access to the security solution update server.
- Study the internals of the eScan product to learn how its update mechanism works, as well as how to potentially tamper with this product.
- Develop unique implants, tailored to the supply chain attack.
Organizations are uniquely vulnerable to software supply chain attacks for two major reasons: first, many third-party software products require privileged access; and second, many third-party software products require frequent communication between a vendor’s network and the vendor’s software. Many common, third-party software products require elevated system privileges to operate effectively; this includes products like antivirus, IT management, and remote access software.
The Challenge of Trust Relationships
In a supply chain attack, an attacker might target a cybersecurity vendor and add malicious code to their software, which is then sent out in a system update to that vendor’s clients. When the clients download the update, believing it to be from a trusted source, the malware grants attackers access to those clients’ systems and information. (This is essentially how the SolarWinds attack was carried out against 18,000 customers in 2020.)
Supply chain attacks are an emerging threat that target software developers and suppliers. The goal is to access source codes, build processes, or update mechanisms by infecting legitimate apps to distribute malware. Attackers hunt for unsecure network protocols, unprotected server infrastructures, and unsafe coding practices. They break in, change source codes, and hide malware in build and update processes. Because software is built and released by trusted vendors, these apps and updates are signed and certified. In software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious code when they’re released to the public. The malicious code then runs with the same trust and permissions as the app.
Threat Actor Attribution and Motivations
Unknown Attackers with Advanced Capabilities
The actors behind the eScan Antivirus supply chain attack have not been publicly attributed to any known Advanced Persistent Threat (APT) group as of this writing. However, the technical sophistication of the operation, demonstrated by the compromise of a regional update server, the use of a fake code-signing certificate, and the deployment of multi-stage, obfuscated payloads, suggests a well-resourced and highly skilled adversary. The attackers exhibited deep knowledge of eScan’s internal architecture and update mechanisms, as well as a clear intent to evade detection by both endpoint security solutions and human analysts. The campaign’s focus on South Asian targets, combined with the infrastructure and TTPs (Tactics, Techniques, and Procedures) observed, is consistent with the operational patterns of state-sponsored or highly organized cybercriminal groups, though definitive attribution remains pending.
Potential Nation-State Connections
Nation-state actors continue sponsoring and conducting ransomware operations as part of broader cyber warfare strategies. Russia maintains extensive relationships with criminal groups, providing protection from prosecution in exchange for intelligence sharing and selective targeting. China, Russia, North Korea and Iran all maintain offensive cyber capabilities that sometimes blur the lines between state-sponsored operations and criminal activities. While nation-state operations typically pursue espionage or disruption rather than direct financial gain, the technical infrastructure and tactics often overlap with purely criminal ransomware campaigns.
Remediation Steps for Affected Users
Critical: Manual Intervention Required
CRITICAL: The malicious payload tampers with eScan registry, files and update configuration to prevent updates and proper function of the AV. Automatic remediation is therefore not possible for compromised systems. Impacted organizations and individuals must proactively contact eScan to obtain the manual update/patch.
Since the malicious update made the remote updating of the solution impossible, some of the affected organizations and individuals had to contact MicroWorld directly to obtain the patch, and to implement it manually themselves.
eScan’s Response and Available Tools
To resolve the issue, eScan released a utility that users can obtain by contacting the company’s technical support team. The tool was designed to clean the infection, roll back malicious system modifications, and restore eScan’s normal functionality.
MicroWorld told Bleeping Computer that the compromised update server delivered the malicious eScan update for approximately two hours, and that it has since been rebuilt. The company also rotated authentication credentials and developed a patch.
Detection and Investigation Recommendations
To detect infection, it is recommended to review scheduled tasks for traces of malware, check the %WinDir%\System32\drivers\etc\hosts file for blocked eScan domains, and review the eScan update logs for January 20.
Morphisec’s advice for those users is to assume compromise, isolate the system(s), and investigate whether they’ve been saddled with the trojanized eScan update. The company advises security defenders to look for malicious files, unexpected scheduled tasks, suspicious GUID-named keys in the registry, and entries blocking eScan domains in the hosts file.
Assume compromise and conduct full forensic investigation. IMPORTANT: Affected organizations may need to proactively contact eScan to receive remediation assistance. We strongly encourage eScan customers to reach out directly rather than waiting to be contacted.
The Broader Cybersecurity Landscape in 2026

Supply Chain Attacks: A Growing Threat
Ransomware and supply chain attacks soared in 2025, and persistently elevated attack levels suggest that the global threat landscape will remain perilous heading into 2026.
Chief information security officers (CISOs) remain concerned about ransomware and supply chain resilience.
Supply chain attacks are intensifying as dependencies extend into AI stacks, where machine identities and data flows become prime targets. Vendor concentration amplifies systemic risk, while recent breaches highlight Identity and Access Management gaps in cloud ecosystems. To counter these threats, organizations must adopt zero trust architectures, enforce continuous monitoring, and invest in post-quantum cryptography to safeguard operational resilience across interconnected supply chains.
AI’s Role in Cybersecurity Threats
AI is anticipated to be the most significant driver of change in cybersecurity in the year ahead, according to 94% of survey respondents. At the same time, AI vulnerabilities are accelerating at an unprecedented pace: 87% of respondents identified AI-related vulnerabilities as the fastest-growing cyber risk over the course of 2025.
But this rapid embrace of AI brings growing concerns over whether companies have created the proper guardrails and governance structures to ensure their AI programs are secure and cannot be used by malicious actors to exfiltrate corporate data, exploit customers or compromise supply chains. “There is a gap between how fast organizations are adopting AI and the maturity of their governance framework,” Morgan Adamski, cyber, data and tech risk deputy leader at PwC told Cybersecurity Dive.
Operational Resilience: The New Imperative
During much of 2025, companies around the globe were forced to confront a significant shift in cyber resilience. Cyber threat groups were no longer focused just on the exfiltration of data as their main objective, but instead on causing massive disruption to business operations. A social engineering attack on UK department store Marks & Spencer, the hack of United Natural Foods and a crippling hack of automaker Jaguar Land Rover served as graphic examples in 2025 of how easily a successful cyberattack can disrupt production capacity, as well as major supply chains.
How to Protect Against Supply Chain Attacks
Implementing Zero Trust Architecture
Implement Zero Trust: Zero Trust ensures that every user, from employees to contractors and vendors, is subject to continuous validation and monitoring inside an organization’s network. Verifying user and device identity and privileges helps ensure that attackers cannot infiltrate an organization simply by stealing legitimate user credentials.
An assume breach mindset naturally leads to the implementation of a Zero Trust Architecture. As the name suggests, with an Assume Breach mentality, an organization assumes that a data breach will happen, as opposed to hoping it won’t happen. This subtle shift in mindset encourages the deployment of active cyber defense strategies across all vulnerable attack vectors in an organization.
Third-Party Risk Management
Run a third-party risk assessment: This may include testing third-party software prior to deployment, requiring vendors to adhere to specific security policies, implementing Content Security Policies (CSP) to control which resources a browser can run, or using Subresource Integrity (SRI) to check JavaScript for suspicious content.
Ultimately, your supply chain security is only as strong as that of the weakest member of your supply chain. This means your strategy has to include third-party risk management practices, like ongoing vendor management and monitoring and regular risk assessments and audits.
Endpoint Detection and Response
Supply chain cyberattacks often take advantage of inadequately secured endpoints. With an endpoint detection and response (EDR) system, many types of supply chain attacks can be stopped because the endpoint itself is protected against infection.
Deploy strong code integrity policies to allow only authorized apps to run. Use endpoint detection and response solutions that can automatically detect and remediate suspicious activities. Maintain a highly secure build and update infrastructure.
Best Practices for Security Teams
The significant supply chain and ransomware threats facing security teams as we enter 2026 require a renewed focus on cybersecurity best practices that can help protect against a wide range of cyber threats. These practices include:
- Prioritizing vulnerabilities based on risk.
- Protecting web-facing assets.
- Segmenting networks and critical assets.
- Hardening endpoints and infrastructure.
- Strong access controls, allowing no more access than is required, with frequent verification.
- A strong source of user identity and authentication, including multi-factor authentication and biometrics, as well as machine authentication with device compliance and health checks.
- Encryption of data at rest and in transit.
- Ransomware-resistant backups that are immutable, air-gapped, and isolated as much as possible.
- Honeypots that lure attackers to fake assets for early breach detection.
Dependency Management
Security researcher William Woodruff demonstrates that waiting 7-14 days after a package release before accepting it as a dependency prevents the majority of supply chain attacks. Dependency cooldowns work because security vendors like Socket, Aikido, and others continuously scan registries with proactive malware detection during that window. Detection happens through automated analysis of package behavior, code patterns, and anomalies.
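As an added example (not code from the article or from any of the vendors it mentions), the following Python snippet shows what a dependency cooldown policy looks like when enforced in a resolver: given a package's release history, it selects the newest version that has aged past the cooldown window and reports how long a too-new pin must wait. The release dates and version numbers are constructed placeholders, not real registry data.

```python
from datetime import date, timedelta

# Constructed release history for a placeholder package; not real registry data.
RELEASES = {
    "1.4.2": date(2026, 1, 2),
    "1.4.3": date(2026, 1, 10),
    "1.5.0": date(2026, 1, 19),   # newest release, still inside a 7-day cooldown on Jan 21
}


def parse_version(version):
    """Turn '1.4.3' into (1, 4, 3) so versions sort numerically (1.10 > 1.9), not lexically."""
    return tuple(int(part) for part in version.split("."))


def eligible_versions(releases, today, cooldown_days=7):
    """Versions published at least `cooldown_days` before `today`, oldest first."""
    cutoff = today - timedelta(days=cooldown_days)
    return sorted(
        (v for v, published in releases.items() if published <= cutoff),
        key=parse_version,
    )


def resolve_with_cooldown(releases, today, cooldown_days=7):
    """Newest version that has aged past the cooldown, or None if nothing qualifies yet."""
    candidates = eligible_versions(releases, today, cooldown_days)
    return candidates[-1] if candidates else None


def days_until_eligible(version, releases, today, cooldown_days=7):
    """0 if the pinned version may be adopted today, otherwise the remaining wait in days."""
    age = (today - releases[version]).days
    return max(0, cooldown_days - age)


if __name__ == "__main__":
    today = date(2026, 1, 21)
    for window in (7, 14):
        print(f"{window}-day cooldown -> {resolve_with_cooldown(RELEASES, today, window)}")
    print("1.5.0 becomes eligible in", days_until_eligible("1.5.0", RELEASES, today), "days")
```

The two windows in the usage block illustrate the trade-off the article describes: a 7-day cooldown accepts 1.4.3, a 14-day cooldown still holds at 1.4.2, and the freshly published 1.5.0 is rejected under either, which is exactly the period in which registry scanners have a chance to flag a malicious release.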
Key Indicators of Compromise (IOCs)
Security researchers have identified several command and control servers associated with this campaign. Organizations should monitor network traffic for connections to these malicious infrastructure points and block them at the firewall level.
The malicious file was distributed with a fake, invalid digital signature. According to the developers, the infrastructure affected by the incident was quickly isolated, and all access credentials were reset.
Look for the following signs of compromise:
- Modified hosts file blocking eScan update domains
- Unexpected scheduled tasks, particularly one named “CorelDefrag”
- Suspicious GUID-named keys in the registry
- The presence of consctlx.exe in unusual locations
- Modified Eupdate.ini files with artificially updated timestamps
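As an added example (not code from the article, eScan, Morphisec or Kaspersky), the following Python triage script applies three of the checks listed under Detection and Investigation Recommendations and in the IOC list above: hosts-file entries that sinkhole eScan hostnames, a scheduled task named CorelDefrag, and a consctlx.exe outside the eScan install directory. The sample hosts file, task list and file paths are constructed test data; the eScan hostnames in it are placeholders (`*.escan.example`) because the article does not list the blocked domains, while the task name and the expected `C:\Program Files (x86)\eScan\CONSCTLX.exe` path come from the article. On a Windows host the `collect_live` helper reads the real hosts file and the output of `schtasks /query /fo csv /nh`.

```python
import subprocess
import sys

# Constructed sample data for offline testing; none of these are real artifacts
# from the incident. The eScan hostnames are placeholders (the article does not
# list the blocked domains).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         update.escan.example   # placeholder eScan update host
127.0.0.1       dl.escan.example
"""
SAMPLE_TASKS = [
    r"\Microsoft\Windows\Defrag\ScheduledDefrag",
    r"\CorelDefrag",                      # task name reported for this campaign
    r"\OneDrive Standalone Update Task",
]
SAMPLE_FILES = [
    r"C:\Program Files (x86)\eScan\CONSCTLX.exe",   # legitimate location
    r"C:\Users\Public\consctlx.exe",                # unexpected copy
]

SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}
SUSPICIOUS_TASK_NAMES = {"coreldefrag"}            # from public reporting on this incident
EXPECTED_CONSCTLX_DIR = r"c:\program files (x86)\escan"


def find_blocked_escan_hosts(hosts_text):
    """Hostnames containing 'escan' that the hosts file maps to a loopback/null address."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        if ip in SINKHOLE_IPS:
            hits.extend(n for n in names if "escan" in n.lower())
    return hits


def find_suspicious_tasks(task_names):
    """Scheduled tasks whose leaf name matches the known-bad list (case-insensitive)."""
    return [t for t in task_names if t.rsplit("\\", 1)[-1].lower() in SUSPICIOUS_TASK_NAMES]


def find_misplaced_consctlx(paths):
    """consctlx.exe anywhere other than the eScan install directory."""
    hits = []
    for p in paths:
        directory, _, filename = p.lower().rpartition("\\")
        if filename == "consctlx.exe" and directory != EXPECTED_CONSCTLX_DIR:
            hits.append(p)
    return hits


def triage(hosts_text, task_names, file_paths):
    """Combine all checks into a list of (indicator, value) findings."""
    findings = [("hosts_sinkhole", h) for h in find_blocked_escan_hosts(hosts_text)]
    findings += [("scheduled_task", t) for t in find_suspicious_tasks(task_names)]
    findings += [("misplaced_consctlx", p) for p in find_misplaced_consctlx(file_paths)]
    return findings


def collect_live():
    """Windows-only: read the real hosts file and enumerate scheduled task names."""
    hosts_path = r"C:\Windows\System32\drivers\etc\hosts"
    with open(hosts_path, encoding="utf-8", errors="replace") as fh:
        hosts_text = fh.read()
    out = subprocess.run(["schtasks", "/query", "/fo", "csv", "/nh"],
                         capture_output=True, text=True, check=True).stdout
    # Each CSV row starts with the quoted task path, e.g. "\CorelDefrag","N/A","Ready"
    tasks = [row.split('","', 1)[0].strip('"') for row in out.splitlines() if row.startswith('"')]
    return hosts_text, tasks


if __name__ == "__main__":
    if sys.platform == "win32":
        hosts_text, tasks = collect_live()
        results = triage(hosts_text, tasks, [])   # file sweep is left to the investigator's tooling
    else:
        results = triage(SAMPLE_HOSTS, SAMPLE_TASKS, SAMPLE_FILES)
    for indicator, value in results:
        print(f"[!] {indicator}: {value}")
```

A non-empty findings list is a trigger for the article's "assume compromise" guidance, not a clean bill of health in reverse: the registry GUID-key and Eupdate.ini timestamp indicators are not covered here, and a hosts file that has already been cleaned will not show the sinkhole entries, so the eScan update log for January 20 should still be reviewed.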
Lessons Learned and Future Outlook
The Importance of Rapid Detection
One lucky thing about this attack is that it was contained in quite a short period of time. As security solutions have a high level of trust within the operating system, attackers can use a variety of creative ways to orchestrate the infection, for example by using kernel-mode implants. However, in the attack we saw, they relied on user-mode components and commonly observed infection techniques, such as using scheduled tasks for persistence. This factor, in our opinion, made this supply chain attack easy to detect.
Vendor Response and Transparency
“We provided comprehensive support to all affected customers and implemented enhanced security measures to prevent recurrence. We are concerned that some third-party reports contain multiple demonstrably false technical claims that we have documented in detail. We stand behind the accuracy of our incident response and the integrity of our products,” eScan said.
What This Means for Antivirus Users
The eScan incident underscores a fundamental challenge in cybersecurity: the tools designed to protect us can themselves become attack vectors. This attack demonstrates the evolving threat landscape, where even trusted security vendors can become unwitting vectors for advanced malware.
The implications of such an attack are far-reaching. Beyond the immediate impact on affected systems, this compromise undermines trust in the security measures that individuals and organizations rely upon.
Staying Vigilant in an Era of Supply Chain Threats
The eScan antivirus supply chain attack serves as a stark reminder that no security solution is immune to compromise. As cyber threat actors continue to develop increasingly sophisticated methods for infiltrating trusted software ecosystems, organizations must adopt a multi-layered approach to security that includes:
- Defense in Depth: Never rely on a single security solution
- Continuous Monitoring: Implement real-time threat detection across all endpoints
- Vendor Risk Management: Regularly assess the security posture of software providers
- Incident Response Planning: Develop and test procedures for supply chain compromise scenarios
- Employee Awareness: Train staff to recognize signs of compromise even from trusted sources
Cybersecurity trends in 2026 demand proactive, layered defenses. Organizations must adopt anticipatory AI for predictive threat modeling, coupled with continuous monitoring and micro-segmentation to minimize attack surfaces. Strengthening Identity and Access Management (IAM) roadmaps is critical, integrating passwordless multi-factor authentication, automated credential rotation, and governance for machine identities. Employee training remains a cornerstone against social engineering and insider threats, while supply chain audits help mitigate risks across interconnected ecosystems. Finally, building operational resilience requires public-private collaboration, enabling intelligence sharing and coordinated incident response. These strategies, combined with ZTNA principles, position cybersecurity teams to counter evolving threats and maintain business continuity.
The threat landscape continues to evolve, and supply chain attacks represent one of the most challenging security threats facing organizations today. By staying informed, implementing robust security practices, and maintaining vigilance, organizations can better protect themselves against these sophisticated attacks.
