Discovered on January 20, 2026, by Morphisec, the attack utilized a trojanized update package to deploy multi-stage malware across enterprise and consumer endpoints globally.
The incident renders the antivirus software ineffective and specifically tampers with system configurations to prevent automatic remediation.
The compromise was initiated through a malicious update pushed directly via eScan’s official channels. The attack chain begins with “Stage 1,” where a trojanized component replaces the legitimate Reload.exe (32-bit) binary.
Morphisec observed that the malicious executable is digitally signed with a valid certificate belonging to “eScan (Microworld Technologies Inc.),” allowing it to bypass standard trust verifications.
Once executed, this payload drops a “Stage 3” downloader identified as CONSCTLX.exe. Following the initial breach, a “Stage 2” downloader establishes persistence and executes defense evasion maneuvers.
This stage is particularly aggressive, employing PowerShell execution and tampering with the Windows Registry to disable security features.
The malware connects to Command and Control (C2) infrastructure to retrieve additional payloads, effectively turning the security tool into a gateway for further compromise.
A defining characteristic of this campaign is its focus on “anti-remediation.” The malware actively modifies the infected system’s hosts file to block communication with eScan’s update servers.
Furthermore, it alters specific eScan registry keys and configuration files to break the antivirus’s update mechanism permanently.
Consequently, infected systems cannot receive automatic patches or definitions, leaving them vulnerable even after the vendor restores their infrastructure.
Persistence is achieved through the creation of deceptive Scheduled Tasks located in C:WindowsDefrag. The malware generates tasks using a naming pattern that mimics legitimate system processes, such as WindowsDefragCorelDefrag.
Additionally, registry persistence is established under HKLMSoftware using randomly generated GUID keys containing encoded PowerShell payloads.
Organizations utilizing eScan antivirus are urged to scan their environments immediately for the following indicators.
Note that automatic remediation is not possible; the presence of these files indicates a compromise requiring manual intervention.
| Component Description | Filename | SHA-256 Hash |
|---|---|---|
| Stage 1 Payload (Trojanized Update) | Reload[.]exe (32-bit) | 36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860 |
| Stage 3 Downloader | CONSCTLX[.]exe (64-bit) | bec369597633eac7cc27a698288e4ae8d12bdd9b01946e73a28e1423b17252b1 |
| Related Sample | N/A | 674943387cc7e0fd18d0d6278e6e4f7a0f3059ee6ef94e0976fae6954ffd40dd |
| Related Sample | N/A | 386a16926aff225abc31f73e8e040ac0c53fb093e7daf3fbd6903c157d88958c |
Network administrators should block egress traffic to the following domains, which have been identified as part of the attacker’s command and control infrastructure.
| Domain / IP | Context |
|---|---|
| hxxps[://]vhs[.]delrosal[.]net/i | C2 Infrastructure |
| hxxps[://]tumama[.]hns[.]to | C2 Infrastructure |
| hxxps[://]blackice[.]sol-domain[.]org | C2 Infrastructure |
| 504e1a42.host.njalla.net | Malicious Host |
| 185.241.208[.]115 | Malicious IP |
Because the malware effectively breaks the update mechanism of the antivirus software, automatic updates will fail on compromised machines.
eScan has reportedly taken the global update system offline for over eight hours to isolate the infrastructure, but this does not clean already infected endpoints.
Administrators must assume compromise for systems running eScan that were active on or after January 20, 2026.
Immediate steps include verifying the hosts file for entries blocking eScan domains and inspecting the registry for suspicious GUID keys containing byte array data.
Affected organizations must contact MicroWorld Technologies (eScan) directly to obtain a specialized manual patch designed to revert the configuration changes and restore the updater’s functionality.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post eScan Antivirus Update Server Hacked to Push Malicious Update packages appeared first on Cyber Security News.
Editor’s Note: The Abilene Police Department supplied the following arrest and incident reports. All information…
Senator John Cornyn and Texas Attorney General Ken Paxton will face off in a runoff…
The two young girls found dead inside suitcases that had been buried in shallow graves…
SEVERE WEATHER POSSIBLE: what you need to know
Wake-Up Weather: a CHANCE at severe weather
Today, Google killed its 30 percent app store fee, partially uncoupled Google Play from Google…
This website uses cookies.