Security researchers at Morphisec have uncovered a massive compromise affecting eScan, an enterprise antivirus solution developed by MicroWorld Technologies. On January 20, 2026, attackers successfully hijacked the company’s update infrastructure to push malicious code directly to customers disguised as a routine security patch.
The incident turns the defender into the attacker, leveraging the trusted channel between the antivirus vendor and its clients to bypass defenses.
According to the report, the attack was swift and effective. “On January 20, 2026, Morphisec identified an active supply chain compromise affecting MicroWorld Technologies’ eScan antivirus product,” the researchers stated.
Instead of receiving the latest virus definitions, thousands of endpoints downloaded a trojanized update package. The attackers replaced legitimate components, specifically the 32-bit version of Reload.exe, to initiate a multi-stage infection chain. This compromised executable then dropped a secondary downloader, identified as CONSCTLX.exe, to fetch further payloads.
What makes this attack particularly insidious is how it protects itself. Once installed, the malware doesn’t just run; it actively dismantles the antivirus software meant to stop it.
“The malicious payload tampers with eScan registry, files and update configuration to prevent updates and proper function of the AV,” the report warns.
By modifying the system’s hosts file to block eScan’s update servers and corrupting the registry keys, the malware effectively “bricks” the security software. This ensures that even if MicroWorld Technologies released a fix, the infected machines would be unable to reach the server to download it.
Morphisec’s analysis revealed several distinct markers of the attack. Administrators should look for:
- Suspicious registry keys: keys named with randomly generated GUIDs under HKLM\Software\ that contain encoded PowerShell payloads.
- Scheduled tasks: unexpected entries in Windows\Defrag\.
- Network activity: outbound connections to the campaign's C2 domains, which should be blocked at the perimeter.
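One defender-side way to triage these indicators offline, together with the hosts-file tampering described above, from a copied hosts file, a `reg export` of HKLM\SOFTWARE and a list of scheduled-task paths. This is an added example, not Morphisec's tooling or eScan's code; the vendor hostnames, the `escan` substring heuristic, the PowerShell-text heuristic and the assumption that only the built-in `ScheduledDefrag` task belongs in the Task Scheduler's Defrag folder are all mine, and the sample inputs are constructed.

```python
import base64
import re
# Constructed sample inputs (not real artifacts from the incident): a hosts file, an excerpt of a
# `reg export` of HKLM\SOFTWARE, and scheduled-task paths. Vendor hostnames are placeholders.
SAMPLE_HOSTS = "127.0.0.1 localhost\n0.0.0.0 update.escan-vendor.example\n127.0.0.1 dl.escan-vendor.example\n"
_ENCODED = base64.b64encode("Write-Output 'constructed'".encode("utf-16le")).decode()
SAMPLE_REG = (
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows]\n\"Version\"=\"10\"\n\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\{3f2b9a10-1c4e-4d2a-9e77-0b5c1f2d3e44}]\n"
    f"\"Data\"=\"{_ENCODED}\"\n"
)
SAMPLE_TASKS = ["\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "\\Microsoft\\Windows\\Defrag\\Updater"]

GUID_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\\{[0-9a-f-]{36}\}\]$", re.I)
VALUE_LINE = re.compile(r'^"[^"]+"="([A-Za-z0-9+/=]{16,})"$')
# PowerShell Verb-Noun cmdlet names, or the word powershell / IEX, in decoded text (heuristic).
PS_HINT = re.compile(r"\b[A-Z][a-z]+-[A-Z][A-Za-z]+\b|(?i:powershell|\biex\b)")

def decoded_texts(blob):
    """UTF-16LE (what PowerShell -EncodedCommand uses) and UTF-8 readings of a base64 value."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return []
    return [raw.decode(enc, errors="replace") for enc in ("utf-16le", "utf-8")]

def hosts_sinkholes(text, vendor_marker="escan"):
    """Hosts entries that point a vendor hostname at a loopback or null address."""
    hits = []
    for line in text.splitlines():
        parts = line.split("#")[0].split()
        if len(parts) >= 2 and parts[0] in ("127.0.0.1", "0.0.0.0", "::1"):
            hits += [h for h in parts[1:] if vendor_marker in h.lower()]
    return hits

def guid_keys_with_powershell(reg_text):
    """GUID-named keys directly under HKLM\\SOFTWARE holding a value that decodes to PowerShell."""
    hits, current = [], None
    for line in reg_text.splitlines():
        if line.startswith("["):
            current = line.strip("[]") if GUID_KEY.match(line) else None
            continue
        if current and (m := VALUE_LINE.match(line)) and any(PS_HINT.search(t) for t in decoded_texts(m.group(1))):
            hits.append(current)
    return hits

def unexpected_defrag_tasks(task_paths, known_good=("ScheduledDefrag",)):
    """Tasks in a Defrag folder other than the built-in one (the known-good list is an assumption)."""
    return [p for p in task_paths if "\\Windows\\Defrag\\" in p and p.rsplit("\\", 1)[-1] not in known_good]
```

Each function returns only the entries worth a human look; treat them as leads to confirm against the vendor's manual remediation guidance, not as a verdict.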
Because the malware severs the connection to the update servers, the usual “set it and forget it” remediation strategy will fail.
“Automatic remediation is therefore not possible for compromised systems,” Morphisec emphasizes. “Impacted organizations and individuals must proactively contact eScan to obtain the manual update/patch.”
The vendor, MicroWorld Technologies, reportedly isolated the affected infrastructure within an hour of detection and took its global update system offline for over eight hours to contain the breach. However, for endpoints already infected on the morning of January 20, the damage requires hands-on repair.