eScan Antivirus Hit by Supply Chain Attack via Malicious Update

In an unexpected and highly unpleasant twist for end users of eScan (developed by MicroWorld Technologies of India), updates meant to improve the product were turned into a supply chain attack on the software itself. The discovery was made in the last week of January 2026.

The breach hit on January 20, when attackers gained unauthorized access to one of the company's regional update servers. For roughly a two-hour window, systems set to auto-update from that specific cluster pulled down a tampered package. The result: a multi-stage infection chain that replaced legitimate eScan components with malicious ones, disabled the product's ability to get real fixes or detect the intruders, and opened the door for further payloads.

Morphisec spotted the trouble first that same day, blocking it on several customer endpoints and alerting MicroWorld. The company responded swiftly, isolating the affected servers within an hour, taking the global update system offline for over eight hours, rotating credentials, and issuing a remediation patch. They classified it as unauthorized access rather than a software vulnerability, and by January 22 released an advisory urging impacted users to reach out for the fix.

At the heart of the attack was a trojanized version of Reload.exe (normally in C:\Program Files (x86)\escan), a 32-bit component that eScan uses for certain operations. The fake one, signed with an invalid or forged certificate, used UnmanagedPowerShell techniques (with an added AMSI bypass) to run embedded PowerShell scripts without tripping alarms.

Those scripts handled the dirty work:

  • Tampered with eScan's files, registry keys, and update configs to block legitimate servers (often by editing the HOSTS file to redirect update domains to dead ends).
  • Created backups of the altered files in hidden folders.
  • Checked the victim environment against a hardcoded blocklist of analysis tools, sandboxes, and competing AVs (including Kaspersky); if any were present, the attack chain stopped short.
  • Replaced CONSCTLX.exe (another eScan component) with a malicious 64-bit version that faked recent update timestamps in the config file (Eupdate.ini) to keep the UI looking normal, launched scheduled tasks for persistence, and pulled additional PowerShell payloads from attacker-controlled servers.

Kaspersky's analysis showed hundreds of attempted infections, mostly in India, Bangladesh, Sri Lanka, and the Philippines, hitting both individual users and organizations. The attackers clearly invested time studying eScan's internals to manipulate its update flow so precisely.

Supply-chain compromises through security software are rare and particularly galling: your trusted defender becomes the delivery vehicle. This one echoes past incidents like SolarWinds, but on a smaller scale, and was thankfully contained quickly. No attribution has been made public yet, though the regional focus and technical sophistication suggest a capable actor.

If you're running eScan, check for the patch, scan for known bad files (like the trojanized Reload.exe and CONSCTLX.exe), monitor for unusual network activity or HOSTS changes, and consider layering defenses until things settle. In the meantime, it's a stark reminder: even antivirus vendors aren't immune to being weaponized.
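A defender-side triage script for the indicators described above, added here as an example; it is not from the advisory, MicroWorld, or Morphisec. It assumes the install path quoted in the article, that eScan's update hostnames contain the string "escan", and that legitimate eScan binaries in that x86 install are 32-bit; review every finding rather than treating it as proof of compromise.

```powershell
# Added example (not eScan's or the advisory's code). Assumptions: install dir below,
# eScan update hosts contain "escan", and legitimate components in this x86 install are 32-bit.
$EscanDir = 'C:\Program Files (x86)\escan'
$Findings = [System.Collections.Generic.List[string]]::new()

function Get-PeMachine([string]$Path) {
    # Read the PE header's Machine field: 0x14C = x86, 0x8664 = x64.
    $bytes = [IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($bytes[$peOffset] -ne 0x50 -or $bytes[$peOffset + 1] -ne 0x45) { return 'not-PE' }
    switch ([BitConverter]::ToUInt16($bytes, $peOffset + 4)) {
        0x14C   { 'x86' }
        0x8664  { 'x64' }
        default { '0x{0:X}' -f $_ }
    }
}

# 1. Authenticode status and architecture of the two components the trojan replaced.
#    The trojanized Reload.exe carried an invalid/forged signature; the malicious CONSCTLX.exe was 64-bit.
foreach ($name in 'Reload.exe', 'CONSCTLX.exe') {
    $p = Join-Path $EscanDir $name
    if (-not (Test-Path $p)) { $Findings.Add("$name missing from $EscanDir"); continue }
    $sig = Get-AuthenticodeSignature -FilePath $p
    if ($sig.Status -ne 'Valid') {
        $Findings.Add("$name : signature $($sig.Status) (signer: $($sig.SignerCertificate.Subject))")
    }
    $arch = Get-PeMachine $p
    if ($arch -ne 'x86') { $Findings.Add("$name : $arch binary in a 32-bit install directory") }
}

# 2. HOSTS overrides for eScan update domains (the scripts redirected them to dead ends).
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
Get-Content $hosts | Where-Object { $_ -notmatch '^\s*#' -and $_ -match 'escan' } |
    ForEach-Object { $Findings.Add("HOSTS override: $_") }

# 3. Scheduled tasks whose action launches anything from the eScan directory.
#    eScan may register its own tasks; compare against a known-good host before acting.
foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -like "*$EscanDir*") {
            $Findings.Add("Scheduled task '$($t.TaskName)' runs $($a.Execute) $($a.Arguments)")
        }
    }
}

if ($Findings.Count -eq 0) { 'No eScan compromise indicators found.' } else { $Findings }
```

Run it in an elevated PowerShell session, since reading HOSTS and enumerating all scheduled tasks may otherwise be incomplete.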

Source: The Hacker News

© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067