In January 2026, a critical supply chain compromise was uncovered impacting MicroWorld Technologies’ eScan antivirus product. Attackers abused eScan’s legitimate update infrastructure to distribute a trojanized update, resulting in the installation of multi-stage malware on systems worldwide. The attack was particularly severe because it disabled eScan’s own update and remediation mechanisms, forcing affected organizations to rely on manual recovery.
Severity: High
Incident Background
On January 20, 2026, Morphisec identified malicious activity originating from an official eScan update. The update channel normally trusted to deliver security fixes was weaponized to push a compromised binary to both enterprise and consumer endpoints globally. Because the payload was digitally signed with a legitimate eScan certificate, it bypassed traditional trust checks and security controls.
Attack Chain And Technical Details
The compromise followed a multi-stage attack chain:
- Stage 1 – Trojanized Update
  - The legitimate Reload.exe (32-bit) updater was replaced with a malicious version.
  - This binary was signed using an authentic eScan code-signing certificate, increasing its success rate.
  - Its primary role was to establish initial execution and deploy the next stage.
- Stage 2 – Downloader and Defense Evasion
  - The malware created scheduled tasks under Windows\Defrag\ for persistence.
  - It executed PowerShell payloads, modified the hosts file, and altered eScan registry settings to block legitimate update servers.
  - These actions ensured that eScan could not self-update or remediate the infection.
  - The malware then connected to external command-and-control (C2) infrastructure to retrieve additional payloads.
- Stage 3 – Persistent Downloader
  - A 64-bit component (CONSCTLX.exe) was deployed to maintain long-term access.
  - Persistence was reinforced through registry keys with randomly generated GUIDs containing encoded PowerShell data. This stage enabled continued attacker control and potential follow-on activity.
Recommendations
- Enterprises and consumers using eScan Antivirus should scan for the known malicious files, in particular the trojanized Reload.exe and the persistent downloader CONSCTLX.exe.
- Inspect scheduled tasks under C:\Windows\Defrag\ for anomalous or non-standard task names.
- Hunt for registry persistence via GUID-named keys under HKLM\Software\ containing encoded PowerShell payloads.
- Contact MicroWorld Technologies (eScan) directly to obtain the official manual patch.
- Validate and restore:
  - Hosts file entries (remove blocks on eScan update servers)
  - eScan registry and configuration settings
- Reset credentials for any users or service accounts that logged into or were used on affected systems.
- Block the IOCs at their respective controls
https://www.virustotal.com/gui/collection/ab5979dd1041fa4967733a3179e6049ddae38a2f7885697165d15fbb8b67900d/iocs
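The following hunting script walks the four checks recommended above (Defrag scheduled tasks, GUID-named keys under HKLM\Software carrying encoded PowerShell, hosts-file blocks of eScan update servers, and copies of the two named binaries). It is an added example, not code from Morphisec or eScan, and assumes the tasks sit in the Task Scheduler folder \Microsoft\Windows\Defrag\ (where ScheduledDefrag is the only task Windows itself creates) and that eScan update hostnames contain the string "escan".

```powershell
# Added hunting script for the indicators in this advisory; not Morphisec's or eScan's code. Run elevated.
# Assumptions: malicious tasks live in the Task Scheduler folder \Microsoft\Windows\Defrag\ (Windows
# itself only creates "ScheduledDefrag" there) and eScan update hostnames contain the string "escan".
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Type, $Location, $Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# 1. Tasks in the Defrag folder that are not the stock one, or whose action launches PowerShell.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\Defrag\' -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    if ($task.TaskName -ne 'ScheduledDefrag' -or $cmd -match 'powershell|pwsh|-enc') {
        Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd
    }
}

# 2. GUID-named keys directly under HKLM\Software holding long base64 strings (encoded PowerShell).
$guidRe = '^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$'
Get-ChildItem 'HKLM:\Software' -ErrorAction SilentlyContinue | Where-Object { $_.PSChildName -match $guidRe } | ForEach-Object {
    $key = $_
    foreach ($name in $key.GetValueNames()) {
        $val = $key.GetValue($name)
        if ($val -is [string] -and $val -match '^[A-Za-z0-9+/]{120,}={0,2}$') {
            # Encoded PowerShell is UTF-16LE base64; fall back to the raw value if it does not decode.
            try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($val)) } catch { $decoded = $val }
            Add-Finding 'Registry' "$($key.Name)\$name" $decoded.Substring(0, [Math]::Min(120, $decoded.Length))
        }
    }
}

# 3. Active hosts-file lines that pin eScan hostnames (a block to 0.0.0.0 or 127.0.0.1 is the indicator).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match 'escan' } |
    ForEach-Object { Add-Finding 'HostsFile' $hostsPath $_.Trim() }

# 4. Copies of the named stage binaries, with hash and signer. A valid eScan signature does not clear a
#    file here, because the trojanized updater was signed with the genuine certificate; compare the
#    hashes against the vendor's IOC collection instead.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:SystemRoot) | Where-Object { $_ }
Get-ChildItem $roots -Recurse -Force -Include 'Reload.exe', 'CONSCTLX.exe' -ErrorAction SilentlyContinue | ForEach-Object {
    $sig  = Get-AuthenticodeSignature $_.FullName
    $hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
    Add-Finding 'File' $_.FullName "sha256=$hash signer=$($sig.SignerCertificate.Subject) status=$($sig.Status)"
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No eScan compromise indicators found.' }
```

Every hit is a lead to triage, not a verdict: the legitimate Reload.exe will appear under the eScan install directory, so match its hash against the IOC collection before acting.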
Source:
- https://www.morphisec.com/blog/critical-escan-threat-bulletin/