eScan Antivirus Compromised: Malicious Updates Unleash Multi-Stage Malware
- John Jordan
- 2 hours ago
- 2 min read
Cybercriminals have successfully infiltrated the update servers of eScan antivirus, a product by MicroWorld Technologies. This breach allowed attackers to distribute multi-stage malware through the legitimate update infrastructure, impacting both enterprise and consumer systems globally. The incident highlights the growing threat of supply chain attacks, even targeting security software.

Key Takeaways
- eScan's update servers were compromised, leading to the distribution of malicious updates.
- A multi-stage malware payload was delivered, designed for persistence and evasion.
- The attack primarily affected users in South Asia.
- eScan has released a patch to address the issue, but automatic remediation is not possible on compromised systems.
The Attack Unfolds
On January 20, 2026, attackers gained unauthorized access to a regional eScan update server and used it to distribute a trojanized eScan component. The malicious file carried a fake digital signature so that it would pass initial checks. Upon execution, it performed environment checks and then deployed a series of PowerShell payloads.
Malware Capabilities and Evasion Tactics
The deployed malware was sophisticated, employing several tactics to ensure persistence and evade detection:
- Tampering with eScan: The malware modified eScan's files and registry settings to prevent it from receiving legitimate updates and to disable its ability to detect the malicious components.
- HOSTS File Modification: The HOSTS file was altered to block eScan's update servers, effectively cutting off the antivirus from its developers.
- AMSI Bypass: The malware included a capability to bypass the Windows Antimalware Scan Interface (AMSI), a crucial security feature.
- Persistence Mechanisms: It established persistence through scheduled tasks (e.g., CorelDefrag) and by replacing legitimate components like CONSCTLX.exe with malicious versions.
- Victim Validation: The malware checked for the presence of analysis tools or competing security solutions before proceeding with further infection stages.
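As an added defender-side example (not code from eScan, MicroWorld, or any of the cited reports), the following Python script scans a HOSTS file for entries that redirect a vendor's update domains to an unreachable address, the kind of tampering described above. The update domain names and the sample HOSTS content are constructed placeholders, not eScan's real infrastructure.

```python
import ipaddress
import re

# Assumption: placeholder update domains the antivirus must reach (not eScan's real ones).
VENDOR_UPDATE_DOMAINS = ("update.escan.example", "download.escan.example")


def _is_blackhole(ip_text):
    """True for addresses that make a mapped hostname unreachable."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local


def _matches_vendor(host, domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_blocked_update_hosts(hosts_text, domains=VENDOR_UPDATE_DOMAINS):
    """Return [(line_no, ip, hostname)] for HOSTS entries that redirect a
    vendor update hostname to an unreachable address. Handles '#' comments,
    inline comments and several hostnames on one line."""
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # strip full-line and inline comments
        if not line:
            continue
        ip_text, *hostnames = re.split(r"\s+", line)
        if not _is_blackhole(ip_text):
            continue  # normal mapping, e.g. an intranet host
        for host in hostnames:
            if _matches_vendor(host, domains):
                findings.append((line_no, ip_text, host))
    return findings


# Constructed sample HOSTS content, not taken from a real infection.
SAMPLE_HOSTS = """127.0.0.1       localhost
::1             localhost
0.0.0.0 update.escan.example download.escan.example  # added by malware
127.0.0.1 intranet.corp.example
"""

if __name__ == "__main__":
    for line_no, ip, host in find_blocked_update_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} (update channel blocked)")
```

On a Windows host the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; a hit is a strong indicator that the update channel was deliberately cut, as this incident describes.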
Targeted Regions and Impact
While the attack had a global reach, telemetry data indicated that hundreds of machines, belonging to both individuals and organizations, encountered infection attempts primarily in South Asia, specifically India, Bangladesh, Sri Lanka, and the Philippines. The attack vector was indiscriminate, relying on the compromised update server to push the payload to affected users.
Remediation and Response
MicroWorld Technologies confirmed the unauthorized access and immediately isolated the affected update servers, which were offline for over eight hours. The company has since released a patch to revert the malicious changes. However, due to the malware's ability to interfere with the antivirus's functionality, automatic remediation is not possible on compromised systems. Affected users are advised to contact eScan directly to obtain the necessary fix and restore normal operations. Security researchers recommend blocking known command-and-control domains and scanning endpoints for the identified malicious hashes.
As cyber threats continue to evolve, your security strategy needs to evolve with them. BetterWorld Technology delivers adaptive cybersecurity solutions designed to keep your business secure while supporting innovation. Connect with us today to schedule a personalized consultation.
Sources
- eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware, The Hacker News.
- Threat Bulletin: Critical eScan Supply Chain Compromise, Morphisec.
- Malicious Update Delivers Malware to South Asian Users, Rescana.
- eScan Antivirus Delivers Malware in Supply Chain Attack, SecurityWeek.
- eScan supply chain attack: what you should know, Securelist.