eScan Antivirus Update Server Hacked to Push Malicious Update packages
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A critical supply chain compromise affecting MicroWorld Technologies\u2019 eScan antivirus product, wherein threat actors successfully hijacked the vendor\u2019s legitimate update infrastructure to distribute malware.<\/p>\n
Discovered on January 20, 2026, by Morphisec, the attack utilized a trojanized update package to deploy multi-stage malware across enterprise and consumer endpoints globally. <\/p>\n
The incident renders the antivirus software ineffective and specifically tampers with system configurations to prevent automatic remediation.<\/p>\n
The compromise was initiated through a malicious update pushed directly via eScan\u2019s official channels. The attack chain begins with \u201cStage 1,\u201d where a trojanized component replaces the legitimate\u00a0 Morphisec observed<\/a> that the malicious executable is digitally signed with a valid certificate belonging to \u201ceScan (Microworld Technologies Inc.),\u201d allowing it to bypass standard trust verifications.<\/p>\n Once executed, this payload drops a \u201cStage 3\u201d downloader identified as\u00a0 This stage is particularly aggressive, employing PowerShell execution and tampering with the Windows Registry<\/a> to disable security features.<\/p>\n The malware connects to Command and Control (C2)<\/a> infrastructure to retrieve additional payloads, effectively turning the security tool into a gateway for further compromise.<\/p>\n A defining characteristic of this campaign is its focus on \u201canti-remediation.\u201d The malware actively modifies the infected system\u2019s\u00a0 Furthermore, it alters specific eScan registry keys and configuration files to break the antivirus\u2019s update mechanism permanently. <\/p>\n Consequently, infected systems cannot receive automatic patches or definitions, leaving them vulnerable even after the vendor restores their infrastructure.<\/p>\n Persistence is achieved through the creation of deceptive Scheduled Tasks located in\u00a0 Additionally, registry persistence is established under\u00a0 Organizations utilizing eScan antivirus are urged to scan their environments immediately for the following indicators. <\/p>\n Note that automatic remediation is not possible; the presence of these files indicates a compromise requiring manual intervention.<\/p>\n Network administrators should block egress traffic to the following domains, which have been identified as part of the attacker\u2019s command and control infrastructure.<\/p>\n Because the malware effectively breaks the update mechanism of the antivirus software, automatic updates will fail on compromised machines. <\/p>\n eScan has reportedly taken the global update system offline for over eight hours to isolate the infrastructure, but this does not clean already infected endpoints.<\/p>\n Administrators must assume compromise for systems running eScan that were active on or after January 20, 2026. <\/p>\n Immediate steps include verifying the\u00a0 Affected organizations must contact MicroWorld Technologies (eScan) directly to obtain a specialized manual patch designed to revert the configuration changes and restore the updater\u2019s functionality. <\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post eScan Antivirus Update Server Hacked to Push Malicious Update packages<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nReload.exe<\/code>\u00a0(32-bit) binary. <\/p>\nCONSCTLX.exe<\/code>. Following the initial breach, a \u201cStage 2\u201d downloader establishes persistence and executes defense evasion maneuvers.<\/p>\nhosts<\/code>\u00a0file to block communication with eScan\u2019s update servers. <\/p>\nC:WindowsDefrag<\/code>. The malware generates tasks using a naming pattern that mimics legitimate system processes, such as\u00a0WindowsDefragCorelDefrag<\/code>. <\/p>\nHKLMSoftware<\/code>\u00a0using randomly generated GUID keys containing encoded PowerShell payloads.<\/p>\nIndicators of Compromise (IOCs)<\/strong><\/h2>\n
\n\n
\n \nComponent Description<\/th>\n Filename<\/th>\n SHA-256 Hash<\/th>\n<\/tr>\n<\/thead>\n \n \nStage 1 Payload<\/strong>\u00a0(Trojanized Update)<\/td>\n Reload[.]exe (32-bit)<\/td>\n 36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860<\/td>\n<\/tr>\n \n Stage 3 Downloader<\/strong><\/td>\n CONSCTLX[.]exe (64-bit)<\/td>\n bec369597633eac7cc27a698288e4ae8d12bdd9b01946e73a28e1423b17252b1<\/td>\n<\/tr>\n \n Related Sample<\/strong><\/td>\n N\/A<\/td>\n 674943387cc7e0fd18d0d6278e6e4f7a0f3059ee6ef94e0976fae6954ffd40dd<\/td>\n<\/tr>\n \n Related Sample<\/strong><\/td>\n N\/A<\/td>\n 386a16926aff225abc31f73e8e040ac0c53fb093e7daf3fbd6903c157d88958c<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n Network Indicators and C2 Infrastructure<\/strong><\/h2>\n
\n\n
\n \nDomain \/ IP<\/th>\n Context<\/th>\n<\/tr>\n<\/thead>\n \n hxxps[:\/\/]vhs[.]delrosal[.]net\/i<\/td>\n C2 Infrastructure<\/td>\n<\/tr>\n \n hxxps[:\/\/]tumama[.]hns[.]to<\/td>\n C2 Infrastructure<\/td>\n<\/tr>\n \n hxxps[:\/\/]blackice[.]sol-domain[.]org<\/td>\n C2 Infrastructure<\/td>\n<\/tr>\n \n 504e1a42.host.njalla.net<\/td>\n Malicious Host<\/td>\n<\/tr>\n \n 185.241.208[.]115<\/td>\n Malicious IP<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n Remediation and Mitigation Measures<\/strong><\/h2>\n
hosts<\/code>\u00a0file for entries blocking eScan domains and inspecting the registry for suspicious GUID keys containing byte array data. <\/p>\n