The update infrastructure for eScan antivirus was compromised by unknown attackers to deliver a persistent downloader and multi‑stage malware to enterprise and consumer endpoints worldwide, according to the advisory cited by Morphisec researcher Michael Gorelik.
MicroWorld Technologies said it detected unauthorized access to its infrastructure and immediately isolated the impacted update servers, which remained offline for over eight hours, and it has since released a patch that reverts the changes introduced by the malicious update.
The attack is described as stemming from unauthorized access to one regional update server configuration, enabling the delivery of a corrupt update during a two‑hour window on 20 January 2026, with MicroWorld issuing further details in an advisory on 22 January 2026.
The incident involved a rogue Reload[.]exe that replaces the legitimate file in C:\Program Files (x86)\eScan with one that can drop a downloader, establish persistence, block remote updates, and contact an external server for additional payloads such as CONSCTLX[.]exe. Kaspersky analysis noted hundreds of machines, across India, Bangladesh, Sri Lanka and the Philippines, encountered infection attempts related to this supply‑chain style attack.
The malicious PowerShell payloads aim to tamper with the installed eScan solution, bypass AMSI, and determine whether to extend the infection, with the final payloads delivered via a scheduled task.
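The behaviour described above (a replaced Reload.exe in the eScan install directory and a scheduled task that delivers the later stages) suggests two quick host-triage checks. The script below is an added example written for this page; it is not code from MicroWorld, eScan, Morphisec or Kaspersky. It assumes the install path named in the article, and it assumes the vendor's legitimate Reload.exe carries an Authenticode signature; if that assumption does not hold for a given build, the `$KnownGoodSha256` placeholder should be replaced with a vendor-published hash so the hash comparison takes over. The task filter is deliberately broad (anything executing from the eScan directory or invoking PowerShell) and is a hunting starting point, not a verdict.

```powershell
# Added triage script (not from the vendor or the cited advisory).
# Assumptions: eScan is installed at the path named in the article, and the
# legitimate Reload.exe is Authenticode-signed. The hash below is a placeholder,
# not a real indicator; replace it with a vendor-published value if available.
$EscanDir        = 'C:\Program Files (x86)\eScan'
$Target          = Join-Path $EscanDir 'Reload.exe'
$KnownGoodSha256 = 'PLACEHOLDER_VENDOR_PUBLISHED_SHA256'

function Test-EscanReloadBinary {
    # Reports whether Reload.exe is present, whether its signature validates,
    # and (optionally) whether its SHA-256 matches a known-good value.
    if (-not (Test-Path -LiteralPath $Target)) {
        return [pscustomobject]@{
            Path = $Target; Present = $false; SignatureStatus = 'n/a'
            Signer = $null; Sha256 = $null; Suspicious = $true
        }
    }
    $sig  = Get-AuthenticodeSignature -FilePath $Target
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $Target).Hash
    $hashCheckEnabled = $KnownGoodSha256 -ne 'PLACEHOLDER_VENDOR_PUBLISHED_SHA256'
    $suspicious = ($sig.Status -ne 'Valid') -or
                  ($hashCheckEnabled -and ($hash -ne $KnownGoodSha256))
    [pscustomobject]@{
        Path            = $Target
        Present         = $true
        SignatureStatus = $sig.Status          # 'Valid', 'NotSigned', 'HashMismatch', ...
        Signer          = $sig.SignerCertificate.Subject
        Sha256          = $hash
        Suspicious      = $suspicious
    }
}

function Get-SuspiciousEscanTasks {
    # Lists scheduled tasks whose action runs from the eScan directory or invokes
    # PowerShell; the article says the final payloads arrived via a scheduled task.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match [regex]::Escape($EscanDir) -or $cmd -match 'powershell') {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    State    = $task.State
                    Command  = $cmd
                }
            }
        }
    }
}

# Run both checks; review anything marked Suspicious or listed as a task.
Test-EscanReloadBinary   | Format-List
Get-SuspiciousEscanTasks | Format-Table -AutoSize
```

Run it in an elevated session, since reading the install directory and enumerating all scheduled tasks may require administrator rights. A `SignatureStatus` other than `Valid` on a file that the vendor ships signed, or a task that launches PowerShell from the eScan directory, is a reason to pull the host for full forensic review rather than to remediate in place.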