Security researchers from Morphisec revealed a major supply chain compromise affecting MicroWorld Technologies’ eScan antivirus, with attackers hijacking the update infrastructure on 20 January 2026 to push a trojanised patch directly to customers. Instead of receiving genuine virus definitions, thousands of endpoints downloaded the malicious package, which replaced the 32-bit Reload[.]exe component to spark a multi-stage infection that then dropped a secondary downloader named CONSCTLX[.]exe.
The malware actively dismantles the antivirus by tampering with the eScan registry, files and update configuration to prevent updates and proper function, and by modifying the hosts file to block eScan’s update servers. Morphisec’s findings also describe indicators such as random GUIDs in registry keys, unexpected scheduled tasks, and network activity to certain C2 domains, which administrators should monitor.
The vendor reportedly isolated the affected infrastructure within an hour of detection and took the global update system offline for over eight hours to contain the breach, with remediation requiring hands-on repair for already infected machines. According to Morphisec, automatic remediation is not possible for compromised systems.
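The hosts-file tampering described above can be checked for on endpoints. The following is an added example, not code from Morphisec or eScan: it parses hosts-file text and reports any entry that overrides a watched update hostname. The suffix `av-vendor.example` and the sample file are constructed placeholders, since the article does not list the real update hostnames.

```python
import ipaddress

# Assumption: placeholder suffix. Replace with the update hostnames your
# vendor documents; the page does not list them.
WATCHED_SUFFIXES = ("av-vendor.example",)

# Constructed sample hosts file, not taken from an infected machine.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
::1         localhost
0.0.0.0     update1.av-vendor.example
127.0.0.1   Update2.AV-Vendor.example. cdn.av-vendor.example
203.0.113.7 update3.av-vendor.example
10.0.0.5    intranet.corp.example
#0.0.0.0    commented.av-vendor.example
"""

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid mapping line
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def find_update_overrides(text, suffixes=WATCHED_SUFFIXES):
    """Return hosts entries that override a watched update hostname."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if not any(name == s or name.endswith("." + s) for s in suffixes):
            continue
        # Loopback or 0.0.0.0/:: blocks the host; anything else redirects it.
        reason = "sinkholed" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append({"line": line_no, "host": name, "ip": str(ip), "reason": reason})
    return findings

if __name__ == "__main__":
    for f in find_update_overrides(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['reason']})")
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; any finding for an antivirus update host warrants investigation, since legitimate software rarely pins those names there.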