eScan AV supply chain compromise: Users targeted with malicious updates

The update infrastructure for eScan antivirus, a product of Indian cybersecurity company MicroWorld Technologies, has been compromised by unknown attackers to deliver a persistent downloader to enterprise and consumer endpoints.

eScan antivirus update compromised

The supply chain compromise also caused the eScan antivirus on those endpoints to stop working as intended, since the trojanized eScan update tampered with the solution’s registry, files and update configuration to block remote updates, Morphisec researchers revealed on Thursday.

MicroWorld’s incident response

It’s unknown when the update infrastructure was compromised, but the malicious update package was distributed on January 20, 2026.

Morphisec flagged the malicious update and contacted MicroWorld Technologies, who said that they had detected the incident via internal monitoring and reacted quickly: they “isolated [the] affected infrastructure within 1 hour, and took global update system offline for 8+ hours.”

MicroWorld told Bleeping Computer that the compromised update server delivered the malicious eScan update for approximately two hours, and that it has since been rebuilt. The company also rotated authentication credentials and developed a patch.

Since the malicious update made the remote updating of the solution impossible, some of the affected organizations and individuals had to contact MicroWorld directly to obtain the patch, and to implement it manually themselves.

Advice for affected organizations

The trojanized eScan component (Reload.exe) was signed, and launched a downloader that connected to attacker-operated C2 infrastructure for additional payloads, tampered with the hosts file and eScan registry entries to block remote updates for the antivirus, and implemented persistence mechanisms.

Another, persistent downloader (ConsCtl.exe) was also dropped by the trojanized eScan update, and it may have downloaded additional malware on computers that relied on eScan to prevent infections.

Morphisec’s advice for those users is to assume compromise, isolate the system(s), and investigate whether they’ve been saddled with the trojanized eScan update.

The company advises security defenders to look for malicious files, unexpected scheduled tasks, suspicious GUID-named keys in the registry, and entries blocking eScan domains in the hosts file.
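One of the indicators above, hosts-file entries that sinkhole the vendor's update domains, is easy to check in a repeatable way. The script below is an added example for defenders, not code from Morphisec, MicroWorld or the article: it parses a Windows-style hosts file (comments, inline comments, IPv4 and IPv6, several hostnames per line, optional UTF-8 BOM) and reports every watched domain that is pointed at a loopback or unspecified address ("sinkholed") or at any other address ("redirected"). The article does not list eScan's update domains, so the watch list and the sample hosts content are constructed placeholders; replace them with the vendor's real update domains and the shared IoCs before use.

```python
import ipaddress
from pathlib import Path

# Assumption: the real eScan update domains are not given in the article, so
# this watch list uses constructed placeholder names under the reserved
# .example TLD. Replace with the vendor's documented update domains.
WATCHED_DOMAIN_SUFFIXES = ("escan-update.example", "escanav.example")

# Default location of the hosts file on Windows.
WINDOWS_HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Constructed sample, not a capture from a real system. Line 4 onward mimics
# what an update-blocking modification could look like.
SAMPLE_HOSTS = """\
# constructed sample hosts file for demonstration
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.escan-update.example   # constructed: sinkholed vendor domain
127.0.0.1 dl.escanav.example cdn.escanav.example
198.51.100.7    license.escanav.example
192.0.2.10      intranet.corp.example
"""


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each effective hosts entry.

    Full-line and inline '#' comments and blank lines are skipped; hostnames
    are lower-cased because hosts-file matching is case-insensitive.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: address without any hostname
        yield line_no, parts[0], [h.lower() for h in parts[1:]]


def is_sinkhole(address):
    """True for loopback (127/8, ::1) or unspecified (0.0.0.0, ::) addresses,
    i.e. targets at which no real update server can be reached."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def matches_watchlist(hostname, suffixes=WATCHED_DOMAIN_SUFFIXES):
    """True if hostname is one of the watched domains or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in suffixes)


def find_blocked_domains(hosts_text, suffixes=WATCHED_DOMAIN_SUFFIXES):
    """Return findings as (line_no, address, hostname, kind) tuples.

    kind is 'sinkholed' when the watched domain is mapped to a loopback or
    unspecified address, and 'redirected' when it is mapped anywhere else;
    a legitimate hosts file should normally contain neither for vendor
    update domains.
    """
    findings = []
    for line_no, address, hostnames in parse_hosts(hosts_text):
        for hostname in hostnames:
            if matches_watchlist(hostname, suffixes):
                kind = "sinkholed" if is_sinkhole(address) else "redirected"
                findings.append((line_no, address, hostname, kind))
    return findings


def load_hosts_file(path=WINDOWS_HOSTS_PATH):
    """Read a hosts file, tolerating the UTF-8 BOM some Windows editors add."""
    return path.read_text(encoding="utf-8-sig", errors="replace")


if __name__ == "__main__":
    # Run against the constructed sample, then against the live file if present.
    for label, text in [("sample", SAMPLE_HOSTS)] + (
        [("live", load_hosts_file())] if WINDOWS_HOSTS_PATH.exists() else []
    ):
        findings = find_blocked_domains(text)
        print(f"[{label}] {len(findings)} watched-domain entries found")
        for line_no, address, hostname, kind in findings:
            print(f"  line {line_no}: {hostname} -> {address} ({kind})")
```

A clean endpoint produces no findings for the vendor domains; any "sinkholed" hit on a host that also stopped receiving updates is a strong signal to treat the machine as compromised and move to the isolation and forensic steps the researchers recommend. The same parser can be pointed at a hosts file collected from a disk image, since it works on text rather than on the live system.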

“Block C2 domains at network perimeter and review eScan update logs for activity on January 20, 2026,” they urged, and shared indicators of compromise for defenders to look for.

“Conduct forensic analysis to determine if [the persistent] downloader was deployed. Reset credentials for any accounts accessed from affected systems. Contact eScan directly to obtain the manual update/patch,” they also counseled.

Morphisec says that all of their customers running eScan were targeted by this attack, while MicroWorld claims only a small subset of its customers received the malicious update.

Incidentally, this is not the first time that eScan users were targeted with malware: in 2024, attackers exploited a vulnerability in the antivirus program to sideload the GuptiMiner backdoor and the XMRig crypto miner onto organizations’ computers.

Help Net Security has reached out to both companies for more information about other malware that may have been downloaded during this latest attack and on how the compromise of the eScan updating infrastructure happened. We’ll update this article if we hear back from them.
