eScan AV users targeted with malicious updates
The update infrastructure for eScan antivirus, a product of Indian cybersecurity company MicroWorld Technologies, has been compromised by unknown attackers to deliver a persistent downloader to enterprise and consumer endpoints.

The compromise also left the eScan antivirus on those endpoints unable to work as intended: the trojanized eScan update tampered with the solution's registry entries, files and update configuration to block remote updates, Morphisec researchers said on Thursday.
MicroWorld’s incident response
It’s unknown when the update infrastructure was compromised, but the malicious package was distributed on January 20, 2026.
Morphisec flagged the malicious update and contacted MicroWorld Technologies, which said that it had already detected the incident via internal monitoring and reacted quickly: they “isolated [the] affected infrastructure within 1 hour, and took global update system offline for 8+ hours.”
MicroWorld told Bleeping Computer that the compromised update server delivered the malicious eScan update for approximately two hours, and that it has since been rebuilt. The company also rotated authentication credentials and developed a patch.
Since the malicious update made remote updating of eScan impossible, some affected organizations and individuals had to contact MicroWorld directly to obtain the patch and apply it manually, Morphisec researchers said.
Advice for affected organizations
The trojanized eScan component (Reload.exe) launched a downloader that connected to attacker-operated C2 infrastructure for additional payloads, tampered with the hosts file and eScan registry entries to block remote updates for the antivirus, and set up persistence mechanisms.
Another persistent downloader (ConsCtl.exe) was also dropped by the trojanized update, and it may have downloaded additional malicious payloads on the hosts.
Morphisec’s advice to eScan users is to assume compromise, isolate the affected system(s), and investigate whether they received the trojanized update.
The company advises defenders to look for the malicious files, unexpected scheduled tasks, suspicious GUID-named keys in the registry, and hosts-file entries that block eScan update domains.
“Block C2 domains at network perimeter and review eScan update logs for activity on January 20, 2026,” they urged, and shared indicators of compromise for defenders to search for.
“Conduct forensic analysis to determine if [the persistent] downloader was deployed. Reset credentials for any accounts accessed from affected systems. Contact eScan directly to obtain the manual update/patch,” they also counseled.
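The triage steps above (hosts-file tampering, GUID-named autorun keys, unexpected scheduled tasks) can be run offline against artifacts exported from a suspect host. The script below is an added example, not Morphisec’s or MicroWorld’s tooling; it assumes the responder has already collected the hosts file text, the autorun registry entries and the scheduled-task list. The eScan domain names and all sample data are constructed placeholders (marked as such in the code); substitute the vendor’s real update hosts and the published IoCs. Note that GUID-named keys are normal under locations such as CLSID, so the check is scoped to autorun paths where they are not expected.

```python
"""Offline triage for the eScan update-compromise indicators listed above.

Added example, not vendor tooling. Inputs are artifacts already exported from a
Windows host: hosts file text, autorun registry entries, scheduled task names
and actions. Domain names and sample data are constructed (ASSUMPTION).
"""
import ipaddress
import re

# ASSUMPTION: placeholder update hosts, not the vendor's real ones.
ESCAN_UPDATE_DOMAINS = {"update.escan.example", "download.escan.example"}

# Autorun locations where a GUID-named value is not normal (CLSID etc. are excluded).
AUTORUN_PATHS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

GUID_RE = re.compile(
    r"^\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?$", re.I
)
# Directories a standard user can write to; binaries launched from here deserve a look.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Public|Downloads)\\", re.I)


def hosts_hijacks(hosts_text, domains=ESCAN_UPDATE_DOMAINS):
    """Return (line_no, kind, address, names) for hosts entries naming a watched domain.

    Any static mapping for an update host is suspicious: loopback/unspecified
    addresses block updates, anything else redirects them elsewhere.
    """
    watched = {d.lower() for d in domains}
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not body:
            continue
        fields = body.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a hosts entry
        names = {f.lower().rstrip(".") for f in fields[1:]}
        if names & watched:
            kind = "block" if (addr.is_loopback or addr.is_unspecified) else "redirect"
            hits.append((lineno, kind, str(addr), sorted(names & watched)))
    return hits


def guid_autoruns(entries, paths=AUTORUN_PATHS):
    """entries: iterable of (key_path, value_name, data). Flag GUID-named autorun values."""
    prefixes = tuple(p.lower() for p in paths)
    return [
        (key, name, data)
        for key, name, data in entries
        if key.lower().startswith(prefixes) and GUID_RE.match(name)
    ]


def suspicious_tasks(tasks):
    """tasks: iterable of (task_name, action). Flag GUID names or user-writable binaries."""
    hits = []
    for name, action in tasks:
        leaf = name.rsplit("\\", 1)[-1]
        if GUID_RE.match(leaf):
            hits.append((name, action, "guid-name"))
        elif USER_WRITABLE_RE.search(action):
            hits.append((name, action, "user-writable-path"))
    return hits


# Constructed sample artifacts (not real evidence from the incident).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
0.0.0.0   update.escan.example   # added by trojanized update
198.51.100.7 download.escan.example
::1 localhost
"""
SAMPLE_AUTORUNS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "{3a5f0c1e-9d2b-4f6a-8c7e-1b2d3e4f5a6b}", r"C:\Users\alice\AppData\Roaming\svc\svchelper.exe"),
    (r"HKLM\SOFTWARE\Classes\CLSID\{00021401-0000-0000-C000-000000000046}", "", "Shortcut"),
]
SAMPLE_TASKS = [
    (r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe -c -h -o -$"),
    (r"\{7c9e1b2a-4d3f-4e5a-9b8c-0d1e2f3a4b5c}", r"C:\Users\alice\AppData\Local\Temp\upd.exe"),
]


def triage(hosts_text=SAMPLE_HOSTS, autoruns=SAMPLE_AUTORUNS, tasks=SAMPLE_TASKS):
    """Run all three checks and return the findings keyed by artifact type."""
    return {
        "hosts": hosts_hijacks(hosts_text),
        "autoruns": guid_autoruns(autoruns),
        "tasks": suspicious_tasks(tasks),
    }


if __name__ == "__main__":
    for section, hits in triage().items():
        print(section)
        for hit in hits:
            print("   ", hit)
```

On the constructed sample the hosts check reports one blocking entry and one redirect, the autorun check reports the GUID-named Run value while ignoring the legitimate CLSID key, and the task check reports the GUID-named task. Treat every hit as a lead to confirm against the published IoCs and update logs, not as proof of compromise on its own.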
Morphisec says that all of their customers running eScan were hit by this attack. MicroWorld claims only a small subset of its customers received the malicious update.
Incidentally, this is not the first time that eScan users were targeted with malware: in 2024, attackers exploited a vulnerability in the antivirus program to sideload the GuptiMiner backdoor and the XMRig crypto miner onto organizations’ computers.
Help Net Security has reached out to both companies for more information and we’ll update this article when we hear back from them.
UPDATE (January 29, 2026, 06:45 p.m. ET):
“Morphisec detected and blocked the attack on 5 customers. One of these customers had a bring-your-own-device environment with consumer versions of eScan, while the others had enterprise managed versions. Most customers had many endpoints infected,” Morphisec CTO Michael Gorelik told Help Net Security.
“We searched our database for customers running current eScan versions that were not impacted and did not find any. This does NOT mean that every eScan customer globally was infected – our customer base represents a smaller subset of their total user base – but within our visibility, the impact was consistent.”
He shared that the malicious downloader did not reach the download stage on their protected endpoints.
“When we tested the C2 domains the following day, we were unable to validate active C2 communication. However, based on our reverse engineering of the code, the downloader is designed to connect to C2 servers, download an encrypted payload, decrypt it, and execute it directly via PowerShell’s Invoke-Expression. This means the C2 operators can send any commands or scripts for execution on the victim machine – this is remote command execution capability, regardless of whether listening sockets are present,” he added.
“We identified that one of the C2 domains points to hxxps[://]codegiant[.]io/dd/dd/dd[.]git/download/main/middleware[.]ts. Notably, Codegiant allows users to set up pipelines to automate workflows, including deploying Node.js servers. The platform supports CI/CD pipelines for Node.js apps, enabling automatic builds, tests, and deployments to cloud providers (e.g., Cloudflare, AWS) on code changes. This means C2 operators could push updates to the repository (e.g., modifying middleware.ts) and trigger auto-deployment – a dynamic C2 infrastructure that can evolve without changing the download URL.”
Finally, he told us that the persistent downloader checked whether it was running in a virtual machine and for the presence of a variety of popular security and analysis tools, and terminated execution if any were found.
Kaspersky researchers have discovered and shared additional network IoCs related to this attack.

