MicroWorld Technologies, the maker of the eScan antivirus product, has confirmed that one of its update servers was breached and used to distribute an unauthorized update, later analyzed as malicious, to a small subset of customers earlier this month.
The file was delivered to customers who downloaded updates from the regional update cluster during a two-hour window on January 20, 2026.
eScan says the affected infrastructure has since been isolated and rebuilt, authentication credentials have been rotated, and remediation has been made available to impacted customers.

Security firm Morphisec separately published a technical report analyzing malicious activity observed on customer endpoints, which it associates with updates delivered from eScan’s update infrastructure during the same timeframe.
Morphisec states that it detected malicious activity on January 20, 2026, and later contacted eScan. MicroWorld Technologies told BleepingComputer it disputes Morphisec’s claims that it was the first to discover or report the incident.
According to eScan, the company detected the issue internally on January 20 through monitoring and customer reports, isolated the affected infrastructure within hours, and issued a security advisory on January 21. eScan says Morphisec contacted the company later, after publishing public claims about the incident.
eScan also disputes claims that affected customers were unaware of the issue, stating that it conducted proactive notifications and direct outreach to impacted customers while remediation was being finalized.
Update infrastructure breached
In its advisory, eScan classified the incident as an update infrastructure access incident, stating that unauthorized access to a regional update server configuration allowed an unauthorized file to be placed in the update distribution path.
“Unauthorized access to one of our regional update server configurations resulted in an incorrect file (patch configuration binary/corrupt update) being placed in the update distribution path,” reads an advisory shared with BleepingComputer by MicroWorld Technologies.
“This file was distributed to customers downloading updates from the affected server cluster during a limited timeframe on January 20, 2026.”
The company emphasized that the incident did not involve a vulnerability in the eScan product itself.
eScan stressed that only those whose software was updated from the specific regional cluster were impacted, while all other customers remained unaffected.
However, eScan says that those who installed the malicious update may have seen this behavior on their systems:
- Update service failure notifications
- Modified system hosts file preventing connection to eScan update servers
- eScan update configuration file modifications
- Inability to download new security definition updates
- Update unavailability popup on client machines
BleepingComputer contacted eScan with further questions about when its systems were initially breached and will update the story if we receive a reply.
Update deployed to push malware
Morphisec’s security bulletin says that the malicious update pushed down a modified version of an eScan update component, “Reload.exe”.
“Malicious updates were distributed through eScan’s legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally,” reads Morphisec’s bulletin.
While the modified Reload.exe is signed with what appears to be eScan’s code-signing certificate, both Windows and VirusTotal show the signature as invalid.
According to Morphisec, the Reload.exe file [VirusTotal] was used to enable persistence, execute commands, modify the Windows HOSTS file to prevent remote updates, and connect to the C2 infrastructure to download further payloads.
The researchers say the following command and control servers were observed:
hxxps[://]vhs[.]delrosal[.]net/i
hxxps[://]tumama[.]hns[.]to
hxxps[://]blackice[.]sol-domain[.]org
hxxps[://]codegiant[.]io/dd/dd/dd[.]git/download/main/middleware[.]ts
504e1a42.host.njalla[.]net
185.241.208[.]115
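For defenders who want to turn the indicators above and the hosts-file symptom described earlier into a quick triage check, the following is an added example written for this article; it is not code from eScan, Morphisec or BleepingComputer. It refangs the published indicators, matches them against a constructed proxy log (the log format, the client addresses and the `update.escan.example` hostname in the sample hosts file are all invented for the demonstration), and flags hosts-file entries that pin any hostname containing "escan" to an address, since the article names no specific update hostname and that marker is an assumption.

```python
"""Defender-side triage helpers for the indicators in this article (added example)."""
import re

# Indicators as defanged in the article (copied from the page, not invented).
DEFANGED_IOCS = [
    "hxxps[://]vhs[.]delrosal[.]net/i",
    "hxxps[://]tumama[.]hns[.]to",
    "hxxps[://]blackice[.]sol-domain[.]org",
    "hxxps[://]codegiant[.]io/dd/dd/dd[.]git/download/main/middleware[.]ts",
    "504e1a42.host.njalla[.]net",
    "185.241.208[.]115",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxps, [://], [.]) back into a matchable string."""
    ioc = ioc.replace("[://]", "://").replace("[.]", ".")
    ioc = re.sub(r"^hxxps://", "https://", ioc, flags=re.IGNORECASE)
    ioc = re.sub(r"^hxxp://", "http://", ioc, flags=re.IGNORECASE)
    return ioc


def extract_host(value: str) -> str:
    """Reduce a URL, host:port or bare host/IP to its host part, lowercased."""
    value = re.sub(r"^[a-z]+://", "", value.strip(), flags=re.IGNORECASE)
    return value.split("/", 1)[0].split(":", 1)[0].lower()


# Hosts and IPs to look for; the article says both vendors recommend blocking them.
C2_HOSTS = {extract_host(refang(i)) for i in DEFANGED_IOCS}


def scan_proxy_log(lines):
    """Return (line_number, host) for every log line that touches a known C2 host."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for token in line.split():
            host = extract_host(token)
            if host in C2_HOSTS:
                hits.append((n, host))
                break  # one hit per line is enough for triage
    return hits


def check_hosts_file(text: str, marker: str = "escan"):
    """Flag hosts-file entries that pin a hostname containing `marker` to an address.

    The marker is an assumption: the article reports that the hosts file was
    modified to block eScan update servers but names no specific hostname.
    """
    flagged = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            if marker in name.lower():
                flagged.append((parts[0], name))
    return flagged


# Constructed sample inputs (not real captures).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0  update.escan.example   # constructed: update hostname sent to a black hole
"""

SAMPLE_PROXY_LOG = [
    "2026-01-20T10:15:02Z 10.0.0.12 CONNECT blackice.sol-domain.org:443",
    "2026-01-20T10:15:09Z 10.0.0.12 GET https://codegiant.io/dd/dd/dd.git/download/main/middleware.ts",
    "2026-01-20T10:16:30Z 10.0.0.13 GET https://www.example.com/index.html",
    "2026-01-20T10:17:01Z 10.0.0.12 CONNECT 185.241.208.115:443",
]

if __name__ == "__main__":
    for n, host in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy log line {n}: contact with C2 host {host}")
    for ip, name in check_hosts_file(SAMPLE_HOSTS):
        print(f"hosts file pins {name} to {ip}")
```

On a real endpoint, feed `check_hosts_file` the contents of `C:\Windows\System32\drivers\etc\hosts` and `scan_proxy_log` whatever your proxy or DNS logs look like after adjusting the tokenizer; the refanged `C2_HOSTS` set is also what you would load into a blocklist.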
The final payload seen deployed was a file named CONSCTLX.exe [VirusTotal], which Morphisec says acts as a backdoor and a persistent downloader. Morphisec says that the malicious files created scheduled tasks for persistence using names like “CorelDefrag”.
eScan has created a remediation update that customers can run to perform the following actions:
- Automatically identifies and corrects incorrect modifications
- Re-enables proper eScan update functionality
- Verifies successful restoration
- Requires a standard system restart
Both eScan and Morphisec recommend that customers block the above command and control servers for added protection.
In 2024, North Korean hackers were observed exploiting the updating mechanism of eScan antivirus to plant backdoors on corporate networks.
