eScan AV Users Hit by Malicious Update Attack

Summary
– Attackers compromised the update infrastructure for eScan antivirus to deliver a persistent downloader to endpoints, which also disabled the antivirus by blocking remote updates.
– The malicious update was distributed on January 20, 2026, and the vendor, MicroWorld, isolated the affected infrastructure within an hour and took its global update system offline for over eight hours.
– The trojanized component executed a downloader that connected to attacker-controlled servers, tampered with system files to maintain persistence, and blocked the antivirus from updating remotely.
– Security researchers advise affected users to assume compromise, isolate systems, check for malicious files and registry changes, block command-and-control domains, and obtain a manual patch from eScan.
– While Morphisec reported all its eScan-using customers were hit, MicroWorld states only a small subset of its total customer base received the malicious update.
A critical security incident involving the eScan antivirus platform has exposed enterprise and consumer users to a sophisticated attack. Unknown threat actors successfully compromised the software’s update infrastructure, weaponizing the official update mechanism to deploy a persistent downloader onto endpoints. This malicious activity not only delivered harmful payloads but also deliberately crippled the antivirus software itself, preventing it from receiving future security updates remotely.
The incident was first identified by cybersecurity researchers at Morphisec, who observed the trojanized update being distributed on January 20, 2026. The malicious package, masquerading as a legitimate eScan component, executed a multi-stage attack. It ran a downloader that connected to attacker-controlled command-and-control (C2) servers, modified the system’s hosts file and eScan registry to block updates, and established mechanisms to ensure it remained on infected machines. A secondary persistent downloader was also deployed, potentially fetching additional malicious tools.
Upon discovery, Morphisec alerted eScan’s developer, MicroWorld Technologies. The company stated its internal monitoring had already detected the breach. MicroWorld claims it isolated the affected infrastructure within one hour and took its global update system offline for over eight hours. According to the company, the compromised server distributed the malicious update for roughly two hours before being taken down, rebuilt, and secured with new authentication credentials. A manual patch was also developed.
The nature of the attack created a significant remediation challenge. Because the malware disabled eScan’s ability to update itself remotely, many affected organizations and individuals were forced to contact MicroWorld directly to obtain and manually install the necessary patch. This underscores the severe operational disruption caused by the compromise of a trusted security tool’s update channel.
Security teams are urged to treat any system running eScan as potentially compromised. Morphisec advises immediate isolation of affected systems and a thorough investigation. Key indicators include the presence of malicious files like `Reload.exe` and `ConsCtl.exe`, unexpected scheduled tasks, suspicious registry keys, and entries in the hosts file that block eScan domains. Forensic analysis is recommended to determine if the persistent downloader was deployed, and all credentials for accounts accessed from impacted machines should be reset.
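As an added defender-side example (not code from the article, Morphisec or MicroWorld), the following Python check targets the hosts-file indicator described above: it parses a Windows hosts file and reports any entry that pins a vendor update hostname to a sink-hole address or redirects it to some other IP. The domain suffix and the sample hosts content are constructed placeholders, because the article does not list eScan's actual update domains.

```python
"""Hosts-file check for sink-holed antivirus update domains (added example).
The vendor domain list and the sample hosts text below are constructed
placeholders, not eScan's real update domains."""
import ipaddress
from typing import Iterable

# Addresses attackers typically use to null-route a hostname.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}


def parse_hosts(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every mapping; comments are ignored."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not an address mapping
        for host in parts[1:]:  # one line may map several hostnames
            entries.append((no, parts[0], host.lower().rstrip(".")))
    return entries


def find_blocked_update_hosts(hosts_text: str, vendor_suffixes: Iterable[str]) -> list[dict]:
    """Report mappings that touch a vendor domain: a sink-hole blocks updates,
    and a redirect to any other address is just as suspicious."""
    suffixes = tuple(s.lower().lstrip(".") for s in vendor_suffixes)
    hits = []
    for no, ip, host in parse_hosts(hosts_text):
        if host in suffixes or host.endswith(tuple("." + s for s in suffixes)):
            kind = "sinkhole" if ip in SINKHOLE_ADDRS else "redirect"
            hits.append({"line": no, "host": host, "ip": ip, "kind": kind})
    return hits


# Constructed sample: benign localhost lines, a commented-out line that must be
# ignored, two sink-holed update hosts on one line, and a redirected host.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
# 0.0.0.0 update.av-vendor.example   <- commented out, must be ignored
0.0.0.0   update.av-vendor.example   download.av-vendor.example  # blocks updates
203.0.113.7 licence.av-vendor.example
::1 localhost
"""

if __name__ == "__main__":
    for hit in find_blocked_update_hosts(SAMPLE_HOSTS, ["av-vendor.example"]):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']} ({hit['kind']})")
```

On a live endpoint, feed the function the contents of `%SystemRoot%\System32\drivers\etc\hosts` and the vendor's published update domains; any hit is a trigger for the isolation and forensic steps listed above.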
While Morphisec reported that all its customers using eScan were affected, MicroWorld maintains that only a small subset of its total user base received the malicious update. This discrepancy highlights differences in visibility between a security vendor’s client base and the software developer’s entire ecosystem.
Further analysis revealed the downloader’s advanced capabilities. It was designed to fetch encrypted payloads from C2 servers and execute them directly via PowerShell, granting attackers remote command execution on victim machines. Notably, one C2 domain leveraged the Codegiant platform, suggesting the attackers used a dynamic infrastructure that could be updated automatically through CI/CD pipelines. The malware also included anti-analysis checks, terminating its execution if it detected a virtual machine or common security tools.
This event is a stark reminder of the risks associated with software supply chain attacks. It is not the first time eScan has been exploited; in 2024, a vulnerability was used to sideload cryptocurrency mining malware. The incident reinforces the need for defense-in-depth strategies, as relying solely on a single security product can create a single point of catastrophic failure. Organizations should monitor for shared indicators of compromise and ensure robust network perimeter defenses are in place to block known malicious domains.
(Source: HelpNet Security)

