eScan Server Breach Delivers Malicious Software Update

Summary
– eScan’s update server was breached, allowing a malicious file to be distributed to a small subset of customers during a two-hour window on January 20, 2026.
– The company states it detected the issue internally, isolated the infrastructure, and provided remediation, disputing claims that it was unaware or that customers were not notified.
– Security firm Morphisec analyzed the incident, reporting the malicious update deployed multi-stage malware that acted as a backdoor and modified system files.
– eScan emphasizes the breach was an infrastructure access issue, not a product vulnerability, and only affected customers using a specific regional update cluster.
– Both eScan and Morphisec recommend blocking identified command and control servers, and eScan has released a remediation tool to restore proper functionality.
A recent security incident involving eScan antivirus software highlights the critical risks when trusted update channels are compromised. MicroWorld Technologies, the developer of eScan, has confirmed that one of its regional update servers was breached, leading to a malicious software update being distributed to a limited number of customers. This unauthorized file was delivered during a specific two-hour window on January 20, 2026, to users who downloaded updates from that particular server cluster.
The company has stated that the affected infrastructure was quickly isolated and completely rebuilt following the discovery. All authentication credentials were rotated, and a remediation process was made available to impacted users. eScan emphasizes that the core product itself contained no vulnerability; the issue stemmed solely from unauthorized access to a server configuration, which allowed a malicious file to be placed into the update distribution path.
Security researchers at Morphisec published a separate analysis, detailing malicious activity they observed on customer systems. They linked this activity to updates delivered from eScan’s infrastructure during the same timeframe. Morphisec reports detecting the activity on January 20 and subsequently contacting the antivirus firm. However, eScan disputes the timeline of this external report, asserting that its internal monitoring and customer reports led to the incident’s discovery and that proactive isolation and notification efforts began before Morphisec’s public claims.
According to eScan, only customers updating from the specific compromised regional server were affected. Those who installed the malicious update may have experienced several issues, including update service failures, modifications to the system’s hosts file that blocked connections to eScan servers, and an inability to receive new security definition updates. The company maintains it conducted direct outreach to notify impacted customers.
The malicious update delivered a tampered version of a legitimate eScan component called “Reload.exe.” The file carried a signature purporting to be eScan’s, but the signature did not validate and security tools flagged it as invalid. The file was designed to establish persistence on infected machines, execute commands, and modify system settings to hinder further updates. It also connected to a set of command-and-control servers to download additional payloads.
The final payload observed was a file named CONSCTLX.exe, which functions as a backdoor and persistent downloader. The malware created scheduled tasks for persistence, often using deceptive names like “CorelDefrag.” In response, eScan has released a dedicated remediation update that automatically identifies and corrects the malicious modifications, re-enables proper update functionality, and verifies the restoration after a standard system restart.
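As an added triage example (not eScan’s remediation update or Morphisec’s tooling), the following Python script checks the two host-side indicators the write-up describes: eScan update hosts statically pinned in the hosts file, and a scheduled task named CorelDefrag or launching CONSCTLX.exe. The hosts file and task listing are constructed samples, the CSV column names assume the English-locale output of `schtasks /query /fo CSV /v`, and the eScan domain suffix `escanav.com` is an assumption to verify against your own installation.

```python
"""Offline IOC triage for the indicators in the eScan write-up above.

Added example, not eScan's remediation tool or Morphisec's analysis code.
The hosts file and task listing below are constructed samples, and the vendor
domain suffix is an assumption to be checked against your own eScan settings.
"""
import csv
import io
from dataclasses import dataclass

# ASSUMPTION: eScan update hosts live under this suffix; verify locally.
VENDOR_DOMAIN_SUFFIXES = ("escanav.com",)

# Addresses that turn a hosts entry into a blackhole rather than a redirect.
SINKHOLE_ADDRESSES = {"0.0.0.0", "::", "::1"}

# Indicators named in the incident description: task name and final payload.
SUSPECT_TASK_NAMES = {"coreldefrag"}
SUSPECT_BINARIES = {"consctlx.exe"}

SAMPLE_HOSTS = """\
# constructed sample hosts file, not a real capture
127.0.0.1       localhost
::1             localhost
# lines a tampered update could add to cut the agent off from its vendor
127.0.0.1 update1.escanav.com update2.escanav.com
0.0.0.0   download.escanav.com   # trailing comment
10.0.0.5  intranet.example.local
"""

# Constructed to mirror the columns of `schtasks /query /fo CSV /v` (English locale).
SAMPLE_TASKS_CSV = '''\
"HostName","TaskName","Next Run Time","Status","Task To Run"
"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","%windir%\\system32\\defrag.exe -c"
"WS01","\\CorelDefrag","N/A","Ready","C:\\ProgramData\\CONSCTLX.exe"
"WS01","\\Backup","N/A","Ready","C:\\Tools\\backup.cmd"
'''


@dataclass(frozen=True)
class HostsEntry:
    line_no: int
    address: str
    hostname: str


def parse_hosts(text):
    """Parse hosts-file syntax: '#' comments, blank lines, 'addr host [host...]'."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, nothing to map
        for host in fields[1:]:
            entries.append(HostsEntry(line_no, fields[0], host.lower()))
    return entries


def _under_vendor_domain(hostname):
    return any(hostname == s or hostname.endswith("." + s) for s in VENDOR_DOMAIN_SUFFIXES)


def find_hosts_iocs(text):
    """Return (line_no, hostname, address, kind) for every vendor host pinned in hosts.

    Any static mapping of a vendor update host is suspicious: loopback or
    unspecified addresses blackhole it, anything else redirects it.
    """
    flagged = []
    for e in parse_hosts(text):
        if not _under_vendor_domain(e.hostname):
            continue
        blackholed = e.address in SINKHOLE_ADDRESSES or e.address.startswith("127.")
        flagged.append((e.line_no, e.hostname, e.address, "blackholed" if blackholed else "redirected"))
    return flagged


def find_task_iocs(csv_text):
    """Return (task_name, command, reasons) for tasks matching the named indicators."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        leaf = row["TaskName"].rsplit("\\", 1)[-1].lower()
        command = row.get("Task To Run", "").lower()
        reasons = []
        if leaf in SUSPECT_TASK_NAMES:
            reasons.append("task name")
        if any(binary in command for binary in SUSPECT_BINARIES):
            reasons.append("command")
        if reasons:
            flagged.append((row["TaskName"], row["Task To Run"], reasons))
    return flagged


if __name__ == "__main__":
    for hit in find_hosts_iocs(SAMPLE_HOSTS):
        print("hosts line %d: %s -> %s (%s)" % hit)
    for name, command, reasons in find_task_iocs(SAMPLE_TASKS_CSV):
        print("task %s runs %s: %s" % (name, command, ", ".join(reasons)))
```

On a live host, feed `find_hosts_iocs` the contents of `%SystemRoot%\System32\drivers\etc\hosts` and `find_task_iocs` the output of `schtasks /query /fo CSV /v`. Any static entry for a vendor update host is worth a look, not only loopback ones, since a redirect to an attacker-controlled address is as effective as a blackhole. The tampered Reload.exe is best checked separately with PowerShell’s `Get-AuthenticodeSignature`, because the write-up’s indicator for that file is a signature that does not validate rather than a name or path.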
Both eScan and Morphisec advise customers to proactively block the identified command-and-control server addresses. This incident follows a pattern of software supply chain attacks against the vendor, notably including a 2024 campaign in which North Korean hackers exploited eScan’s update mechanism to implant backdoors on corporate networks.
(Source: Bleeping Computer)