Current Cyber Threats

Threat Bulletin: Critical eScan Supply Chain Compromise

Summary:
A critical supply chain attack was identified by security firm Morphisec affecting MicroWorld Technologies’ eScan antivirus product. On January 20, 2026, a malicious update package was observed being distributed through eScan’s legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally.

How the actor gained access to eScan’s update server remains unclear. That access was used to distribute a trojanized eScan component (Reload[.]exe), which in turn led to the deployment of a stage-3 downloader (CONSCTLX[.]exe). The downloader has several key functions:
  • Creates scheduled tasks and executes PowerShell for persistent access
  • Modifies the hosts file and eScan registry settings to block future updates and disable antivirus functionality, preventing automatic remediation
  • Connects to command and control infrastructure to retrieve additional payloads
Morphisec says it detected malicious activity on customer endpoints and contacted eScan shortly afterwards. According to the vendor, it detected the incident via internal monitoring, isolated the affected infrastructure within 1 hour, and took the global update system offline for more than 8 hours.

Although eScan isolated affected infrastructure within hours and took its update system offline, impacted customers were required to manually contact eScan to receive remediation, as compromised systems could not self-recover through standard update mechanisms.

Security Officer Comments:
The latest eScan supply chain compromise is reminiscent of the SolarWinds Orion attack. In both cases, the actors abused a trusted vendor’s update mechanism to distribute malicious payloads at scale. Similar to how the SolarWinds Sunburst backdoor was embedded in a digitally signed Orion update, in the latest attack involving eScan, the actors delivered malware as a legitimate update, which in this case was signed with a valid eScan (Microworld Technologies Inc.) certificate. By abusing trusted update channels and legitimate code-signing certificates, the attackers were able to evade traditional security controls that rely on signature validation and vendor trust.

Suggested Corrections:
Automatic updates will not work on compromised systems. The malicious payload tampers with eScan registry settings, files, and update configuration, preventing updates and normal operation of the antivirus. Manual intervention is required.

eScan provides a patch that should repair the updater and revert the eScan configuration and hosts file.

Immediate Actions:
  1. Search for malicious hashes provided in Morphisec’s blog post across all endpoints
  2. Review scheduled tasks under Windows\Defrag\ for unexpected entries
  3. Inspect registry for suspicious GUID-named keys under HKLM\Software\ containing byte array data
  4. Check hosts file for entries blocking eScan domains
  5. Block C2 domains at network perimeter
  6. Review eScan update logs for activity on January 20, 2026
  7. Download and apply eScan’s remediation update to repair the eScan installation.
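Step 4 above (checking the hosts file for entries that block eScan’s update domains) can be scripted so it runs consistently across many endpoints. The following Python helper is an added example, not code from the bulletin, Morphisec or eScan; the bulletin does not list eScan’s actual update hostnames, so WATCHED_DOMAINS and the sample hosts file are constructed placeholders to be replaced with the vendor’s real domains.

```python
import ipaddress
from typing import Iterable

# Addresses that make a hostname unreachable when placed in the hosts file.
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Placeholder list (constructed): substitute the vendor's real update hostnames.
WATCHED_DOMAINS = ("escan-update.example", "escan.example")

def parse_hosts(text: str):
    """Yield (line_no, address, hostname) for each mapping in a hosts file.

    Handles full-line and trailing '#' comments, tabs, several hostnames on
    one line, and skips lines whose first field is not a valid IP address."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])  # also normalises IPv6 forms
        except ValueError:
            continue
        for host in parts[1:]:
            yield line_no, str(addr), host.lower().rstrip(".")

def find_blocked_domains(text: str, watched: Iterable[str] = WATCHED_DOMAINS):
    """Return hosts-file entries that point a watched domain, or any subdomain
    of it, at a sinkhole address, i.e. entries that silently break the
    vendor's update channel and stop the product from self-remediating."""
    watched = tuple(d.lower() for d in watched)
    hits = []
    for line_no, addr, host in parse_hosts(text):
        if addr not in SINKHOLE_ADDRESSES:
            continue
        if any(host == d or host.endswith("." + d) for d in watched):
            hits.append({"line": line_no, "address": addr, "host": host})
    return hits

# Constructed sample hosts file, not captured from a real system.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0   update.escan-update.example  # injected entry
127.0.0.1\tdownload.escan.example
10.1.2.3  intranet.corp.example
"""

if __name__ == "__main__":
    for hit in find_blocked_domains(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['address']}")
```

On Windows the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; any hit should be treated as evidence of tampering and preserved before the vendor’s remediation patch reverts it.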
Link(s):
https://www.morphisec.com/blog/critical-escan-threat-bulletin/