Cybersecurity

Cyber: Escan Antivirus Update Servers Compromised To Deliver Multi-stage...

2026-02-02 0 views admin
Cyber: Escan Antivirus Update Servers Compromised To Deliver Multi-stage...

The update infrastructure for eScan antivirus, a security solution developed by Indian cybersecurity company MicroWorld Technologies, has been compromised by unknown attackers to deliver a persistent downloader to enterprise and consumer systems.

"Malicious updates were distributed through eScan's legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally," Morphisec researcher Michael Gorelik said.

MicroWorld Technologies has revealed that it detected unauthorized access to its infrastructure and immediately isolated the impacted update servers, which remained offline for over eight hours. It has also released a patch that reverts the changes introduced as part of the malicious update. Impacted organizations are recommended to contact MicroWorld Technologies to obtain the fix.

It also pinned the attack as resulting from unauthorized access to one of its regional update server configurations, which enabled the threat actors to distribute a "corrupt" update to customers during a "limited timeframe" of about two hours on January 20, 2026.

"eScan experienced a temporary update service disruption starting January 20, 2026, affecting a subset of customers whose systems automatically download updates during a specific timeframe, from a specific update cluster," the company said in an advisory issued on January 22, 2026.

"The issue resulted from unauthorized access to the regional update server infrastructure. The incident has been identified and resolved. Comprehensive remediation is available that addresses all observed scenarios."

Morphisec, which identified the incident on January 20, 2026, said the malicious payload interferes with the regular functionality of the product, effectively preventing automatic remediation. This specifically involves delivering a malicious "Reload.exe" file that's designed to drop a downloader, which contains functionality to establish persistence, block remote updates, and contact an external server to fetch additional payloads, including "CONSCTLX.exe."

According to details shared by Kaspersky, "Reload.exe" – a legitimate file located in "C:\Program Files (x86)\escan\reload.exe" – is replaced with a rogue counterpart that can prevent further antivirus product updates by modifying the HOSTS file. It's signed with a fake, invalid digital signature.

"When started, this reload.exe file checks whether it is launched from the Program Files folder, and exit

Source: The Hacker News

🏷️ Tags

cybersecuritysecuritymalwareattackthreat

More from Cybersecurity

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

2026-02-24 0
Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

2026-02-24 0
Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

2026-02-24 0
Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

2026-02-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views