Meet Foresiet Nexus — Your smarter Threat Intel hub. See it in action — book a free demo today!

Weekly newsletter

No spam. Just the latest releases and tips, interesting articles, and exclusive interviews in your inbox every week.

Read about our privacy policy.

Latest from the blog

Why This eScan Antivirus Supply Chain Attack Is a Security Nightmare

Posted on:  04 Feb 2025 | Author: Foresiet

Introduction

In mid-January 2026, one of the most ironic cybersecurity incidents in recent memory occurred: eScan antivirus software from MicroWorld Technologies began delivering malware to its own users. Attackers gained unauthorized access to a regional update server and quietly replaced a legitimate update component with a malicious version. For roughly two hours on January 20, 2026, systems that attempted to fetch updates received a trojanized Reload.exe instead of a security patch.

The result was immediate and devastating: the compromised update disabled the antivirus protection it was supposed to maintain, established persistence on infected machines, and quietly downloaded additional malicious payloads. What should have been a routine security improvement became the infection vector itself.

Executive Summary

On January 20, 2026, attackers compromised an eScan regional update server for approximately two hours. During this window, they replaced the legitimate Reload.exe binary with a malicious version that carried an invalid digital signature. The trojanized file performed several malicious actions:

  • Modified the HOSTS file to block legitimate eScan update domains
  • Created scheduled tasks for persistence
  • Downloaded and executed additional malware components (notably CONSCTLX.exe)
  • Disabled or severely impaired the local eScan antivirus functions

Multiple infections were observed, particularly in South Asia where eScan has a significant user base. eScan responded by temporarily halting all global updates and later released guidance for manual remediation. The incident is a textbook example of supply-chain compromise turning a trusted security product into an active threat.

Who Should Care

This incident matters most to:

  • Enterprises and organizations that still rely on eScan for endpoint protection
  • Managed Service Providers (MSPs) that deploy and manage eScan for clients
  • Organizations in India and other parts of South Asia where eScan maintains a large installed base
  • Security operations teams that monitor endpoint update processes and third-party software integrity
  • Any organization that applies automatic updates from security vendors without additional validation

If your environment includes eScan — even as a secondary or legacy AV — this event deserves immediate attention.

Technical Breakdown: What Actually Happened

The attack began when adversaries obtained access to a regional eScan update server. They replaced the legitimate Reload.exe (normally located at C:\Program Files (x86)\escan\reload.exe) with a malicious 32-bit executable.

This fake Reload.exe executed the following sequence:

  1. Modified the Windows HOSTS file to redirect eScan update-related domains (including mwti.net) to 127.0.0.1, effectively preventing future legitimate updates.
  2. Created a scheduled task named “eScanUpdater” that ran every few minutes under SYSTEM privileges.
  3. Dropped and executed CONSCTLX.exe, which acted as a downloader and secondary payload stage.
  4. Made registry modifications and file changes to simulate a successful update while silently disabling core eScan protection mechanisms.

The downloader (CONSCTLX.exe) contacted external infrastructure to fetch additional components. Basic anti-analysis techniques were observed, though no advanced AMSI bypass or heavy obfuscation was documented in public samples.

Example of the persistence mechanism (scheduled task creation):

schtasks /create /tn “eScanUpdater” /tr “C:\Windows\CONSCTLX.exe” /sc minute /mo 5 /ru SYSTEM /f

This simple but effective technique ensured the malware remained active even after reboots.

Impact and Real-World Risk

The most dangerous consequence was the immediate neutralization of the eScan antivirus itself. With real-time protection disabled, infected endpoints became wide open to subsequent attacks.

In enterprise environments, this creates a dangerous window for:

  • Lateral movement across the network
  • Deployment of ransomware or data exfiltration tools
  • Prolonged attacker dwell time while the primary security layer is offline

Organizations in regions with high eScan adoption faced the highest risk during the compromise window. Even after the malicious update was stopped, systems that had already received the bad update remained compromised until manually remediated.

Indicators of Compromise

Key IOCs identified in public reporting:

Files

  • Malicious Reload.exe SHA256: 8f2fe9dc184ba209f78d1b81f87f7d39f0d260b8d6dc1f7af9f256071d8c9fe0
  • CONSCTLX.exe downloader SHA256: bec369597633eac7cc27a698288e4ae8d12bdd9b01946e73a28e1423b17252b1

Behaviors

  • HOSTS file entries blocking mwti.net and related eScan domains
  • Scheduled task named “eScanUpdater” or similar
  • Unexpected child processes spawned by eScan components
  • Outbound connections from escan.exe or reload.exe to unknown IPs

Registry

  • Tampered keys under HKLM\SOFTWARE\eScan

Detection Guidance for SOC Teams

Monitor for the following signals:

  • AV update processes (reload.exe, escan.exe) spawning unusual child binaries
  • Creation of scheduled tasks by eScan-related processes
  • Modifications to the HOSTS file originating from security software directories
  • eScan binaries making outbound connections to non-eScan infrastructure
  • Registry or file-system changes in eScan program folders that deviate from known good state

These are strong indicators when observed together.

Vendor Response and Trust Implications

eScan acted quickly once notified:

  • Halted all global updates for more than eight hours
  • Issued public guidance on January 22, 2026
  • Advised manual update procedures and system scanning

However, several trust-related questions remain:

  • How did attackers gain access to the update server?
  • Were proper code-signing controls and server access monitoring in place?
  • Was there a formal certificate revocation or infrastructure audit after the breach?

The incident underscores a painful reality: even security vendors can become supply-chain risks when their update infrastructure is compromised.

Mitigation Steps

  1. Immediately stop automatic eScan updates if still running.
  2. Manually download and apply the latest clean update from the official eScan website.
  3. Scan affected systems with a second, independent security product.
  4. Check and restore the HOSTS file to default.
  5. Review scheduled tasks and remove any suspicious entries.
  6. Validate eScan registry keys and program files against known good versions.
  7. Consider replacing eScan with another AV solution if trust has been significantly eroded.

Conclusion

The eScan supply-chain attack is a stark reminder that antivirus software — like any other widely deployed product — can become a high-value target for adversaries. When trust in the update process is abused, the very mechanism meant to protect becomes the infection vector.

This incident highlights the limits of relying on a single vendor for endpoint security. Defense-in-depth, continuous monitoring of update processes, and skepticism toward automatic updates are no longer optional — they are essential.

About us!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization’s defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.

Latest

From the blog

The latest industry news, interviews, technologies, and resources.