Cybersecurity researchers have reported a serious incident involving eScan antivirus software, in which attackers compromised one of its update servers. Instead of delivering a normal security update, the server pushed malicious files to users. This is a supply-chain attack, and it is dangerous precisely because the payload arrives over a channel users are told to trust. The issue came to light after abnormal activity was detected on systems that had just been updated.

The attack is believed to have occurred around January 20, 2026. During this time, a legitimate eScan update component was quietly replaced with a malicious version. The replacement file looked normal and carried a valid signature, so neither users nor the update mechanism had any reason to distrust it. A valid signature only shows that the file was signed with a key the system trusts; it says nothing about whether the update server handed out the file it was supposed to. As a result, the malware was installed automatically during routine updates.
The compromised update contained a modified 32-bit executable commonly identified as Reload.exe. Once executed, this file acted as the first stage of the attack. It silently installed another malicious program in the background. This marked the beginning of a multi-stage infection process on the affected systems.
In the second stage, the malware dropped a 64-bit persistent downloader known as CONSCTLX.exe. This component was designed to remain active even after system restarts. It created scheduled tasks and used PowerShell commands to maintain long-term access. These actions allowed the malware to survive basic system cleanups.
Researchers also discovered that the malware deliberately interfered with security defenses. It modified system registry entries and the hosts file so that infected machines could no longer reach legitimate antivirus update servers. Because the hosts file is consulted before DNS, an entry that maps a vendor's update hostname to an unreachable address silently blocks every future update. This prevented infected machines from receiving a clean fix automatically, so users could remain infected without realizing it.
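A quick triage check for the hosts-file tampering described above, written as an added example for this article (it is not code from the article, from MicroWorld, or from the malware analysis). It parses a hosts file, flags any non-local name that has been sinkholed to a loopback or null address, and flags any entry that overrides DNS for a domain on a watchlist you supply. The hostnames in the sample input and the watchlist are constructed for illustration (the reserved `.test` TLD is used so nothing real is named); on a live system you would pass the contents of `%SystemRoot%\System32\drivers\etc\hosts` (Windows) or `/etc/hosts` and your own vendor's update domains.

```python
"""Triage check for hosts-file tampering (added example, not the article's code).

The sample hosts content and the watchlist domain below are constructed
for illustration; substitute your own vendor's update hostnames.
"""
import ipaddress
import os
import platform
from typing import Dict, List

# Addresses a malicious hosts entry typically uses to sink traffic.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# Names that are legitimately mapped to loopback on most systems.
BENIGN_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback", "broadcasthost",
}


def system_hosts_path() -> str:
    """Return the platform's hosts file path (constant, not read by this example)."""
    if platform.system() == "Windows":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def parse_hosts(text: str) -> List[Dict]:
    """Parse hosts-file text into {line_no, addr, names} records, skipping comments."""
    records = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], [n.lower() for n in parts[1:]]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address; the resolver would ignore it too
        records.append({"line_no": line_no, "addr": addr, "names": names})
    return records


def find_suspicious_entries(text: str, watchlist: List[str]) -> List[Dict]:
    """Flag entries that sinkhole a non-local name or that touch a watched domain.

    watchlist: domain suffixes whose redirection matters (e.g. your AV vendor's
    update hosts). Any mapping for a watched name is flagged regardless of the
    address, because a hosts entry for it overrides DNS entirely.
    """
    watch = [w.lower().lstrip(".") for w in watchlist]
    findings = []
    for rec in parse_hosts(text):
        for name in rec["names"]:
            reasons = []
            if any(name == w or name.endswith("." + w) for w in watch):
                reasons.append("overrides DNS for watched domain")
            if rec["addr"] in SINKHOLE_ADDRS and name not in BENIGN_LOOPBACK_NAMES:
                reasons.append("non-local name sinkholed to " + rec["addr"])
            if reasons:
                findings.append({"line_no": rec["line_no"], "addr": rec["addr"],
                                 "name": name, "reasons": reasons})
    return findings


# Constructed sample: a normal hosts file plus three attacker-style additions.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- entries below are constructed for this example ---
0.0.0.0         update.example-av.test
127.0.0.1       download.example-av.test   # trailing comment is ignored
203.0.113.10    cdn.example-av.test
"""

WATCHLIST = ["example-av.test"]  # constructed vendor domain, an assumption

if __name__ == "__main__":
    for f in find_suspicious_entries(SAMPLE_HOSTS, WATCHLIST):
        print(f"line {f['line_no']}: {f['name']} -> {f['addr']}: {'; '.join(f['reasons'])}")
```

The third sample entry points a watched name at a routable address rather than a sinkhole; it is still flagged, because redirecting an update hostname to an attacker-chosen server is at least as bad as blocking it. A clean hosts file containing only the `localhost` lines produces no findings.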
After establishing persistence, the malware connected to the attackers' command-and-control servers. These connections allowed additional payloads to be downloaded at any time, giving the attackers ongoing access to compromised systems. Such access could later be used for espionage, data theft, or further attacks.
Once informed, MicroWorld Technologies, the developer of eScan antivirus, took immediate action. The affected update server was isolated to prevent further spread of the malware. The company also began remediation efforts to clean the compromised infrastructure. According to reports, the incident was limited to a regional server.
This incident highlights the growing threat of supply-chain attacks. It shows how a trusted update channel can be turned into a malware delivery mechanism, and how a valid signature on its own is not proof that an update is the one the vendor intended to ship. Users and organizations are advised to check their systems for the indicators described above (the dropped executables, unexpected scheduled tasks, and hosts-file or registry changes that block updates) and to apply the vendor's guidance promptly. The case is a reminder that security tools themselves are attractive targets.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news