
eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware

Severity: Medium
Category: Malware
Published: Mon Feb 02 2026 (02/02/2026, 05:47:00 UTC)
Source: The Hacker News

Description

The update infrastructure for eScan antivirus, a security solution developed by Indian cybersecurity company MicroWorld Technologies, has been compromised by unknown attackers to deliver a persistent downloader to enterprise and consumer systems. "Malicious updates were distributed through eScan's legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise

AI-Powered Analysis

Last updated: 02/02/2026, 08:47:10 UTC

Technical Analysis

In January 2026, attackers gained unauthorized access to a regional update server in the eScan antivirus update infrastructure and used it to push malicious updates to both enterprise and consumer endpoints. The update replaced the legitimate reload.exe in the eScan installation directory with a rogue binary carrying a fake digital signature.

The rogue reload.exe runs Base64-encoded PowerShell that performs three actions before doing anything else: it disables eScan's update mechanism by adding HOSTS-file entries for the update servers, it bypasses the Windows Antimalware Scan Interface (AMSI) so that its scripts are not inspected, and it fingerprints the environment, aborting on hosts that run security tools or analysis software. If those checks pass, it downloads and executes further payloads, including CONSCTLX.exe and a PowerShell-based implant launched through scheduled tasks. The scheduled tasks provide persistence; update timestamps are rewritten so that the product appears current even though updates are blocked, and the implant keeps polling attacker-controlled servers for further instructions and payloads.

MicroWorld detected and mitigated the attack within hours, isolating the affected servers and releasing patches. Kaspersky telemetry shows hundreds of infections, mostly in India, Bangladesh, Sri Lanka, and the Philippines, but eScan's global user base means other regions may also be affected. The attack is notable for abusing an antivirus product's own update channel, a rare and sophisticated vector that undermines the trust endpoints place in their security software.

Potential Impact

For European organizations running eScan, the compromise carries significant risk. Because the malware blocks antivirus updates and evades detection, an infection can persist undetected for a long time while the attackers deploy follow-on payloads such as espionage tools, ransomware, or data-exfiltration malware. The rewritten update timestamps can mislead security teams into believing endpoints are protected and current. Enterprises that rely on eScan as their primary endpoint protection are therefore exposed to secondary attacks affecting the confidentiality, integrity, and availability of critical systems. Infected consumer and home-office machines can also become a foothold into organizational networks or partner supply chains. The multi-stage design and the use of PowerShell complicate detection and remediation and call for a coordinated incident response; the interruption of update services and the need for emergency patching also affect operational continuity. Given the stealth of the malware, organizations should verify their eScan installations and apply the vendor's fixes promptly.

Mitigation Recommendations

European organizations should immediately verify the integrity of their eScan installations, starting with reload.exe in the installation directory and any CONSCTLX.exe present on the system: check the Authenticode signature of reload.exe (the rogue version carries a fake signature) and treat an unsigned or invalid binary as an indicator of compromise. Apply the official patches released by MicroWorld Technologies to revert the malicious changes and restore legitimate update functionality. Audit the HOSTS file for entries that redirect or block eScan update servers, and review scheduled tasks for PowerShell actions that use encoded commands. Run full endpoint scans with more than one security tool to find and remove remnants of the malware, and watch for unusual outbound connections to attacker-controlled servers.

Incident response teams should confirm that no secondary payloads were deployed and isolate affected systems until remediation is complete. More broadly, organizations should tighten access controls around their own update and software-distribution infrastructure and monitor for supply chain attack indicators. MicroWorld support can provide remediation guidance and threat intelligence updates. Finally, inform users about the incident and reinforce practices for verifying software updates and maintaining endpoint security.
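The checks above, as an added example written for this page (not code from MicroWorld, Kaspersky or The Hacker News): a PowerShell triage script that reports the Authenticode status of reload.exe, parses HOSTS-file lines for entries that pin eScan update hosts to an address, and decodes -EncodedCommand arguments found in scheduled-task actions to look for the AMSI-tampering and loader markers described in the technical analysis. The install directory, the 'escan|microworld' hostname pattern, the marker strings and the sample data are assumptions made for illustration, not indicators published in the report.

```powershell
# Added example, not code from MicroWorld, Kaspersky or The Hacker News.
# Assumptions (not stated in the report): eScan installs under C:\Program Files\eScan,
# its update hostnames contain "escan" or "microworld", and the loader's PowerShell
# is launched with -EncodedCommand. Adjust $EscanDir and $HostPattern to your environment.

$EscanDir    = 'C:\Program Files\eScan'   # assumed default install directory
$HostPattern = 'escan|microworld'         # assumed substring of update hostnames

function Test-EscanBinary {
    # Reports the Authenticode status of a binary; anything other than 'Valid' on
    # reload.exe, or the mere presence of CONSCTLX.exe, warrants investigation.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Signer = $null }
    }
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status.ToString()   # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer = $signer
    }
}

function Find-BlockedUpdateHosts {
    # Parses HOSTS-file lines and returns entries that map an update hostname to an address.
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -replace '#.*$', '').Trim()   # strip comments
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($name -match $HostPattern) {
                [pscustomobject]@{ Address = $fields[0]; HostName = $name }
            }
        }
    }
}

function ConvertFrom-EncodedCommand {
    # Extracts and decodes a -e/-ec/-enc/-EncodedCommand argument (Base64 of UTF-16LE).
    param([Parameter(Mandatory)][string]$CommandLine)
    if ($CommandLine -match '(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}

function Test-LoaderScript {
    # True when a decoded script carries markers of the behaviour described in the analysis:
    # AMSI tampering, HOSTS editing, or the CONSCTLX payload name (marker list is assumed).
    param([Parameter(Mandatory)][string]$Script)
    $markers = 'AmsiUtils', 'amsiInitFailed', 'AmsiScanBuffer', 'drivers\\etc\\hosts', 'CONSCTLX'
    foreach ($m in $markers) { if ($Script -match $m) { return $true } }
    return $false
}

function Find-SuspiciousTasks {
    # Scans every scheduled-task action for encoded PowerShell matching the loader markers.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -notmatch '(?i)powershell|pwsh') { continue }
            $decoded = ConvertFrom-EncodedCommand $cmd
            if ($decoded -and (Test-LoaderScript $decoded)) {
                [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Decoded = $decoded }
            }
        }
    }
}

function Invoke-EscanTriage {
    # Live run on an endpoint: signature check, CONSCTLX.exe search, HOSTS audit, task audit.
    Test-EscanBinary (Join-Path $EscanDir 'reload.exe')
    Get-ChildItem -Path $EscanDir -Filter 'CONSCTLX.exe' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Test-EscanBinary $_.FullName }
    Find-BlockedUpdateHosts (Get-Content "$env:SystemRoot\System32\drivers\etc\hosts")
    Find-SuspiciousTasks
}

# --- Constructed sample data (not from the report) so the parsing logic can be exercised ---
$sampleHosts = @(
    '# default entries',
    '127.0.0.1   localhost',
    '0.0.0.0     update.escan.example   # illustrative blocked update host'
)
$sampleScript = '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils")'  # stand-in AMSI tamper
$sampleB64    = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($sampleScript))
$sampleCmd    = "powershell.exe -NoP -W Hidden -EncodedCommand $sampleB64"

Find-BlockedUpdateHosts $sampleHosts
Test-LoaderScript (ConvertFrom-EncodedCommand $sampleCmd)
# On a real endpoint, from an elevated prompt: Invoke-EscanTriage
```

Run the bottom section as-is to see the parser flag the constructed HOSTS entry and the decoded sample script; on a suspect endpoint, call Invoke-EscanTriage from an elevated prompt and treat any reload.exe status other than Valid, any matched HOSTS entry, or any task returned by Find-SuspiciousTasks as grounds for isolating the host.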


Technical Details

Article Source: https://thehackernews.com/2026/02/escan-antivirus-update-servers.html (fetched 2026-02-02T08:46:37.940Z; 1,384 words)

Threat ID: 69806471f9fa50a62f14456f

Added to database: 2/2/2026, 8:46:41 AM

Last enriched: 2/2/2026, 8:47:10 AM

Last updated: 2/6/2026, 11:31:29 PM

