An update server operated by MicroWorld Technologies, the vendor of eScan, was breached and used to deliver an unauthorized update to a subset of eScan customers on January 20, 2026; the malicious file was distributed during a two-hour window.
KEY FACTS
- Incident: update server breach used to distribute an unauthorized update
- Date: January 20, 2026, during a two-hour window
- Impact: subset of customers that pulled updates from one regional update cluster
- Malware: multi-stage payload, including the CONSCTLX.exe backdoor
The file reached only customers whose eScan installations downloaded updates from the affected regional update cluster during that two-hour window on January 20, 2026. The affected infrastructure has since been isolated and rebuilt, authentication credentials have been rotated, and a remediation update has been made available to impacted customers.
According to a security bulletin from Morphisec, the malicious update included a modified version of an eScan update component named Reload.exe. The modified binary carried an apparently invalid code signature, set up persistence, altered the Windows HOSTS file so that further remote updates could not be retrieved, and connected to command-and-control servers to download additional payloads, among them a file named CONSCTLX.exe that Morphisec describes as a backdoor.
Observed command-and-control addresses include vhs.delrosal.net, tumama.hns.to, blackice.sol-domain.org and 185.241.208.115. The final payload created scheduled tasks for persistence, using task names such as CorelDefrag.
The remediation update automatically identifies and reverts the unauthorized modifications, restores normal update functionality, verifies that the restoration succeeded, and requires a standard restart. Blocking the listed command-and-control hosts at the network perimeter is recommended as an additional precaution.
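A host-triage script for the indicators above, added here as an example; it is not code from MicroWorld, eScan or Morphisec. It assumes an eScan installation directory (the -EscanPath default is a guess, not something the bulletin states) and an elevated PowerShell session. The HOSTS check is a general heuristic: a stock Windows HOSTS file has no active entries, so every uncommented line is reported, and lines that point a non-localhost name at a loopback or null address (the usual way an update host is blocked) or that reference a listed C2 are marked. Everything is read-only except the optional -BlockC2Ip switch.

```powershell
<#
  Added triage script for the eScan update incident (not vendor or Morphisec code).
  Checks the indicators reported in the bulletin:
    1. active HOSTS file entries (the modified Reload.exe edited HOSTS to block updates)
    2. scheduled tasks named like CorelDefrag, or whose action runs CONSCTLX.exe
    3. the Authenticode signature of Reload.exe under the eScan install directory
    4. the CONSCTLX.exe backdoor on disk
    5. DNS cache entries or established TCP connections to the listed C2 hosts
  Assumptions: -EscanPath default is a guess at the install location; run elevated.
#>
param(
    [string]$EscanPath = "$env:ProgramFiles\eScan",  # assumed location, adjust to your install
    [switch]$BlockC2Ip                               # optionally add an outbound firewall block for the C2 IP
)

$C2Hosts  = @('vhs.delrosal.net', 'tumama.hns.to', 'blackice.sol-domain.org')
$C2Ips    = @('185.241.208.115')
$Sinkhole = @('127.0.0.1', '0.0.0.0', '::1')
$findings = New-Object System.Collections.Generic.List[string]

if (-not (Test-Path $EscanPath)) { Write-Warning "eScan path not found: $EscanPath (pass -EscanPath)" }

# 1. HOSTS file: report every active line; mark sinkhole entries and C2 references.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in (Get-Content $hostsPath -ErrorAction SilentlyContinue)) {
    $text = ($line -split '#', 2)[0].Trim()        # strip comments
    if (-not $text) { continue }
    $parts = $text -split '\s+'
    if ($parts.Count -lt 2) { continue }
    $ip    = $parts[0]
    $names = $parts[1..($parts.Count - 1)]
    $tag = 'active entry'
    if ($ip -in $Sinkhole -and ($names | Where-Object { $_ -notin @('localhost', 'localhost.localdomain') })) {
        $tag = 'SINKHOLE entry, blocks resolution of'
    }
    if ($ip -in $C2Ips -or ($names | Where-Object { $_ -in $C2Hosts })) {
        $tag = 'entry referencing listed C2'
    }
    $findings.Add("HOSTS ($tag): $text")
}

# 2. Scheduled tasks: persistence used names such as CorelDefrag; also catch any
#    task whose action launches CONSCTLX.exe under a different task name.
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    if ($task.TaskName -like '*CorelDefrag*' -or $actions -match 'CONSCTLX\.exe') {
        $findings.Add("Scheduled task $($task.TaskPath)$($task.TaskName) -> $actions")
    }
}

# 3. Reload.exe: the trojanised copy carried an invalid code signature.
Get-ChildItem -Path $EscanPath -Filter 'Reload.exe' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
        if ($sig.Status -ne 'Valid') {
            $findings.Add("Reload.exe signature $($sig.Status) (signer: $signer): $($_.FullName)")
        }
    }

# 4. The CONSCTLX.exe backdoor on disk: install dir, ProgramData and user profiles.
foreach ($root in @($EscanPath, $env:ProgramData, "$env:SystemDrive\Users")) {
    Get-ChildItem -Path $root -Filter 'CONSCTLX.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("Backdoor file present: $($_.FullName)") }
}

# 5. Evidence of C2 contact: cached DNS answers for the C2 names, and established
#    TCP connections to the C2 IP together with the owning process.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -in $C2Hosts } |
    ForEach-Object { $findings.Add("DNS cache: $($_.Entry) -> $($_.Data)") }
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -in $C2Ips } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings.Add("TCP to C2 $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess) ($proc)")
    }

# 6. Optional: block the C2 IP outbound. Host names cannot be blocked by Windows
#    Firewall; block those at the DNS resolver or proxy instead.
if ($BlockC2Ip) {
    New-NetFirewallRule -DisplayName 'Block eScan incident C2 IP' -Direction Outbound `
        -RemoteAddress $C2Ips -Action Block -Profile Any | Out-Null
    $findings.Add("Firewall rule added: outbound block for $($C2Ips -join ', ')")
}

if ($findings.Count -eq 0) {
    "No indicators from the eScan update incident found on $($env:COMPUTERNAME)"
} else {
    "Indicators found on $($env:COMPUTERNAME):"
    $findings | ForEach-Object { " - $_" }
}
```

Run it as, for instance, `.\escan-triage.ps1 -EscanPath 'D:\eScan'` (the script name is hypothetical). A sinkhole entry for an update host in HOSTS, or a Reload.exe whose signature status is anything other than Valid, is the clearest sign that the machine pulled the bad update; in that case apply the vendor's remediation update rather than hand-editing HOSTS, since the remediation also verifies the restoration, and treat a live connection to 185.241.208.115 or a CONSCTLX.exe on disk as an active compromise to be handled under incident response, not just cleanup.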
WHY IT MATTERS
A malicious update pushed through legitimate update infrastructure inherits that infrastructure's trust: it runs with the product's privileges, can install persistent backdoors, and, as in this case, can disable the very update channel that would deliver a fix. Administrators should confirm whether any systems pulled updates from the affected regional cluster during the two-hour window, apply the remediation update where they did, and check those hosts for the indicators listed above.

