Unknown attackers used eScan's update infrastructure to deliver a persistent downloader to enterprise and consumer endpoints on January 20, 2026, during a roughly two-hour window that prompted the vendor to take update servers offline for over eight hours.
KEY FACTS
- Incident: Unauthorized access to a regional update server configuration allowed distribution of a corrupt update
- When: January 20, 2026, for about two hours
- Impact: Multi-stage downloader deployed to enterprise and consumer systems
- Mitigation: A patch was released and impacted update servers were isolated
In a technical analysis, Morphisec said the malicious update replaced the legitimate C:\Program Files (x86)\escan\reload.exe with a rogue binary that drops a downloader designed to establish persistence, block updates and fetch additional payloads including CONSCTLX.exe.
MicroWorld Technologies' advisory states the company detected unauthorized access to its regional update server configuration, isolated the impacted update servers for more than eight hours and released a patch that reverts the malicious changes.
A Kaspersky analysis shows hundreds of machines encountered infection attempts, mainly in India, Bangladesh, Sri Lanka and the Philippines.
The replaced reload.exe uses an AMSI bypass and an UnmanagedPowerShell-based loader to run three Base64-encoded PowerShell payloads that tamper with the product, check installed software against a blocklist and download CONSCTLX.exe plus a secondary PowerShell payload that is scheduled for execution. One component also updates Eupdate.ini to make the product appear current.
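A host triage script for the behaviours described above, added here as an example and not taken from the article, Morphisec, Kaspersky or the vendor. It assumes the reload.exe path quoted in the article; the search locations for CONSCTLX.exe and Eupdate.ini, and the use of an encoded command in the scheduled task, are assumptions.

```powershell
# Added triage example (not from the article or the vendor). Run elevated on a host
# that received eScan updates during the incident window.
$escanDir = 'C:\Program Files (x86)\escan'   # install path as quoted in the article
$findings = @()

# 1. The malicious update replaced reload.exe. A legitimate vendor binary should carry
#    a valid Authenticode signature; record the hash for comparison with vendor data.
$reload = Join-Path $escanDir 'reload.exe'
if (Test-Path $reload) {
    $sig = Get-AuthenticodeSignature -FilePath $reload
    if ($sig.Status -ne 'Valid') { $findings += "reload.exe signature status: $($sig.Status)" }
    $findings += "reload.exe SHA256 (compare with vendor-published value): " +
                 (Get-FileHash -Algorithm SHA256 -Path $reload).Hash
}

# 2. Second-stage binary named CONSCTLX.exe. Search roots are an assumption.
foreach ($root in @($escanDir, $env:ProgramData, $env:TEMP, $env:APPDATA)) {
    Get-ChildItem -Path $root -Filter 'CONSCTLX.exe' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "CONSCTLX.exe present: $($_.FullName)" }
}

# 3. The secondary PowerShell payload is scheduled for execution. Flag tasks whose
#    action runs PowerShell with an encoded command and decode it for analyst review.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'powershell|pwsh' -and
            $cmd -match '-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
            $decoded = '<not valid base64>'
            try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) } catch {}
            $findings += "Encoded PowerShell task '$($task.TaskName)': $decoded"
        }
    }
}

# 4. Eupdate.ini was edited so the product reports itself as current; surface its
#    last write time so it can be compared against the January 20, 2026 window.
Get-ChildItem -Path $escanDir -Filter 'Eupdate.ini' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Eupdate.ini last modified: $($_.LastWriteTime) ($($_.FullName))" }

if ($findings.Count -eq 0) { 'No indicators from the eScan incident found.' } else { $findings }
```

A signature status other than Valid or a scheduled task carrying encoded PowerShell warrants isolating the host and applying the vendor patch rather than deleting files by hand, since the article notes the downloader also blocks updates.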
WHY IT MATTERS
The incident is a rare supply chain compromise of an antivirus update mechanism and shows how malicious updates can disable remediation and persist on endpoints. Affected organizations should apply the vendor patch and contact the vendor to obtain the fix.