eScan confirms update server breached to push malicious update

andytan

Level 1
Thread author
May 10, 2024

MicroWorld Technologies, the maker of the eScan antivirus product, has confirmed that one of its update servers was breached and used to distribute an unauthorized update later analyzed as malicious to a small subset of customers earlier this month.


The file was delivered to customers who downloaded updates from the regional update cluster during a two-hour window on January 20, 2026.


eScan says the affected infrastructure has since been isolated and rebuilt, authentication credentials have been rotated, and remediation has been made available to impacted customers.


Security firm Morphisec separately published a technical report analyzing malicious activity observed on customer endpoints, which it associates with updates delivered from eScan's update infrastructure during the same timeframe.


Morphisec states that it detected malicious activity on January 20, 2026, and later contacted eScan. MicroWorld Technologies told BleepingComputer it disputes Morphisec's claims that it was the first to discover or report the incident.


According to eScan, the company detected the issue internally on January 20 through monitoring and customer reports, isolated the affected infrastructure within hours, and issued a security advisory on January 21. eScan says Morphisec contacted the company later, after publishing public claims about the incident.


eScan also disputes claims that affected customers were unaware of the issue, stating that it conducted proactive notifications and direct outreach to impacted customers while remediation was being finalized.


Update infrastructure breached


In its advisory, eScan classified the incident as an update infrastructure access incident, stating that unauthorized access to a regional update server configuration allowed an unauthorized file to be placed in the update distribution path.


"Unauthorized access to one of our regional update server configurations resulted in an incorrect file (patch configuration binary/corrupt update) being placed in the update distribution path," reads an advisory shared with BleepingComputer by MicroWorld Technologies.


"This file was distributed to customers downloading updates from the affected server cluster during a limited timeframe on January 20, 2026."


The company emphasized that the incident did not involve a vulnerability in the eScan product itself.


eScan stressed that only those whose software was updated from the specific regional cluster were impacted, while all other customers remained unaffected.


However, eScan says that those who installed the malicious update may have seen this behavior on their systems:


  • Update service failure notifications
  • Modified system hosts file preventing connection to eScan update servers
  • eScan update configuration file modifications
  • Inability to receive new security definition updates
  • Update unavailability popup on client machines

BleepingComputer contacted eScan with further questions on when its systems were initially breached and will update the story if we receive a reply back.


Update deployed to push malware


Morphisec's security bulletin says that the malicious update pushed down a modified version of an eScan update component, "Reload.exe".


"Malicious updates were distributed through eScan's legitimate update infrastructure, resulting in the deployment of multi-stage malware to enterprise and consumer endpoints globally," reads Morphisec's bulletin.


While the modified Reload.exe is signed with what appears to be eScan's code-signing certificate, both Windows and VirusTotal show the signature as invalid.


According to Morphisec, the Reload.exe file [VirusTotal] was used to enable persistence, execute commands, modify the Windows HOSTS file to prevent remote updates, and connect to the C2 infrastructure to download further payloads.


The researchers say the following command and control servers were observed:


hxxps[://]vhs[.]delrosal[.]net/i
hxxps[://]tumama[.]hns[.]to
hxxps[://]blackice[.]sol-domain[.]org
hxxps[://]codegiant[.]io/dd/dd/dd[.]git/download/main/middleware[.]ts
504e1a42.host.njalla[.]net
185.241.208[.]115

The final payload seen deployed was a file named CONSCTLX.exe [VirusTotal], which Morphisec says acts as a backdoor and a persistent downloader. Morphisec says that the malicious files created scheduled tasks for persistence using names like "CorelDefrag".


eScan has created a remediation update that customers can run to perform the following actions:


  • Automatically identifies and corrects incorrect modifications
  • Re-enables proper eScan update functionality
  • Verifies successful restoration
  • Requires standard system restart

Both eScan and Morphisec recommend that customers block the above command and control servers for additional security.


In 2024, North Korean hackers were observed exploiting the updating mechanism of eScan antivirus to plant backdoors on corporate networks.
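Endpoint triage for the indicators the article reports (the "CorelDefrag" scheduled task, HOSTS entries that cut the client off from eScan's update servers, and a Reload.exe whose signature Windows reports as invalid), as an added example that is not part of the article and is not eScan's or Morphisec's tooling. It assumes an elevated PowerShell session and the eScan install directory shown (an assumption; adjust it for your deployment). The article does not say where CONSCTLX.exe is dropped, so the search locations for it are also an assumption. Hashes are printed so they can be compared against the values published by the vendors.

```powershell
# Added example: triage one Windows endpoint for the eScan incident indicators.
# Not from the article, eScan or Morphisec. Run elevated.

# ASSUMPTION: eScan install directory; change to match your deployment.
$EscanDir  = 'C:\Program Files (x86)\eScan'
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Findings  = New-Object System.Collections.Generic.List[string]

# 1. Scheduled-task persistence: the article names a task called "CorelDefrag".
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like '*CorelDefrag*' }
foreach ($t in $tasks) {
    $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    $Findings.Add("Suspicious scheduled task: $($t.TaskPath)$($t.TaskName) -> $actions")
}

# 2. HOSTS tampering: a legitimate hosts file has no reason to pin eScan/MicroWorld
#    update hosts, so any active (non-comment) line naming them is a finding.
if (Test-Path $HostsPath) {
    Get-Content $HostsPath | ForEach-Object {
        $line = $_.Trim()
        if ($line -and -not $line.StartsWith('#') -and $line -match 'escan|microworld') {
            $Findings.Add("HOSTS entry touching eScan infrastructure: $line")
        }
    }
}

# 3. Reload.exe signature: the trojanized copy carries a signature Windows reports
#    as invalid, so any status other than 'Valid' is worth a look. Record the hash
#    for comparison with the vendor-published values.
$reload = Get-ChildItem -Path $EscanDir -Filter 'Reload.exe' -Recurse -ErrorAction SilentlyContinue
foreach ($f in $reload) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    if ($sig.Status -ne 'Valid') {
        $Findings.Add("Reload.exe with non-valid signature ($($sig.Status)) at $($f.FullName), SHA256 $hash")
    }
}

# 4. Second-stage payload named by Morphisec. ASSUMPTION: drop locations; the
#    article does not state where CONSCTLX.exe lands, so widen this if needed.
$searchRoots = @($env:ProgramData, ${env:ProgramFiles(x86)}, $env:ProgramFiles, $env:TEMP) |
    Where-Object { $_ -and (Test-Path $_) }
$payload = Get-ChildItem -Path $searchRoots -Filter 'CONSCTLX.exe' -Recurse -ErrorAction SilentlyContinue
foreach ($p in $payload) {
    $phash = (Get-FileHash -Path $p.FullName -Algorithm SHA256).Hash
    $Findings.Add("CONSCTLX.exe present at $($p.FullName), SHA256 $phash")
}

if ($Findings.Count -eq 0) {
    Write-Output "No eScan incident indicators found on $($env:COMPUTERNAME)"
} else {
    Write-Output "Indicators found on $($env:COMPUTERNAME):"
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

A clean result here does not prove the host was never affected: the article describes a downloader stage that fetched further payloads, so a host that pulled updates from the affected cluster in the window should still be isolated and run through the vendor's remediation and an independent scan.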
 
This is a classic “trusted update channel” (supply-chain) incident: a compromised update server can turn even security software into an initial access vector, so the safest response is to treat potentially affected endpoints as suspect until verified clean.

What’s confirmed in reports (key points)
  • eScan/MicroWorld confirmed unauthorized content was placed in the update distribution path on a regional cluster, with distribution reported during a limited window on January 20, 2026.
  • Morphisec reports the update chain involved a trojanized eScan component (Reload.exe) and follow-on payloads, plus tampering intended to block further eScan updates (hosts file / config / registry), which can break “self-healing” via normal updating.

If you run eScan: practical, low-risk response steps
  • Assume you may be affected if your eScan clients updated on January 20, 2026 (especially if you’re in the impacted regional update cluster). Preserve logs if possible (update logs, Windows Event Logs, EDR telemetry).
  • Isolate any suspected endpoints from the network (at least from sensitive segments) until you’ve confirmed integrity. This reduces risk if a backdoor/downloader stage is present.
  • Use vendor-provided remediation (eScan’s remediation/patch process) rather than relying on normal definition updates, because the reported behavior includes update-blocking tampering.
  • Hunt for the specific persistence and tampering behaviors reported:
    • Unexpected Scheduled Tasks under Windows\Defrag\ (Morphisec mentions examples like “Windows\Defrag\CorelDefrag”).
    • HOSTS file modifications blocking access to eScan update infrastructure.
    • Suspicious GUID-named keys under HKLM\Software\ containing unusual/encoded data.
  • Add temporary network blocks for the published defanged C2 indicators at the DNS/proxy/firewall layer (as a precaution), and monitor for any connection attempts to them (that’s often as valuable as blocking).
  • Run independent second-opinion scanning (not just the potentially impacted product) and, for business environments, treat this as an incident-response event (credential review for accounts used on affected machines, plus forensic triage).

Why this needs extra care
  • When malware tampers with the updater (hosts/config/registry), “just update to get fixed” may fail on the very machines that need it most.
  • Even if the malicious stage is removed, you still need to confirm the endpoint wasn’t used to establish additional persistence or steal credentials during the window of exposure.

Bottom line
If there’s any chance your eScan endpoints pulled updates on January 20, 2026, treat this as a potential compromise: isolate, apply the vendor’s remediation path, verify persistence/tampering indicators, and validate cleanliness with independent scanning before returning systems to normal operation.

Sources
 
MITRE ATT&CK Mapping

T1195.002

Supply Chain Compromise (Software Tools)

T1053.005
Scheduled Task/Job (CorelDefrag persistence)

T1562.006
Impair Defenses (Modify Windows HOSTS file to block updates)

CVE Profile
N/A (Infrastructure Breach).

CISA KEV Status
Active Monitoring (Supply chain incidents of this nature typically bypass standard CVE categorization).

Live Evidence Extraction

Malicious File

Reload.exe
(SHA256: 8f2fe9dc184ba209f78d1b81f87f7d39f0d260b8d6dc1f7af9f256071d8c9fe0).

Secondary Payload
CONSCTLX.exe
(SHA256: bec369597633eac7cc27a698288e4ae8d12bdd9b01946e73a28e1423b17252b1).

Persistence Indicator
Scheduled Task named "CorelDefrag".

Network Indicators (C2)

vhs[.]delrosal[.]net

tumama[.]hns[.]to

blackice[.]sol-domain[.]org

185.241.208[.]115


Remediation - THE ENTERPRISE TRACK (SANS PICERL)

Phase 1: Identification & Containment
Identify endpoints that pulled updates between 18:00 and 20:00 UTC on Jan 20, 2026.

Isolate these hosts immediately to prevent lateral movement of the CONSCTLX.exe backdoor.

Check for invalid digital signatures on Reload.exe in the application path.

Phase 2: Eradication
Deploy eScan's remediation update to revert HOSTS file modifications and remove the CorelDefrag scheduled task.

Block documented C2 IPs/domains at the perimeter firewall.

Phase 3: Recovery
Rebuild systems where CONSCTLX.exe activity (C2 callbacks) was verified.

Rotate administrative credentials if an infected device was used for privileged access.

Phase 4: Lessons Learned
Audit third-party software update mechanisms. Implement EDR rules to flag invalid digital signatures for known-good binaries.

Remediation - THE HOME USER TRACK

Priority 1: Safety

Disconnect the computer from the internet. Use a secondary clean device to download the official eScan remediation tool.

Priority 2: Identity
After cleaning the device, reset passwords for your email and banking accounts. Ensure Multi-Factor Authentication (MFA) is enabled.

Priority 3: Persistence
Check "Scheduled Tasks" for any unusual entries like "CorelDefrag" and delete them if present.

Sources & Hardening

BleepingComputer (Original Report)

Morphisec (Security Bulletin)

Baseline
Follow CIS Benchmarks for OS hardening, specifically disabling unauthorized scheduled tasks and restricting HOSTS file write access.

Framework
NIST SP 800-61r2 for comprehensive incident handling lifecycle management.

Tactical
Utilize the SANS "Find Evil" cheat sheet for hunting persistence in the Windows Registry and Task Scheduler.
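The published C2 indicators refanged into a match list and swept against the endpoint's DNS client cache and a set of proxy log lines, as an added example that is neither from the thread nor from eScan or Morphisec. It supports the advice above to both block the indicators and watch for connection attempts to them. The log lines are constructed for illustration; ConvertFrom-Defanged and Find-IocHits are names chosen for this example.

```powershell
# Added example: refang the article's defanged indicators and hunt for contact.
# Not from the thread, eScan or Morphisec.

function ConvertFrom-Defanged {
    param([Parameter(Mandatory)][string]$Indicator)
    # Reverse common defanging: hxxp -> http, [://] -> ://, [.] -> .
    $s = $Indicator -replace '^hxxp', 'http'
    $s = $s -replace '\[://\]', '://'
    $s = $s -replace '\[\.\]', '.'
    # Keep only the host part so the list matches DNS names and IPs in logs.
    if ($s -match '^[a-z]+://([^/]+)') { $s = $Matches[1] }
    return $s.ToLowerInvariant()
}

# Indicators exactly as published (defanged) in the article.
$Defanged = @(
    'hxxps[://]vhs[.]delrosal[.]net/i',
    'hxxps[://]tumama[.]hns[.]to',
    'hxxps[://]blackice[.]sol-domain[.]org',
    'hxxps[://]codegiant[.]io/dd/dd/dd[.]git/download/main/middleware[.]ts',
    '504e1a42.host.njalla[.]net',
    '185.241.208[.]115'
)
$WatchHosts = $Defanged | ForEach-Object { ConvertFrom-Defanged $_ } | Sort-Object -Unique

function Find-IocHits {
    param([string[]]$Lines, [string[]]$Watch)
    # Emit one object per (indicator, line) pair that matches; case-insensitive.
    foreach ($line in $Lines) {
        $lower = $line.ToLowerInvariant()
        foreach ($h in $Watch) {
            if ($lower.Contains($h)) {
                [pscustomobject]@{ Indicator = $h; Line = $line }
            }
        }
    }
}

# 1. Live check: has this endpoint resolved any of the C2 names recently?
$cacheHits = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
    $entry = $_.Entry.ToLowerInvariant()
    ($WatchHosts | Where-Object { $entry.EndsWith($_) }).Count -gt 0
}
foreach ($c in $cacheHits) { Write-Output "DNS cache hit: $($c.Entry) -> $($c.Data)" }

# 2. Log sweep. CONSTRUCTED sample lines; in practice feed Get-Content on an
#    exported proxy or DNS log. Three of the four lines should match.
$SampleLog = @(
    '2026-01-20T18:42:11Z 10.0.5.23 CONNECT vhs.delrosal.net:443 ALLOWED',
    '2026-01-20T18:42:12Z 10.0.5.23 GET https://codegiant.io/dd/dd/dd.git/download/main/middleware.ts',
    '2026-01-20T18:45:00Z 10.0.5.40 CONNECT update.microsoft.com:443 ALLOWED',
    '2026-01-20T18:47:09Z 10.0.5.23 TCP 185.241.208.115:443 SYN'
)
Find-IocHits -Lines $SampleLog -Watch $WatchHosts | Format-Table -AutoSize
```

Hits are more useful than blocks on their own: a block silently stops the beacon, while a logged attempt tells you which host had the downloader stage running and therefore needs the full isolate-and-remediate treatment rather than a definitions update.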
 

All these good results in vain
 
Don't trust Indian antivirus programs. In fact, trust Bitdefender, Kaspersky, Eset, Norton. They won't let you down.
Do you know anything about SolarWinds supply chain attack?

Also, many of the antivirus solutions were coded into the malware kill list, including MD, Avast, AVG, Eset and F-Secure.
 
Can you tell us why K7 is better? Thank you!

~Tachikoma
1.Blazing Performance: K7 is widely recognized for its low system impact.
2.Proprietary Technology: Unlike some local brands that license engines from foreign firms, K7 uses its own proprietary scan engine and MAT (Multi-layered Artificial intelligence Technology). This allows the company to push updates and adapt to local threats without waiting for third-party partners.
3.Unmatched Affordability
 
Nano AV uses its own proprietary engine and it is bad.

I am not sure if @Shadowra tested K7?