What happened
The report "eScan Confirms Update Server Breached to Push Malicious Update" states that MicroWorld Technologies, the maker of the eScan antivirus product, confirmed one of its update servers was breached and used to distribute an unauthorized malicious update to a subset of customers. According to a security bulletin, the malicious update included a modified version of the eScan update component Reload.exe, which was digitally signed with what appeared to be an eScan code-signing certificate but showed as invalid in Windows and VirusTotal. The modified file was used to enable persistence, execute commands, modify the Windows hosts file to prevent remote updates, connect to command-and-control servers, and download additional payloads, including a backdoor named CONSCTLX.exe. eScan later released a remediation update for affected customers.
Who is affected
Customers using eScan antivirus products whose update infrastructure reached the compromised update server on or around January 20, 2026 may have received the malicious update. The exposure involved those endpoints that accepted the unauthorized update from the breached server, potentially leading to malware deployment on affected systems.
Why CISOs should care
This incident represents a compromise of a security software vendor's update mechanism, illustrating how supply chain breaches in update infrastructure can deliver malicious components to enterprise and consumer endpoints. The unauthorized update contained malware designed to persist, block legitimate updates, and connect to external command-and-control servers, underscoring the importance of validating the integrity of software updates and trust chains.
3 practical actions
Verify update authenticity. Confirm digital signatures and validity of antivirus update components before deployment to ensure they are legitimately issued by the vendor.
Isolate affected endpoints. Identify systems that received the unauthorized update and isolate them to prevent further command-and-control communication.
Deploy remediation update. Apply the remediation update provided by eScan to remove malicious components and restore legitimate update functionality.
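To help identify endpoints where the hosts file was altered to block updates, the following added example (not from the eScan bulletin or the original report) parses hosts-file text and flags entries that override update hostnames. The hostnames in WATCHED_SUFFIXES are placeholders and the sample file is constructed; substitute the update domains your deployment actually uses.

```python
import ipaddress

# Assumption: placeholder update domains; replace with the hostnames your
# eScan deployment actually uses. They are not taken from the bulletin.
WATCHED_SUFFIXES = ("update.vendor.example", "cdn.vendor.example")

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(entry) < 2:
            continue
        try:
            address = ipaddress.ip_address(entry[0])
        except ValueError:
            continue                            # not a valid mapping line
        for name in entry[1:]:
            yield line_no, address, name.lower().rstrip(".")

def find_update_overrides(text, suffixes=WATCHED_SUFFIXES):
    """Return hosts entries that pin a watched update hostname to any address."""
    hits = []
    for line_no, address, name in parse_hosts(text):
        if any(name == s or name.endswith("." + s) for s in suffixes):
            hits.append({
                "line": line_no,
                "host": name,
                "address": str(address),
                # Loopback/unspecified targets simply black-hole update traffic.
                "sinkholed": address.is_loopback or address.is_unspecified,
            })
    return hits

# Constructed sample, not taken from an affected machine.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0   update.vendor.example  eu.update.vendor.example   # added entry
203.0.113.10    CDN.vendor.example.
10.0.0.5        intranet.corp.example
"""

if __name__ == "__main__":
    for hit in find_update_overrides(SAMPLE_HOSTS):
        print(hit)
```

On Windows the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; any hit for an update hostname is worth investigating, since a legitimate install has no reason to pin those names locally.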
