Search

eScan Confirms Update Server Breached to Push Malicious Update

Cyber threats and incidents
By John Kevin Hao

Related

Cyber threats and incidents

TrickMo Android Banker Adopts TON Blockchain for Covert Command-and-Control

What happened ThreatFabric has identified a new variant of the...
Read more
Cyber threats and incidents

JDownloader Website Hacked to Replace Installers With Python RAT Malware

What happened The official JDownloader website was compromised between May...
Read more
Cyber threats and incidents

Attackers Abuse Google Ads and Claude.ai Shared Chats to Push Mac Malware

What happened An active malvertising campaign is abusing Google sponsored...
Read more
Cyber threats and incidents

New TCLBanker Malware Self-Spreads Over WhatsApp and Outlook

What happened Elastic Security Labs has documented a new Brazilian...
Read more
Cyber threats and incidents

Australia Warns of ClickFix Attacks Pushing Vidar Stealer Malware

What happened The Australian Signals Directorate’s Australian Cyber Security Centre...
Read more

Share

What happened

eScan Confirms Update Server Breached to Push Malicious Update reports that MicroWorld Technologies, the maker of the eScan antivirus product, confirmed one of its update servers was breached and used to distribute an unauthorized malicious update to a subset of customers. According to a security bulletin, the malicious update included a modified version of the eScan update component Reload.exe, which was digitally signed with what appeared to be an eScan code-signing certificate but showed as invalid in Windows and VirusTotal. The modified file was used to enable persistence, execute commands, modify the Windows hosts file to prevent remote updates, connect to command-and-control servers, and download additional payloads, including a backdoor named CONSCTLX.exe. eScan later released a remediation update for affected customers. 

Who is affected

Customers using eScan antivirus products whose update infrastructure reached the compromised update server on or around January 20, 2026 may have received the malicious update. The exposure involved those endpoints that accepted the unauthorized update from the breached server, potentially leading to malware deployment on affected systems. 

Why CISOs should care

This incident represents a compromise of a security software vendor’s update mechanism, illustrating how supply chain breaches in update infrastructure can deliver malicious components to enterprise and consumer endpoints. The unauthorized update contained malware designed to persist, block legitimate updates, and connect to external command-and-control servers, underscoring the importance of validating the integrity of software updates and trust chains. 

3 practical actions

Verify update authenticity. Confirm digital signatures and validity of antivirus update components before deployment to ensure they are legitimately issued by the vendor. 

Isolate affected endpoints. Identify systems that received the unauthorized update and isolate them to prevent further command-and-control communication. 

Deploy remediation update. Apply the remediation update provided by eScan to remove malicious components and restore legitimate update functionality. 

IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.

Previous article
FBI Seizes RAMP Cybercrime Forum Used by Ransomware Gangs
Next article
Cyberattack on the Polish Energy Grid Impacted Around 30 Facilities

Subscribe to our stories

To be updated with all the latest news, offers and special announcements.