
Jan 29, 2026 · 5 min read

Your Antivirus Just Pushed Malware—eScan's Update Server Was Hacked

Attackers compromised eScan's update infrastructure and distributed malicious updates to customers for two hours before detection. The malware established backdoors on affected systems.


The Attack Window

On January 20, 2026, attackers breached one of eScan's regional update servers and injected malicious code into the update distribution path. For approximately two hours, customers who downloaded updates from that specific server cluster received malware instead of legitimate security patches.

MicroWorld Technologies, the company behind eScan, detected the breach through internal monitoring and customer reports. They issued a security advisory the following day and published a detailed analysis on January 28.

How the Attack Worked

The attackers distributed a modified version of "Reload.exe," a legitimate component of eScan's update system. The malicious file carried what looked like eScan's code-signing certificate, but the signature did not validate against the file's contents. An Authenticode signature that is present but invalid means the binary was altered after it was signed, or the signature block was lifted from a genuine file; either way it is a red flag, and it went unnoticed during the brief attack window.
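The check that would have caught this, as an added example that is not eScan's code: walk an eScan install directory, verify each binary's Authenticode signature, and flag anything that is unsigned, fails validation, or is signed by an unexpected publisher. The install path and the signer-name fragment below are assumptions; confirm both against a machine known to be clean.

```powershell
# Added example (not eScan's code). Checks the Authenticode signature of the
# executables in an eScan install and flags any whose signature is absent,
# broken, or made by an unexpected signer. The install path and the signer
# name fragment are assumptions: confirm both against a known-clean machine.
$InstallDir     = 'C:\Program Files (x86)\eScan'   # assumed install location
$ExpectedSigner = 'MicroWorld'                      # assumed fragment of the legitimate signer's CN

function Test-SignedComponent {
    param([Parameter(Mandatory)][string]$Path, [string]$Signer = $ExpectedSigner)

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $sha256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # HashMismatch = a signature block is present but the file was altered after
    # signing (or the block was copied from another file); NotSigned = no signature
    # at all; NotTrusted = the chain does not lead to a trusted root. Only Valid
    # together with the expected signer counts as OK.
    $verdict = if ($sig.Status -eq 'Valid' -and $subject -like "*$Signer*") { 'OK' } else { 'SUSPECT' }

    [pscustomobject]@{
        Verdict = $verdict
        Status  = $sig.Status
        Signer  = $subject
        Sha256  = $sha256
        Path    = $Path
    }
}

Get-ChildItem -LiteralPath $InstallDir -Include '*.exe','*.dll' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-SignedComponent -Path $_.FullName } |
    Sort-Object Verdict -Descending |
    Format-Table Verdict, Status, Signer, Path -AutoSize
```

SUSPECT rows sort to the top. Compare the SHA256 of any SUSPECT file with the hashes in eScan's advisory before acting on it, and keep in mind what a Valid result does and does not prove: the file was signed by that certificate and has not changed since, nothing more. A signing key stolen from the vendor would still produce Valid, which is why the signer check and the hash comparison matter as well.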

According to security firm Morphisec, which independently analyzed the attack, the compromised update component enabled attackers to:

  • Establish persistence on infected systems
  • Execute arbitrary commands remotely
  • Modify Windows HOSTS files to block future eScan updates
  • Connect to command and control infrastructure

The Malware Payload

The final stage of the attack delivered a backdoor called CONSCTLX.exe. This malware created scheduled tasks with innocuous names like "CorelDefrag" to maintain access even after system reboots.

Particularly concerning: the malware modified the Windows HOSTS file to block connections to eScan's update servers, so infected systems could not receive the remediation updates that would have cleaned the infection. This self-preservation mechanism had to be undone by hand before any cleanup could reach an affected machine.

Indicators You Were Affected

eScan customers may have been impacted if they experienced any of the following after January 20:

  • Update service failures or errors
  • Pop-up notifications about unavailable updates
  • Modified hosts files blocking eScan domains
  • Unexplained changes to eScan configuration files
  • New scheduled tasks with unfamiliar names

Only customers who downloaded updates from the specific affected regional cluster during the two-hour window were at risk. eScan emphasized that customers updating from other servers remained unaffected.

The Command and Control Infrastructure

Security researchers identified several command and control servers used in the attack, including the domains vhs.delrosal.net and tumama.hns.to. The second is notable: hns.to is a gateway that resolves names from Handshake, a decentralized naming system, so the underlying Handshake name cannot be seized the way a conventional domain can. The gateway hostname itself is ordinary DNS, however, so blocking hns.to at your resolver or proxy is a practical control.

Network administrators should check firewall logs for connections to the IP address 185.241.208.115, and DNS or proxy logs for the domains above, as potential indicators of compromise. A dropped connection attempt is still a hit: it means the host tried to reach the attackers' infrastructure.
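An added example of that log check, not taken from the advisory or from Morphisec's analysis: it scans firewall log lines for the published indicators. The sample lines are constructed in the Windows Firewall (pfirewall.log, W3C) layout so the block runs offline; point $LogPath at a real log to run it for real. The indicator values are the ones named above.

```powershell
# Added example (not from eScan or Morphisec). Scans firewall log lines for the
# published C2 indicators. $SampleLog is constructed test data in the Windows
# Firewall W3C layout; replace it with Get-Content on a real pfirewall.log.
$IocIps     = @('185.241.208.115')
$IocDomains = @('vhs.delrosal.net', 'tumama.hns.to')
$LogPath    = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"   # default location, if logging is on

$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-01-20 14:02:11 ALLOW TCP 10.0.5.23 185.241.208.115 51822 443 0 - 0 0 0 - - - SEND
2026-01-20 14:02:15 ALLOW TCP 10.0.5.23 142.250.74.206 51823 443 0 - 0 0 0 - - - SEND
2026-01-20 14:05:40 ALLOW UDP 10.0.5.41 10.0.0.2 60311 53 0 - - - - - - - SEND
2026-01-20 14:06:02 DROP TCP 10.0.5.41 185.241.208.115 60320 8080 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

function Find-C2Hits {
    param([string[]]$Lines, [string[]]$Ips, [string[]]$Domains)

    $ipSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$Ips)
    foreach ($line in $Lines) {
        if ($line -match '^\s*(#|$)') { continue }         # header, comment or blank line
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }

        # W3C layout: 0 date, 1 time, 2 action, 3 protocol, 4 src-ip, 5 dst-ip, 6 src-port, 7 dst-port
        $hit = $null
        if ($ipSet.Contains($f[5]))     { $hit = $f[5] }
        elseif ($ipSet.Contains($f[4])) { $hit = $f[4] }    # inbound from C2 counts too
        else {
            # Proxy or DNS logs carry hostnames rather than addresses; match those literally.
            foreach ($d in $Domains) { if ($line -match [regex]::Escape($d)) { $hit = $d; break } }
        }
        if ($hit) {
            [pscustomobject]@{
                Timestamp = "$($f[0]) $($f[1])"
                Action    = $f[2]
                Source    = $f[4]
                Dest      = "$($f[5]):$($f[7])"
                Indicator = $hit
            }
        }
    }
}

# Offline run against the constructed sample; swap in the real log when ready:
#   Find-C2Hits -Lines (Get-Content -LiteralPath $LogPath) -Ips $IocIps -Domains $IocDomains
Find-C2Hits -Lines $SampleLog -Ips $IocIps -Domains $IocDomains | Format-Table -AutoSize
```

In the constructed sample, two lines reference the indicator address from two different internal hosts: one ALLOWed on 443 and one DROPped on 8080. Both are reported on purpose, since a DROP still means that host attempted to reach C2 and belongs on the triage list.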

This Isn't eScan's First Incident

eScan's update mechanism had already been abused by threat actors linked to North Korea, in a campaign publicly described by Avast in 2024. That campaign relied on a man-in-the-middle weakness in the update channel that had existed for at least five years before eScan patched it in July 2023, and used it to deliver the GuptiMiner malware into large corporate networks.

The 2026 incident appears to be a direct server compromise rather than a protocol vulnerability, but the pattern of attackers targeting antivirus update mechanisms continues. Security tools represent high value targets precisely because users trust them.

eScan's Response

eScan stated that it has isolated the compromised infrastructure, rotated all authentication credentials, and released remediation updates. The company claims these updates automatically correct the modifications made by the malware and restore normal update functionality.

However, because the malware blocks connections to the update servers, a machine that is already infected may never receive that fix on its own. On those machines the HOSTS entries have to be removed by hand, or the file restored from a known-good copy, before the automatic remediation can reach them.

The Broader Supply Chain Risk

Supply chain attacks targeting security software are particularly dangerous because they weaponize the trust users place in their protection tools. When your antivirus becomes the malware delivery mechanism, traditional security assumptions break down.

This attack joins a growing list of software supply chain compromises, among them the SolarWinds Orion backdoor and the CCleaner backdoor. Neither of those products was an antivirus, which makes the lesson broader rather than narrower: any widely trusted update channel can become the attack vector, and a security product's channel is the most valuable one to subvert.

For organizations, this underscores the importance of update verification, network segmentation, and maintaining visibility into software behavior—even for trusted security tools.

What to Do Now

If you use eScan antivirus:

  • Check your Windows HOSTS file for unauthorized entries blocking eScan domains
  • Look for scheduled tasks with unfamiliar names, particularly "CorelDefrag"
  • Review network logs for connections to the identified command and control infrastructure
  • Ensure you can receive updates—if blocked, manually restore the HOSTS file
  • Run a full system scan with an alternative antivirus tool as a second opinion
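The first four steps above, as one added example that is not eScan's remediation tool: list HOSTS entries that redirect eScan update hosts, remove them after taking a backup, and enumerate scheduled tasks whose name or action looks out of place, including the "CorelDefrag" name reported for this campaign. The eScan domain list is an assumption; take the real update hostnames from eScan's advisory. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not eScan's remediation tool). Implements the HOSTS and
# scheduled-task checks from the list above. The eScan domain list is an
# assumption: take the real update hostnames from eScan's advisory.
$EscanDomains  = @('escanav.com', 'mwti.net')   # assumed; replace with eScan's published update hosts
$KnownBadTasks = @('CorelDefrag')               # task name reported in the write-up
$HostsPath     = "$env:SystemRoot\System32\drivers\etc\hosts"

function Get-HostsBlockEntries {
    param([string]$Path = $HostsPath, [string[]]$Domains = $EscanDomains)
    $lineNo = 0
    foreach ($line in @(Get-Content -LiteralPath $Path)) {
        $lineNo++
        $body  = ($line -split '#', 2)[0].Trim()     # drop comments, keep "address name name..."
        $parts = $body -split '\s+'
        if ($parts.Count -lt 2) { continue }         # blank, comment-only, or address without names
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            foreach ($d in $Domains) {
                if ($name -eq $d -or $name -like "*.$d") {
                    [pscustomobject]@{ Line = $lineNo; Address = $parts[0]; Host = $name; Text = $line }
                }
            }
        }
    }
}

function Remove-HostsBlockEntries {
    param([string]$Path = $HostsPath, [string[]]$Domains = $EscanDomains)
    $bad = @(Get-HostsBlockEntries -Path $Path -Domains $Domains)
    if ($bad.Count -eq 0) { Write-Host "No entries for the listed domains in $Path"; return }
    $backup = "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $Path -Destination $backup          # preserve evidence before editing
    $badLines = @($bad.Line | Sort-Object -Unique)
    $all  = @(Get-Content -LiteralPath $Path)
    $kept = for ($i = 0; $i -lt $all.Count; $i++) { if (($i + 1) -notin $badLines) { $all[$i] } }
    Set-Content -LiteralPath $Path -Value @($kept) -Encoding ASCII
    Write-Host "Removed $($bad.Count) entries; original saved to $backup"
}

function Get-SuspiciousTasks {
    param([string[]]$KnownBad = $KnownBadTasks)
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            $exe       = [string]$a.Execute              # empty for COM-handler actions
            $arguments = [string]$a.Arguments
            $flags = @()
            if ($task.TaskName -in $KnownBad) { $flags += 'known-bad-name' }
            if ($exe -and $exe -notmatch '^"?(?:%SystemRoot%|%windir%|C:\\Windows|C:\\Program Files|%ProgramFiles)') {
                $flags += 'binary-outside-system-dirs'
            }
            if ("$exe $arguments" -match '\\(?:Temp|AppData|ProgramData|Users\\Public)\\') { $flags += 'user-writable-path' }
            if ($flags.Count -gt 0) {
                [pscustomobject]@{
                    Flags = $flags -join ','; TaskPath = $task.TaskPath; TaskName = $task.TaskName
                    Author = $task.Author; Registered = $task.Date; Execute = $exe; Arguments = $arguments
                }
            }
        }
    }
}

Get-HostsBlockEntries | Format-Table -AutoSize
Get-SuspiciousTasks   | Format-Table Flags, TaskPath, TaskName, Execute -AutoSize
# Remove-HostsBlockEntries   # run only after reviewing the entries listed above
```

The task list is a triage list, not a verdict: legitimate updaters that live under a user profile will also carry the user-writable-path flag, so review Author, Registered and the full command line before deleting anything. The HOSTS removal keeps a timestamped backup precisely because those entries are evidence of the compromise; preserve it for the incident record before letting the machine update again.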

For everyone else, this incident is a reminder that no security software is immune to compromise. Layered defenses, behavioral monitoring, and healthy skepticism—even toward your protection tools—remain essential.