
TL;DR: On January 20, 2026, attackers compromised an eScan antivirus update server and pushed malware to users in India, Bangladesh, Sri Lanka, and the Philippines. The legitimate antivirus update channel delivered a fake-signed malicious file instead of a security patch. The malware disabled updates, bypassed Windows security, and established remote access. MicroWorld Technologies (eScan's maker) shut down their global update system for 8+ hours. If you use eScan, you need to manually check your system. Automatic updates can't fix this one.

What Happened

Attackers gained access to an eScan regional update server and swapped out a legitimate file (reload.exe) with a malicious version.[1]

The file carried a fake digital signature. When eScan users ran their normal automatic updates, they downloaded malware instead of security patches.

Morphisec researchers were first to investigate the attack. Kaspersky confirmed detections on the same day, January 20, 2026.[2]

By January 21, MicroWorld Technologies had contained the incident. But the damage was already spreading across South Asia.

The Security Software Paradox

Here's the problem with antivirus software: it requires the highest privileges on your system. Full access to files. Permission to monitor everything. The ability to terminate processes.

That's exactly what attackers want.

When you compromise an antivirus vendor's update server, you get:

  • A trusted delivery channel (users expect and accept updates)
  • Elevated system privileges
  • The ability to disable the very security tool meant to stop you
  • A user who won't get suspicious about their AV running code

eScan isn't the first. In 2024, the same company was hit: attackers exploited a vulnerability to sideload the GuptiMiner backdoor and crypto miners.[3]

What the Malware Did

Once installed, the malware got to work:

Killed Updates

Modified registry settings, altered the hosts file, and broke eScan's update mechanism. Even after removal, automatic patching won't work.

Bypassed Windows Security

Disabled the Windows Antimalware Scan Interface (AMSI), the component that lets security tools inspect scripts and other in-memory content before they run.

Hunted Other AV

Specifically looked for Kaspersky products on the system. Attackers wanted to know what else might detect them.

Established Persistence

Created scheduled tasks disguised as "CorelDefrag" in Windows\Defrag\ directories. Modified CONSCTLX.exe for backup access.

The payload ran three PowerShell scripts in sequence, each base64-encoded, with fallback mechanisms if one failed.[1] Multiple C2 servers ensured command-and-control access even if some got blocked.

Who Got Hit

Kaspersky's telemetry shows infections concentrated in South Asia:

  • India (primary target)
  • Bangladesh
  • Sri Lanka
  • Philippines

Hundreds of machines affected, both individuals and organizations.[2]

MicroWorld claims only a "small subset" of customers got the malicious update. Morphisec says all their eScan-running customers were targeted. The truth is probably somewhere in between, and we may never know the full scope.

The Response

MicroWorld detected the intrusion within an hour via internal monitoring and took immediate action:[4]

  • Isolated affected infrastructure within 1 hour
  • Shut down global update service for 8+ hours
  • Released patches to restore functionality

The catch: if you were infected, automatic updates no longer work. The malware broke that mechanism. You need manual intervention to clean up and then manually download the patch from eScan.

What to Do If You Use eScan

  1. Check for infection signs: Look for scheduled tasks named "CorelDefrag" or files in Windows\Defrag\ you don't recognize
  2. Review your hosts file: Check C:\Windows\System32\drivers\etc\hosts for unexpected entries blocking eScan domains
  3. Check registry: Look for modified eScan exception rules
  4. Reset credentials: Any accounts accessed from the infected machine should have passwords changed
  5. Contact eScan directly: Get the manual update/patch from them. Don't rely on automatic updates
  6. Consider your AV choice: Two supply chain attacks in two years is a pattern
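The first three checks above, collected into one triage script. This is an added example, not code from eScan, MicroWorld or the researchers cited here; it assumes eScan's update hostnames contain the substring "escan" (`$DomainPattern`), that CONSCTLX.exe lives under a Program Files tree, and it leaves the registry exception review manual because the write-up names no key. Run it from an elevated PowerShell prompt.

```powershell
# Added eScan triage script (not vendor or researcher code). Assumptions are noted inline.
$DomainPattern = 'escan'   # assumed substring of eScan update hostnames
$findings = New-Object System.Collections.Generic.List[string]

# 1. Scheduled tasks disguised as "CorelDefrag" (by name or by task folder)
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like '*CorelDefrag*' -or $_.TaskPath -like '*Defrag*' } |
    ForEach-Object {
        $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings.Add("Scheduled task $($_.TaskPath)$($_.TaskName) runs: $action")
    }

# 2. Files under Windows\Defrag\, the location the write-up names; review anything unfamiliar
$defragDir = Join-Path $env:SystemRoot 'Defrag'
if (Test-Path $defragDir) {
    Get-ChildItem -Path $defragDir -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add("File in Defrag dir: $($_.FullName) (last write $($_.LastWriteTime))")
    }
}

# 3. Active (non-comment) hosts entries that would sinkhole eScan update domains
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsFile -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match $DomainPattern } |
    ForEach-Object { $findings.Add("hosts entry: $($_.Trim())") }

# 4. Authenticode status of every CONSCTLX.exe found; a tampered binary will not verify
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-ChildItem -Path $roots -Filter 'CONSCTLX.exe' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $findings.Add("$($_.FullName): signature $($sig.Status) ($($sig.SignerCertificate.Subject))")
    }

if ($findings.Count -eq 0) { 'No indicators from this write-up found.' } else { $findings }
```

A hit on any check is a reason to isolate the machine and obtain the manual patch from eScan rather than to attempt cleanup alone; an empty result does not prove the machine is clean, since the registry changes are not covered here.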

The Bigger Picture

Software supply chain attacks are accelerating. In 2025, third-party vendors were involved in 30% of all breaches, double the prior year.

Antivirus software is a particularly attractive target because:

  • Users trust it implicitly
  • It has maximum system privileges
  • The update mechanism is designed to run code automatically
  • Attackers can disable the very tool meant to detect them

This won't be the last AV supply chain attack. The incentives are too good.

The Bottom Line

Your antivirus requires absolute trust. It has root access to everything. When that trust is violated, when the security tool becomes the attack vector, there's no second line of defense.

eScan users in South Asia learned this on January 20. The software protecting them delivered the malware instead.

Two takeaways: First, if you use eScan, check your system now and get the manual patch. Second, remember that any software you trust completely (especially security software) becomes a high-value target precisely because of that trust.

References

  1. Securelist - eScan Supply Chain Attack Technical Analysis
  2. Help Net Security - eScan AV Supply Chain Compromise
  3. SecurityWeek - eScan Antivirus Delivers Malware
  4. Check Point Research - Threat Intelligence Report