TL;DR: On January 20, 2026, attackers compromised an eScan antivirus update server and pushed malware to users in India, Bangladesh, Sri Lanka, and the Philippines. The legitimate update channel delivered a malicious file carrying a forged digital signature instead of a security update. The malware broke eScan's update mechanism, disabled the Windows AMSI script-scanning interface, and established remote access. MicroWorld Technologies (eScan's maker) shut down its global update system for more than 8 hours. If you use eScan, you need to check your system manually. Automatic updates can't fix this one, because the malware disables them.
What Happened
Attackers gained access to an eScan regional update server and swapped out a legitimate file (reload.exe) with a malicious version.[1]
The replacement carried a forged digital signature, so it looked like any other signed update. When eScan clients ran their normal automatic update, they downloaded the malware instead of security updates.
Morphisec researchers were first to investigate the attack. Kaspersky confirmed detections on the same day, January 20, 2026.[2]
By January 21, MicroWorld Technologies had contained the incident. But the damage was already spreading across South Asia.
The Security Software Paradox
Here's the problem with antivirus software: it requires the highest privileges on your system. Full access to files. Permission to monitor everything. The ability to terminate processes.
That's exactly what attackers want.
When you compromise an antivirus vendor's update server, you get:
- A trusted delivery channel (users expect and accept updates)
- Elevated system privileges
- The ability to disable the very security tool meant to stop you
- A user who won't get suspicious about their AV running code
This isn't eScan's first time. In 2024, the same company was hit: attackers hijacked eScan's update mechanism, which at the time fetched updates over plain HTTP, to deliver the GuptiMiner backdoor and crypto miners through DLL sideloading.[3]
What the Malware Did
Once installed, the malware got to work:
Killed Updates
Modified registry settings, altered the hosts file, and broke eScan's update mechanism. Even after the malware is removed, automatic updates stay broken until those changes are reverted.
Bypassed Windows Security
Disabled the Antimalware Scan Interface (AMSI), the Windows component that lets security products inspect scripts and other content before they run.
Hunted Other AV
Specifically looked for Kaspersky products on the system. The attackers wanted to know what else might detect them.
Established Persistence
Created scheduled tasks disguised as "CorelDefrag" under Windows\Defrag\ directories, and modified CONSCTLX.exe as a fallback access path.
The payload ran three base64-encoded PowerShell scripts in sequence, with fallbacks if one failed.[1] Multiple C2 servers kept command-and-control alive even if some were blocked.
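The encoded-PowerShell pattern described above is visible in process-creation telemetry (Sysmon Event 1, Security Event 4688). The script below is an added example, not code from Morphisec, Kaspersky or MicroWorld: it decodes -EncodedCommand payloads found in command lines and flags the behaviours this section lists. The sample command lines, the placeholder host update.example.invalid and the indicator regexes are constructed for illustration; avp is Kaspersky's main process name.

```powershell
# Added example, not code from the original write-ups. Scans process command lines
# for base64-encoded PowerShell, decodes it, and flags the behaviours the post
# describes. All sample command lines below are constructed; no real eScan host,
# hash or C2 address is used.

function ConvertTo-EncodedCommand {
    # Builds test data the same way -EncodedCommand expects it:
    # base64 over the UTF-16LE bytes of the script text.
    param([Parameter(Mandatory)][string]$Script)
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

function Get-DecodedPowerShell {
    # Returns the decoded script if the command line carries an encoded payload, else $null.
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe accepts -EncodedCommand and unambiguous prefixes such as -e, -ec, -enc.
    # The base64 run must be at least 16 chars so "-ExecutionPolicy Bypass" does not match.
    $m = [regex]::Match($CommandLine, '(?i)\s-(e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{16,})')
    if (-not $m.Success) { return $null }
    try {
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($m.Groups[2].Value))
    } catch {
        return $null   # not valid base64; leave it for a human
    }
}

# Indicator patterns for the behaviours described in "What the Malware Did".
# The right-hand values are labels for this example, not vendor detection names.
$Indicators = [ordered]@{
    'drivers\\etc\\hosts'                                = 'hosts file modification'
    'schtasks|Register-ScheduledTask|New-ScheduledTask'  = 'scheduled task creation'
    'AmsiEnable|AmsiScanBuffer|\\AMSI\\Providers'        = 'AMSI tampering'
    'Kaspersky|\bavp\b'                                  = 'looks for Kaspersky (avp is its main process)'
    'CorelDefrag|\\Defrag\\'                             = 'CorelDefrag / Defrag names from the write-ups'
    'CONSCTLX'                                           = 'touches CONSCTLX.exe'
}

function Test-SuspiciousCommandLine {
    param([Parameter(Mandatory)][string[]]$CommandLines)
    foreach ($cl in $CommandLines) {
        $decoded = Get-DecodedPowerShell -CommandLine $cl
        if (-not $decoded) { continue }        # only encoded invocations are of interest here
        $hits = foreach ($pattern in $Indicators.Keys) {
            if ($decoded -match $pattern) { $Indicators[$pattern] }   # -match is case-insensitive
        }
        [pscustomobject]@{
            Suspicious  = [bool]$hits
            Indicators  = ($hits -join '; ')
            Decoded     = $decoded
            CommandLine = $cl
        }
    }
}

# Constructed samples: one plain admin invocation, one encoded payload mirroring the
# post's description (hosts edit, AMSI off, CorelDefrag task, Kaspersky check), and
# one encoded but benign script. update.example.invalid is a placeholder, not an eScan host.
$Samples = @(
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1'
    ('powershell.exe -w hidden -enc ' + (ConvertTo-EncodedCommand @'
Add-Content "$env:SystemRoot\System32\drivers\etc\hosts" "0.0.0.0 update.example.invalid"
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows Script\Settings" AmsiEnable 0
schtasks /create /tn CorelDefrag /tr "$env:SystemRoot\Defrag\svc.exe" /sc onlogon
Get-Process -Name avp -ErrorAction SilentlyContinue
'@))
    ('powershell.exe -EncodedCommand ' + (ConvertTo-EncodedCommand 'Get-Date | Out-File C:\Temp\heartbeat.txt'))
)

Test-SuspiciousCommandLine -CommandLines $Samples | Format-List Suspicious, Indicators, CommandLine
```

Feed it real command lines by piping the CommandLine field out of your SIEM or from Get-WinEvent; the first sample produces no object at all because it is not encoded, the second is flagged on every indicator, and the third decodes cleanly but is marked not suspicious, which is the case you want a human to glance at rather than auto-block.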
Who Got Hit
Kaspersky's telemetry shows infections concentrated in South Asia:
- India (primary target)
- Bangladesh
- Sri Lanka
- Philippines
Hundreds of machines affected, both individuals and organizations.[2]
MicroWorld says only a "small subset" of customers received the malicious update. Morphisec says every one of its customers running eScan was targeted. The truth is probably somewhere in between, and we may never know the full scope.
The Response
MicroWorld says it detected the intrusion within an hour through internal monitoring and took immediate action:[4]
- Isolated the affected infrastructure within that first hour
- Shut down the global update service for more than 8 hours
- Released patches to restore eScan's functionality on affected systems
The catch: if you were infected, automatic updates no longer work, because the malware broke that mechanism. You need manual intervention to clean up, and then you have to download the patch from eScan yourself.
What to Do If You Use eScan
- Check for infection signs: Look for scheduled tasks named "CorelDefrag" or files in Windows\Defrag\ you don't recognize
- Review your hosts file: Check C:\Windows\System32\drivers\etc\hosts for unexpected entries blocking eScan domains
- Check registry: Look for modified eScan exception rules
- Reset credentials: Any accounts accessed from the infected machine should have passwords changed
- Contact eScan directly: Get the manual update/patch from them. Don't rely on automatic updates
- Consider your AV choice: Two supply chain attacks in two years is a pattern
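The checks in the list above can be run in one pass. The script below is an added example, not MicroWorld's tooling or the researchers' code: it is read-only triage that reports the indicators the post names and changes nothing on the host. Assumptions are marked in the comments: the AmsiEnable registry value is one common AMSI-tampering method and the write-ups do not say which method this malware used; eScan's install path is not given on this page, so both Program Files trees are searched for reload.exe and CONSCTLX.exe; eScan's registry exception rules are not checked because their location is not documented here.

```powershell
# Added example, not MicroWorld's or the researchers' code. Read-only triage of the
# indicators the post lists; nothing on the host is modified. Run from an elevated
# PowerShell prompt and review the output; an empty result does not prove a clean host.

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param([string]$Check, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Scheduled tasks using the "CorelDefrag" name from the write-ups.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like '*CorelDefrag*' -or $_.TaskPath -like '*CorelDefrag*' } |
    ForEach-Object {
        $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName) -> $action"
    }

# 2. Anything under Windows\Defrag. That folder is not a standard Windows location,
#    so its existence alone is worth a look (path taken from the post).
$defragDir = Join-Path $env:SystemRoot 'Defrag'
if (Test-Path $defragDir) {
    Get-ChildItem $defragDir -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature $_.FullName
        Add-Finding 'DefragDir' "$($_.FullName) [$($sig.Status); signer: $($sig.SignerCertificate.Subject)]"
    }
}

# 3. Hosts file: every active (non-comment) line that is not the stock loopback entry.
#    Blocking a vendor's update hosts is normally done by pointing them at 127.0.0.1 or 0.0.0.0.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
    ForEach-Object { Add-Finding 'HostsEntry' $_.Trim() }

# 4. AMSI. AmsiEnable = 0 turns AMSI off for Windows Script Host; this is one common
#    tampering method, and an assumption here, since the write-ups do not name the method used.
$amsiKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script\Settings'
$amsi = Get-ItemProperty -Path $amsiKey -Name AmsiEnable -ErrorAction SilentlyContinue
if ($amsi -and $amsi.AmsiEnable -eq 0) { Add-Finding 'AMSI' "AmsiEnable = 0 under $amsiKey" }
#    AMSI providers are registered here; if the list is empty, no scanner is ever consulted.
$providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue
if (-not $providers) { Add-Finding 'AMSI' 'No AMSI providers registered' }

# 5. Signature status of the two eScan binaries named in the post. The install path is
#    not given, so both Program Files trees are searched (assumption; this can take a while).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($name in 'reload.exe', 'CONSCTLX.exe') {
    Get-ChildItem -Path $roots -Recurse -Filter $name -File -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature $_.FullName
        # Anything other than Valid, or a signer that is not the vendor, needs a human to look at it.
        Add-Finding 'BinarySignature' ("{0} [{1}; signer: {2}; modified: {3}]" -f
            $_.FullName, $sig.Status, $sig.SignerCertificate.Subject, $_.LastWriteTimeUtc.ToString('u'))
    }
}

if ($Findings.Count -eq 0) { 'No listed indicators found. This does not prove the host is clean.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

Treat the output as leads, not verdicts: a hosts entry may be a legitimate local override, and a binary whose signature status is anything other than Valid should be compared against a copy obtained directly from eScan before you decide. Cleanup and the manual patch still come from the vendor.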
The Bigger Picture
Software supply chain attacks are accelerating. In 2025, third-party vendors were involved in 30% of all breaches, double the prior year.
Antivirus software is a particularly attractive target because:
- Users trust it implicitly
- It has maximum system privileges
- The update mechanism is designed to run code automatically
- Attackers can disable the very tool meant to detect them
This won't be the last AV supply chain attack. The incentives are too good.
The Bottom Line
Your antivirus requires absolute trust. It runs with the highest privileges on the machine and can read and change anything. When that trust is violated, when the security tool itself becomes the attack vector, there's no second line of defense.
eScan users in South Asia learned this on January 20. The software protecting them delivered the malware instead.
Two takeaways: First, if you use eScan, check your system now and get the manual patch. Second, remember that any software you trust completely (especially security software) becomes a high-value target precisely because of that trust.
References
Published: February 3, 2026