MicroWorld Technologies confirmed that a regional eScan update server configuration was breached and an unauthorized, malicious update was distributed to customers who downloaded updates during a two-hour window on January 20, 2026. Security firm Morphisec analyzed the incident (identifying a modified Reload.exe and a backdoor CONSCTLX.exe) while eScan says it isolated and rebuilt affected infrastructure, rotated credentials, provided remediation, and disputes aspects of Morphisec's disclosure. #eScan #CONSCTLX
Key points
- An eScan regional update server configuration was breached, allowing an unauthorized file into the update distribution path.
- The malicious update was delivered during a two-hour window on January 20, 2026, to customers using the affected regional cluster.
- Morphisec reports a modified Reload.exe with an invalid signature that enabled persistence, HOSTS file modifications, and downloads of a backdoor named CONSCTLX.exe.
- eScan says it isolated and rebuilt the infrastructure, rotated authentication credentials, issued a remediation update, and notified impacted customers.
- Both parties recommend blocking observed command-and-control servers and running eScan's remediation to restore proper update functionality.