eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware

Attackers compromised eScan’s update infrastructure to push a malicious update that replaced the legitimate reload.exe and installed a persistent downloader on enterprise and consumer endpoints. The multi-stage payload blocked product updates, established persistence, bypassed AMSI, and fetched additional components such as CONSCTLX.exe. MicroWorld isolated the update servers, issued a patch, and advised impacted customers to contact them.

Key points

  • Unauthorized access to a regional eScan update server allowed malicious updates to be distributed for about two hours on January 20, 2026.
  • The legitimate reload.exe was replaced by a rogue, fake-signed binary that uses UnmanagedPowerShell and an AMSI bypass to execute Base64-encoded PowerShell scripts.
  • The malware modifies HOSTS and Eupdate.ini, prevents product updates and automatic remediation, establishes persistence, and deploys CONSCTLX.exe plus additional PowerShell payloads.
  • Victim validation checks a blocklist of installed software and processes (including security tools like Kaspersky) to avoid infecting analysis or protected environments.
  • MicroWorld isolated affected servers, released a remediation patch, and urged impacted organizations to contact them; telemetry shows hundreds of attempted infections mainly in India, Bangladesh, Sri Lanka, and the Philippines.
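One defender-side check that follows from the second key point: a binary other than a PowerShell host loading the PowerShell engine DLL is the classic tell of UnmanagedPowerShell-style execution. The script below is an added example, not code from the article or from MicroWorld; it runs over constructed Sysmon Event ID 7 (ImageLoad) records in JSON-lines form, and the eScan install path and DLL locations in the samples are assumed, not taken from the report.

```python
"""Hunt for unmanaged PowerShell hosts in Sysmon ImageLoad (Event ID 7) records."""
import json

# Images that legitimately host the PowerShell engine.
LEGIT_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Module names that show the PowerShell engine was loaded into a process.
ENGINE_DLLS = {
    "system.management.automation.dll",
    "system.management.automation.ni.dll",
}


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_unmanaged_powershell(records):
    """Return (image, module) pairs where a non-PowerShell process loads the engine.

    Each record is a dict carrying the Sysmon fields EventID, Image and ImageLoaded.
    """
    hits = []
    for rec in records:
        if rec.get("EventID") != 7:          # only ImageLoad events matter here
            continue
        image = rec.get("Image", "")
        module = rec.get("ImageLoaded", "")
        if basename(module) in ENGINE_DLLS and basename(image) not in LEGIT_HOSTS:
            hits.append((image, module))
    return hits


def parse_jsonl(text):
    """Parse JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample telemetry (paths are assumed, not from the report).
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ImageLoaded": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Management.Automation.ni.dll"}
{"EventID": 7, "Image": "C:\\Program Files\\eScan\\reload.exe", "ImageLoaded": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll"}
{"EventID": 1, "Image": "C:\\Program Files\\eScan\\reload.exe", "CommandLine": "reload.exe"}
{"EventID": 7, "Image": "C:\\Windows\\explorer.exe", "ImageLoaded": "C:\\Windows\\System32\\shell32.dll"}
"""

if __name__ == "__main__":
    for image, module in find_unmanaged_powershell(parse_jsonl(SAMPLE_LOG)):
        print(f"ALERT unmanaged PowerShell host: {image} loaded {module}")
```

Only the rogue reload.exe record is flagged; the genuine powershell.exe load and the unrelated shell32.dll load pass through silently.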

Read More: https://thehackernews.com/2026/02/escan-antivirus-update-servers.html