In January 2026, attackers breached eScan Antivirus’s regional update infrastructure and weaponised its trusted update mechanism to push malicious payloads directly onto customer endpoints.
For most organisations, this represents a fundamental betrayal of trust. For the Talanos Security Operations Centre (SOC), it is precisely the scenario we train for - a threat that bypasses perimeter defences by masquerading as a legitimate software update. This paper covers the technical anatomy of the breach as it affected one of our eScan customers, and how Talanos’s threat hunting and incident response kept them protected.
The Anatomy of the Breach
On 20 January 2026, during a two-hour window, attackers gained unauthorised access to an eScan regional update cluster. Instead of delivering a security definition update, the server pushed an unauthorised, malicious file.
According to eScan’s official advisory, affected systems exhibited the following indicators:
| Indicator | Description |
|---|---|
| Update service failures | Notifications that the antivirus could not update |
| Hosts file modification | Entries redirecting eScan domains to a fake IP (4.5.6.0), severing vendor communication |
| Tampered executables | Legitimate components such as CONSCTLX.EXE replaced with malicious backdoors |
| Registry persistence | Debugger keys added to hijack legitimate eScan processes |
External analysis by Morphisec and BleepingComputer confirmed that the malicious file was a tampered version of Reload.exe. Although it appeared to bear eScan’s digital signature, that signature was invalid: it had been lifted from another eScan component and did not validate against the file’s contents. Its purpose was multi-stage - establish persistence, modify the hosts file to block remediation, and beacon out to command-and-control (C2) infrastructure.
Why This Matters
Supply chain attacks against security vendors can carry outsized consequences.
Erosion of trust. When antivirus updates themselves become a delivery mechanism for malware, organisations lose confidence in a foundational control. That doubt is difficult to recover.
Operational paralysis. A compromised endpoint security tool can trigger widespread device unavailability, data breaches, and the costly exercise of reimaging entire device fleets.
Lateral movement risk. The backdoor installed by this attack (a malicious replacement for CONSCTLX.exe) does not stay contained to a single machine. In a standard eScan installation, CONSCTLX.exe is the core service component responsible for real-time protection and scanning coordination. By replacing it with a backdoor running at elevated privileges - while preserving the original filename and timestamps - attackers gain a persistent beachhead from which they can:
- Maintain persistent communication with C2 servers
- Download additional payloads such as ransomware or credential stealers
- Scan the internal network and move laterally to high-value targets
Talanos in Action: Rapid Response for an eScan Client
While this incident threatened many organisations worldwide, the Talanos SOC detected, investigated, and neutralised the threat for its eScan clients before further damage could occur.
Phase 1: Initial Detection - Anomaly Hunting
Our SOC team identified suspicious activity across two endpoints, flagged by three distinct signals:
- Unexpected PowerShell execution: Scripts running with administrative privileges, with no legitimate business justification.
- Registry modifications: Debugger keys created under Image File Execution Options for multiple eScan executables.
- Hosts file tampering: The system hosts file had been modified to block communication with eScan’s update servers.
Phase 2: Deep Investigation - How Did the Script Arrive?
The PowerShell script was delivered entirely through eScan’s own update infrastructure - it was never manually executed by an attacker. According to Kaspersky’s analysis, the attack chain unfolded as follows:
- Infrastructure compromise: Attackers gained unauthorised access to an eScan regional update server.
- Component replacement: The legitimate reload.exe (an eScan update utility) was swapped for a heavily obfuscated malicious version.
- Fake signature: The malicious file bore a forged digital signature copied from a legitimate eScan component (EncDec.dll), making it appear authentic.
- Automatic execution: When eScan ran its normal Commit_Updates routine, it launched the compromised reload.exe.
- PowerShell injection: The malicious reload.exe initialised the Common Language Runtime (CLR) inside its own process and loaded a modified Unmanaged PowerShell tool to execute PowerShell code, bypassing AMSI entirely.
Forensic Findings
Upon isolating the affected devices, our analysts conducted a full forensic review. The malicious PowerShell script was captured in its entirety via Script Block Logging (Event ID 4104). The specific payload is withheld from this paper for security reasons; however, the observed behaviour was thoroughly documented:
| Observed Action | Technical Detail |
|---|---|
| Target identification | Script checked for CONSCTLX.EXE in C:\Program Files (x86)\eScan\ |
| Integrity check | MD5 hash of the existing file calculated to confirm the targeted version |
| Process termination | Running consctlx process stopped to allow file replacement |
| File replacement | Original executable renamed to esnews.bak |
| Payload deployment | Embedded Base64 payload decoded and GZIP-decompressed |
| Timestamp preservation | Timestamps on new CONSCTLX.EXE set to match the original, avoiding detection |
| Hosts file modification | Entries added to C:\Windows\System32\drivers\etc\hosts, redirecting eScan update servers to fake IP 4.5.6.0 |
| Registry persistence | Keys created under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options for espatch.exe variants, with Debugger value set to dllhost.exe |
| Status tracking | Status information stored in the registry, indicating structured, multi-stage deployment logic |
The script also checked for administrative privileges before execution and adjusted its behaviour accordingly - confirming the malware was engineered for long-term persistence, cross-reboot survival, and follow-on action.
Behavioural Reconstruction (Illustrative Example)
The following is a reconstruction based on observed behaviour. The actual script captured via Event ID 4104 is not published.

Phase 3: Intelligence Correlation
Leveraging open-source intelligence, Talanos SOC correlated observed endpoint activity with the confirmed eScan supply chain breach:
| Artifact | Details |
|---|---|
| Malicious file | reload.exe (SHA256 674943387CC7E0FD18D0D6278E6E4F7A0F3059EE6EF94E0976FAE6954FFD40DD) |
| Execution chain | TrayIcoc.exe → Commit_Updates /SERVICE → reload.exe |
| Date/time correlation | Execution logs matched the breach window (20 January 2026) |
| C2 infrastructure | vhs.delrosal.net, tumama.hns.to, 185.241.208.115 |
Outcome of Compromise
Once the malicious components were in place:
- The antivirus was rendered partially ineffective. The malware modified Eupdate.ini to display a recent update date in the eScan GUI, concealing from the user that updates had been silently blocked.
- Security definition updates were disabled via hosts file modification, and patch executables were blocked by Image File Execution Options registry keys.
- CONSCTLX.exe was replaced with a malicious executable that served three purposes: (1) persistent execution under a trusted process name to evade detection, (2) neutralisation of core AV protection while maintaining the appearance of normal operation, and (3) a fallback persistence layer via the scheduled task CorelDefrag, should the primary persistence be removed.
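The artifacts in the forensic findings table and in the outcome list above translate directly into host-level hunt logic. The following PowerShell is an added example written for this edit; it is not Talanos’s tooling, and it is not the withheld script or a reconstruction of it. It assumes the eScan install path observed in the findings (C:\Program Files (x86)\eScan), that legitimate eScan binaries carry a valid Authenticode signature, and that PowerShell Script Block Logging is enabled; the debugger value, backup filename and task name are the ones reported above.

```powershell
# Added example: hunt one endpoint for the eScan supply-chain artifacts described in this paper.
# Not Talanos tooling and not the withheld script. Run in an elevated PowerShell session.
# Assumptions: eScan lives under Program Files (x86)\eScan, genuine eScan binaries are validly
# signed, and Script Block Logging (Event ID 4104) is enabled on the host.

function Invoke-EscanArtifactHunt {
    [CmdletBinding()]
    param(
        [string]$EscanDir = "${env:ProgramFiles(x86)}\eScan",   # assumed install path
        [int]$LookbackDays = 30                                  # window for 4104 events
    )
    $findings = New-Object 'System.Collections.Generic.List[string]'

    # 1. IFEO Debugger hijacks (observed: Debugger = dllhost.exe on espatch.exe variants).
    #    The observed install path is under Program Files (x86), so check the WOW6432Node view too.
    $ifeoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    )
    foreach ($root in $ifeoRoots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($dbg -and $_.PSChildName -match '^(espatch|consctlx|reload|trayicoc|escan)') {
                $findings.Add("IFEO hijack: $($_.PSChildName) Debugger='$dbg'")
            }
        }
    }

    # 2. Hosts file sinkholing of eScan update servers (observed address: 4.5.6.0).
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
        Where-Object { $_ -notmatch '^\s*#' -and ($_ -match '(^|\s)4\.5\.6\.0(\s|$)' -or $_ -match 'escan') } |
        ForEach-Object { $findings.Add("Hosts sinkhole: $($_.Trim())") }

    # 3. Replaced CONSCTLX.EXE: signature no longer valid, plus the rename residue esnews.bak.
    $consctlx = Join-Path $EscanDir 'CONSCTLX.EXE'
    if (Test-Path -LiteralPath $consctlx) {
        $sig = Get-AuthenticodeSignature -FilePath $consctlx
        if ($sig.Status -ne 'Valid') {
            $hash = (Get-FileHash -Path $consctlx -Algorithm SHA256).Hash
            $findings.Add("CONSCTLX.EXE signature $($sig.Status); SHA256 $hash")
        }
    }
    if (Test-Path -LiteralPath (Join-Path $EscanDir 'esnews.bak')) {
        $findings.Add('Rename residue present: esnews.bak')
    }

    # 4. Fallback persistence: the CorelDefrag scheduled task, wherever it sits in the task tree.
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object TaskName -eq 'CorelDefrag' |
        ForEach-Object { $findings.Add("Scheduled task: $($_.TaskPath)$($_.TaskName) runs $($_.Actions.Execute)") }

    # 5. Script Block Logging: 4104 events whose script text carries the observed tradecraft strings.
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$LookbackDays)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'CONSCTLX|esnews\.bak|Image File Execution Options|drivers\\etc\\hosts' } |
        ForEach-Object { $findings.Add("4104 script block at $($_.TimeCreated) references eScan tampering") }

    return $findings
}

$result = @(Invoke-EscanArtifactHunt)
if ($result.Count -eq 0) { 'No eScan supply-chain artifacts found on this host.' }
else { $result | ForEach-Object { "[!] $_" } }
```

Each check is independent, so a host that has already been partially remediated (for example, hosts file cleaned but the CorelDefrag task left behind) still produces a finding. The 4104 search is the cheapest signal to push fleet-wide through a SIEM, since it does not require touching the eScan directory at all.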
Attribution: No threat actor has been publicly attributed to this attack at the time of writing. However, the level of preparation - deep familiarity with eScan’s internals, custom implants, and targeting of South Asian geographies - points to a sophisticated, well-resourced actor.
Capabilities enabled: Once installed, the malicious components were designed to maintain persistent C2 communication, download follow-on payloads (ransomware, infostealers), enable lateral movement, and exfiltrate sensitive data.
Phase 4: Recommendations & Resolution
We provided the following clear, actionable guidance to the customer:
- Immediate isolation: Affected devices were quarantined to prevent lateral spread.
- Vendor escalation: The customer was directed to eScan for the official remediation patch.
- Eradication: eScan was removed from affected devices and a full scan performed using an alternative trusted antivirus solution.
- Verification: Devices were onboarded into Microsoft Defender for full visibility.
- Network blocking: Firewall rules were implemented to block identified C2 infrastructure.
IOC Blocklist (Recommended for Firewall/EDR)
The indicators below are those identified during Phase 3 of this investigation:
- File hash (reload.exe), SHA256: 674943387CC7E0FD18D0D6278E6E4F7A0F3059EE6EF94E0976FAE6954FFD40DD
- C2 domains: vhs.delrosal.net, tumama.hns.to
- C2 IP address: 185.241.208.115
- Hosts file sinkhole address planted by the malware: 4.5.6.0 (a detection indicator for tampered hosts files, not a block target)
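As an added example (not Talanos’s or eScan’s tooling), the following PowerShell sweeps a host for the file, DNS and network indicators listed in this paper and then applies the outbound blocking described in Phase 4. The eScan install root and the use of Windows Defender Firewall as the enforcement point are assumptions; the hash, domains and IP address are the ones published above.

```powershell
# Added example: sweep one host for the published eScan IOCs, then block the C2 infrastructure.
# Not Talanos tooling. Run in an elevated session. Assumptions: eScan lives under
# Program Files (x86)\eScan and Windows Defender Firewall is the host enforcement point.

$IocSha256  = '674943387CC7E0FD18D0D6278E6E4F7A0F3059EE6EF94E0976FAE6954FFD40DD'  # reload.exe
$IocDomains = @('vhs.delrosal.net', 'tumama.hns.to')
$IocIps     = @('185.241.208.115')

function Invoke-EscanIocSweep {
    param([string]$SearchRoot = "${env:ProgramFiles(x86)}\eScan")  # assumed install root
    $hits = New-Object 'System.Collections.Generic.List[string]'

    # File IOC: every reload.exe under the eScan tree, hashed and compared to the published value.
    Get-ChildItem -Path $SearchRoot -Filter 'reload.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            if ($h -eq $IocSha256) { $hits.Add("File: $($_.FullName) matches known-bad SHA256") }
        }

    # DNS client cache: C2 names this host has resolved recently.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $IocDomains -contains $_.Entry } |
        ForEach-Object { $hits.Add("DNS cache: $($_.Entry) -> $($_.Data)") }

    # TCP table: live connections to the C2 address, with the owning process named.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object { $IocIps -contains $_.RemoteAddress } |
        ForEach-Object {
            $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            $hits.Add("TCP: $proc (PID $($_.OwningProcess)) -> $($_.RemoteAddress):$($_.RemotePort) $($_.State)")
        }
    return $hits
}

function Block-EscanC2 {
    # IP addresses: outbound block rules, created once (idempotent on DisplayName).
    foreach ($ip in $IocIps) {
        $name = "IR: block eScan C2 $ip"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
                -RemoteAddress $ip -Profile Any | Out-Null
        }
    }
    # Domains: the host firewall cannot match names, so sinkhole them in the hosts file
    # (the mirror image of the attacker's own technique). Prefer DNS RPZ or proxy blocks fleet-wide.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $current = @(Get-Content -Path $hostsPath -ErrorAction SilentlyContinue)
    foreach ($d in $IocDomains) {
        $pattern = '\s' + [regex]::Escape($d) + '(\s|$)'
        if (-not ($current | Where-Object { $_ -match $pattern })) {
            Add-Content -Path $hostsPath -Value "0.0.0.0 $d"
        }
    }
}

$sweep = @(Invoke-EscanIocSweep)
$sweep | ForEach-Object { "[!] $_" }
Block-EscanC2   # blocking applies regardless of sweep results; the sweep tells you who was already talking
```

The sweep runs before the block so that an existing connection to 185.241.208.115 is attributed to a process before the rule cuts it off; that process name is the next pivot in the investigation. Note that a hosts-file sinkhole is only as trustworthy as the hosts file itself, which this malware also edits, so treat it as a stopgap until DNS-layer blocking is in place.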
Conclusion
The eScan incident is a clear signal: adversaries are increasingly targeting the software supply chain, using trusted vendor mechanisms as their delivery system. Endpoint protection alone is no longer sufficient. Organisations need continuous threat hunting, forensic capability, and fast incident response - exactly what the Talanos SOC provides.
The Talanos SOC detected this threat through behavioural analysis rather than signature matching, demonstrating the value of an approach that looks for what an attack does, not just what it looks like.
References
1. MicroWorld Technologies, eScan Security Advisory ES-2026-001, January 2026.
2. BleepingComputer, “eScan confirms update server breached to push malicious update”, 28 January 2026.
3. Talanos SOC, Incident Response Logs, Case 2026-001: eScan Supply Chain Compromise.
4. Kaspersky Securelist, “eScan Supply Chain Attack”, https://securelist.com/escan-supply-chain-attack/118688/
5. Morphisec Threat Bulletin, “Critical eScan Supply Chain Compromise”, https://www.morphisec.com/blog/critical-escan-threat-bulletin/