
eScan Antivirus Supply Chain Attack: Malicious Update Delivers Malware to South Asian Users

By Rescana

Executive Summary

A supply chain attack has compromised the update channel of eScan Antivirus, a flagship product of MicroWorld Technologies. The attackers gained access to a regional update server and used it to push a maliciously modified build of the reload.exe component to every customer that received updates from that server. The incident shows that a trusted security vendor can itself become the delivery vector for malware. First detected in January 2026, the campaign mainly affected organizations and individuals in South Asia, with hundreds of confirmed infections. The malicious update chain combined an AMSI bypass, anti-analysis checks and multi-stage payload delivery, and it deliberately cut off the product's own update path so that a clean fix could not arrive the same way. The case underscores the need for third-party risk management and for monitoring the supply chain of security software itself.

Threat Actor Profile

The actors behind the eScan supply chain attack have not been publicly attributed to any known Advanced Persistent Threat (APT) group as of this writing. The technical sophistication of the operation, namely the compromise of a regional update server, the use of a fake code-signing certificate and the deployment of multi-stage, obfuscated payloads, points to a well-resourced and skilled adversary. The attackers showed detailed knowledge of eScan's internal architecture and update mechanism, and a clear intent to evade both endpoint security products and human analysts. The focus on South Asian targets, together with the infrastructure and TTPs (Tactics, Techniques and Procedures) observed, is consistent with the operational patterns of state-sponsored or well-organized criminal groups, but definitive attribution remains pending.

Technical Analysis of Malware/TTPs

The attack began with unauthorized access to a regional eScan update server, which was then used to distribute a trojanized reload.exe. The binary was placed in the product's default installation path (C:\Program Files (x86)\escan\reload.exe) and carried a signature from a forged certificate (serial 68525dadf70c773d41609ff7ca499fb5). A forged certificate does not chain to a trusted root, so it defeats only checks that look for the presence of a signature rather than validating it; proper Authenticode verification of the file should report the signature as not valid.

Upon execution, the malicious reload.exe first checked that it was running from the expected directory and exited otherwise, a simple anti-analysis measure. It then hosted the Common Language Runtime (CLR) in-process and loaded a .NET assembly (SHA1: eec1a5e3bb415d12302e087a24c3f4051fca040e), a modified build of the open-source UnmanagedPowerShell project, which runs PowerShell without launching powershell.exe. The modifications targeted the Antimalware Scan Interface (AMSI), the mechanism through which Windows hands script content to the installed antimalware engine for inspection.

The .NET loader executed a PowerShell script containing three Base64-encoded payloads:

The first payload tampered with eScan's own installation: it deleted components such as tvqsapp.exe, wrote ZIP backups to C:\ProgramData\esfsbk, and modified registry entries to add broad antivirus exclusions. It also edited the system hosts file so that eScan's legitimate update domains resolved to 2.3.4.0, an address unrelated to eScan, which cut the product off from genuine updates and from any fix delivered through them. Finally, it replaced the CONSCTLX.exe component with a malicious version that provides persistence, and wrote a debug log to C:\ProgramData\euapp.log.

The second payload patched the AmsiScanBuffer function in memory so that subsequent PowerShell content in the process was never handed to the antimalware engine for scanning.

The third payload validated the victim, checking for analysis tools and for competing security products (notably Kaspersky). If none of the blocklisted tools were found, it stored a persistent PowerShell payload in the registry and created a scheduled task named Microsoft\Windows\Defrag\CorelDefrag that runs it daily.

Persistence was reinforced by the malicious CONSCTLX.exe, which launched the PowerShell payload, recreated the scheduled task whenever it was deleted, and manipulated the eScan GUI to show a falsified recent update date, hiding from users the fact that updates had stopped.

Command and control (C2) used HTTPS GET requests to attacker-controlled domains, including vhs.delrosal[.]net, tumama.hns[.]to, blackice.sol-domain[.]org, codegiant.io, csc.biologii[.]net and airanks.hns[.]to. Collected system information was RC4-encrypted, Base64-encoded and carried in the Cookie header of those requests. In response, the C2 could deliver additional PowerShell scripts or RC4-encrypted shellcode for follow-on execution.

Exploitation in the Wild

The attack was first observed in the wild in January 2026, with hundreds of infections reported, predominantly in India, Bangladesh, Sri Lanka and the Philippines. Both individuals and organizations were affected, with no evidence of sector-specific targeting. The anti-analysis measures, in particular the blocklisting of security tools and the AMSI bypass, delayed detection by several days; once identified, the campaign was contained through coordinated efforts by eScan, third-party security vendors and threat intelligence researchers. No kernel-mode payloads or rootkits have been found; all observed activity was confined to user-mode processes.

Victimology and Targeting

The primary victims were eScan Antivirus customers in South Asia, both private individuals and organizations. The infection vector was indiscriminate: the compromised update server pushed the malicious component to every endpoint configured to receive updates from that region. There is no indication of targeting by industry vertical, organization size or specific high-value entities. The broad distribution and the absence of tailored payloads suggest the attackers wanted widespread initial access, to be monetized or used for espionage later.

Mitigation and Countermeasures

Immediate triage on each eScan endpoint should cover: the scheduled task Microsoft\Windows\Defrag\CorelDefrag; hosts-file entries that map eScan domains to 2.3.4.0; the presence of C:\ProgramData\euapp.log and C:\ProgramData\esfsbk; the registry key HKLM\Software\E9F9EEC3-86CA-4EBE-9AA4-1B55EE8D114E; and the value WTBases_new under HKLM\SOFTWARE\WOW6432Node\MicroWorld\eScan for Windows\ODS, which the malware set to 999. Because the first payload adds antivirus exclusions and replaces eScan components, the compromised product cannot be trusted to report its own state; these checks should be made with tools that do not depend on it.

Network monitoring should detect and block outbound connections to the known C2 domains: vhs.delrosal[.]net, tumama.hns[.]to, blackice.sol-domain[.]org, codegiant.io, csc.biologii[.]net and airanks.hns[.]to. Endpoints should be scanned with an independent tool for the indicators given above, in particular the .NET loader (SHA1 eec1a5e3bb415d12302e087a24c3f4051fca040e), a reload.exe signed with the certificate serial 68525dadf70c773d41609ff7ca499fb5, and a replaced CONSCTLX.exe.
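The following PowerShell triage script is an added example; it is not part of the Rescana post and is not eScan's remediation utility. It checks one host for the indicators listed in this section and in the technical analysis above: the scheduled task, the hosts-file redirection to 2.3.4.0, the dropped files, the two registry locations, the signature on reload.exe and DNS-cache evidence of the C2 domains. It goes slightly beyond the text by also flagging any non-comment hosts entry that names an eScan domain, not only those pointing at 2.3.4.0. The paths, task name, domains, registry locations and certificate serial are those given on this page; the function name, the output format and the read-only design are the example's own.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only host triage for the eScan supply-chain indicators described in this post.
# Every path, task name, domain, registry location and certificate serial below comes from the post;
# the function name, output format and the extra "any eScan domain in hosts" check are this example's own.

function Invoke-EscanTriage {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Daily scheduled task created by the third payload (and recreated by the malicious CONSCTLX.exe).
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Defrag\' -TaskName 'CorelDefrag' -ErrorAction SilentlyContinue
    if ($task) {
        $act = $task.Actions | Select-Object -First 1
        $findings.Add("Scheduled task: $($task.TaskPath)$($task.TaskName) -> $($act.Execute) $($act.Arguments)")
    }

    # 2. hosts file: eScan update domains redirected to 2.3.4.0 (any other eScan entry is flagged too).
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -notmatch '^\s*#' -and ($_ -match '^\s*2\.3\.4\.0\s' -or $_ -match 'escan') } |
        ForEach-Object { $findings.Add("hosts entry: $($_.Trim())") }

    # 3. Files dropped by the first payload.
    foreach ($p in 'C:\ProgramData\euapp.log', 'C:\ProgramData\esfsbk') {
        if (Test-Path -LiteralPath $p) { $findings.Add("Dropped artefact: $p") }
    }

    # 4. Registry: the key holding the persistent payload, and the ODS value the malware sets to 999.
    $payloadKey = 'HKLM:\SOFTWARE\E9F9EEC3-86CA-4EBE-9AA4-1B55EE8D114E'
    if (Test-Path -LiteralPath $payloadKey) { $findings.Add("Registry key present: $payloadKey") }
    $odsKey = 'HKLM:\SOFTWARE\WOW6432Node\MicroWorld\eScan for Windows\ODS'
    $ods = Get-ItemProperty -LiteralPath $odsKey -Name 'WTBases_new' -ErrorAction SilentlyContinue
    if ($ods -and $ods.WTBases_new -eq 999) { $findings.Add("Registry value WTBases_new = 999 under $odsKey") }

    # 5. reload.exe: a forged certificate cannot chain to a trusted root, so Status will not be 'Valid';
    #    the serial is the one reported for the trojanized build.
    $reload = 'C:\Program Files (x86)\escan\reload.exe'
    if (Test-Path -LiteralPath $reload) {
        $sig = Get-AuthenticodeSignature -FilePath $reload
        $serial = if ($sig.SignerCertificate) { $sig.SignerCertificate.SerialNumber } else { '<unsigned>' }
        if ($sig.Status -ne 'Valid' -or $serial -eq '68525DADF70C773D41609FF7CA499FB5') {
            $findings.Add("reload.exe signature: status=$($sig.Status) serial=$serial")
        }
    }

    # 6. DNS client cache: a hit means this host resolved a C2 domain since the cache was last flushed.
    $c2 = 'vhs.delrosal.net', 'tumama.hns.to', 'blackice.sol-domain.org',
          'codegiant.io', 'csc.biologii.net', 'airanks.hns.to'
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $c2 -contains $_.Entry.ToLower() } |
        ForEach-Object { $findings.Add("DNS cache hit: $($_.Entry) -> $($_.Data)") }

    return $findings
}

$result = @(Invoke-EscanTriage)
if ($result.Count -eq 0) { 'No eScan supply-chain indicators found on this host.' }
else { $result | ForEach-Object { "[!] $_" } }
```

Run it from an elevated session on each eScan endpoint and treat any line marked [!] as a host to isolate and image before remediation. Because the malware adds exclusions to eScan itself, the script deliberately reads the task scheduler, registry, file system and DNS cache directly rather than asking the installed product for its status; a clean result here does not prove the host is clean, only that none of the published indicators are present.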

eScan has released a remediation utility that removes the malware and restores antivirus functionality; it is available through eScan's official support channels and its signature should be verified before use, given that the attack itself relied on a forged certificate. Organizations are strongly advised to reset credentials associated with the affected update infrastructure and to review how third-party software updates reach their endpoints. Closer monitoring of endpoint security logs, application allow-listing, and regular validation of software update sources are recommended as long-term countermeasures.

References

Kaspersky Securelist: Supply chain attack on eScan antivirus (https://securelist.com/escan-supply-chain-attack/118688/)
SecurityWeek: eScan Antivirus Delivers Malware in Supply Chain Attack (https://www.securityweek.com/escan-antivirus-delivers-malware-in-supply-chain-attack/)
Morphisec: Critical eScan Threat Bulletin (https://www.morphisec.com/blog/critical-escan-threat-bulletin/)
Infosecurity Magazine: eScan Antivirus Supply Chain Breach Delivers Signed Malware (https://www.infosecurity-magazine.com/news/escan-antivirus-breach-delivers/)
IBM X-Force OSINT Advisory (https://exchange.xforce.ibmcloud.com/osint/guid:b3aed255317d4523803e39f180bc3488)
Reddit: eScan Antivirus Compromised (https://www.reddit.com/r/pwnhub/comments/1qs5tl3/escan_antivirus_compromised_malware_injection/)

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with advanced tools to continuously monitor, assess, and mitigate cyber risks across their entire digital supply chain. Our platform leverages real-time intelligence and automated workflows to help customers identify vulnerabilities, ensure compliance, and respond rapidly to emerging threats. For questions or further assistance, please contact us at ops@rescana.com.
