Earlier this month there was an incident that reminds us how fragile the software supply chain can be when a critical component, the updates themselves, ceases to be safe. The company behind the eScan antivirus confirmed that a server responsible for distributing updates was compromised and that, during a short window on 20 January 2026, an unauthorized package was delivered to some customers and later identified as malicious.
According to the company itself, the attack took advantage of the update infrastructure, not a direct failure in the antivirus engine. MicroWorld Technologies explained that the intrusion allowed the attackers to place a file on the update distribution path of a regional cluster, so that the machines that queried that server over an interval of approximately two hours received the altered binary.

The company stated that it detected the anomaly internally on that same 20 January thanks to monitoring and customer reports, that it isolated and rebuilt the affected infrastructure within hours, and that it rotated the relevant credentials. eScan also published an advisory and made a remediation update available to affected customers, aimed at reversing the unauthorized changes and restoring the ability to receive definitions and patches.
However, the accounts of the discovery did not agree. The security firm Morphisec published a technical analysis describing the malicious activity observed on endpoints and linking it to updates delivered by eScan during the same time window. The public clash between the vendor and the research firm over who first discovered and reported the incident shows how quickly such incidents become politicized and how important transparency in communication is. Morphisec's technical report is available as a bulletin on its blog: Morphisec - Threat bulletin.
According to Morphisec's analysis, the malicious package contained a modified version of a legitimate eScan component known as Reload.ex. Although that modified binary was signed with what looked like an eScan certificate, the signature failed verification both by Windows and by analysis services such as VirusTotal. Morphisec attributes to that component the ability to persist on the system, run remote instructions, alter the HOSTS file to block the legitimate update channel, and communicate with command and control (C2) servers to download later payloads.
The technical report includes a list of domains and IP addresses associated with the observed traffic; for safety reasons, and to avoid accidental connections, such indicators are usually shared in obfuscated (defanged) form in the analysis. The final payload documented in multiple cases was identified as CONCTLX.exe, an executable that acts as a backdoor and persistent download manager. Morphisec also documented that the malicious samples created scheduled tasks to ensure they ran at startup, with names chosen to pass unnoticed.
eScan published a remediation update that, according to the company, automates the correction of the unauthorized modifications, restores update functionality and verifies that the restoration succeeded, requiring a standard reboot at the end of the process. In addition, both the company and the researchers recommend blocking access to the identified command and control servers to cut off any further communication with the attacker's infrastructure.
The underlying problem is trust in the supply chain. An antivirus is supposed to defend us, but if the channel that distributes its own updates is compromised, that same mechanism becomes an attack tool. This is not the first time something like this has happened: intrusions targeting update mechanisms have been exploited by persistent actors in recent years, and the main lesson is that security must extend beyond the product to its entire delivery infrastructure. For context on earlier supply chain incidents, the SolarWinds crisis and its analyses remain required reading, for example Microsoft's analysis: Microsoft - Solorigate analysis.
For administrators and users, what practical steps make sense now? First, run the official eScan remediation tool if the system was affected; second, manually check indicators such as the HOSTS file and scheduled tasks, and review running processes and binaries for invalid signatures. It is also prudent to block the identified C2 addresses and, in corporate environments, to launch a full forensic response to determine scope and possible lateral movement. Morphisec and eScan have both suggested blocking the observed C2 and reviewing system integrity; Morphisec's bulletin provides further technical detail and the relevant hashes.
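The manual checks just listed, collected into one triage script. This is an added example and not eScan's remediation tool or Morphisec's code: it reads the HOSTS file for overrides of the update hostnames, lists scheduled tasks that launch the documented payload name or run from user-writable folders, flags running processes whose Authenticode signature fails to verify, and matches established connections against a C2 list. The update hostnames and C2 addresses are placeholders to be filled from the vendor advisory and the Morphisec bulletin; CONCTLX.exe is the payload name cited above.

```powershell
# Added triage script (not from eScan or Morphisec). The placeholder values below
# must be replaced with the indicators published in the vendor advisory and bulletin.
#Requires -RunAsAdministrator

# Assumed / placeholder indicators
$UpdateHosts  = @('UPDATE-HOST-PLACEHOLDER.example')   # replace with eScan's update FQDNs
$PayloadNames = @('CONCTLX.exe')                        # payload name cited in the Morphisec bulletin
$C2Indicators = @('C2-IP-PLACEHOLDER')                  # replace with the published C2 list (IP form)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. HOSTS file: a line that maps an update host to an unexpected address blocks
#    legitimate updates, which is the behaviour the report describes.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath | ForEach-Object {
    $line = $_.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { return }   # skip blanks and comments
    $fields = $line -split '\s+'
    if ($fields.Count -lt 2) { return }
    foreach ($n in $fields[1..($fields.Count - 1)]) {
        if ($UpdateHosts -contains $n.ToLower()) {
            $findings.Add("HOSTS override for update host: '$line'")
        }
    }
}

# 2. Scheduled tasks used for persistence: report tasks whose action launches a
#    documented payload name, or that run a program from a user-writable location.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }                  # COM-handler actions have no Execute
        $exe = [IO.Path]::GetFileName($a.Execute.Trim('"'))
        if ($PayloadNames -contains $exe) {
            $findings.Add("Scheduled task '$($task.TaskPath)$($task.TaskName)' runs documented payload $exe")
        }
        elseif ($a.Execute -match '\\(Temp|AppData|ProgramData|Public)\\') {
            $findings.Add("Scheduled task '$($task.TaskName)' runs from user-writable path: $($a.Execute)")
        }
    }
}

# 3. Running processes whose on-disk image carries a signature that does not verify.
#    The trojanized component was signed with an eScan-looking certificate that failed
#    verification; any Status other than Valid or NotSigned is reported.
Get-Process | Where-Object Path | Select-Object -ExpandProperty Path -Unique | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_
    if ($sig.Status -ne 'Valid' -and $sig.Status -ne 'NotSigned') {
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        $findings.Add("Signature status $($sig.Status) on $_ (signer: $subject)")
    }
}

# 4. Established connections to listed C2 addresses. Populate the list with IPs
#    resolved offline so the script itself never contacts the attacker infrastructure.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
    if ($C2Indicators -contains $_.RemoteAddress) {
        $findings.Add("Established connection to listed C2 $($_.RemoteAddress) from PID $($_.OwningProcess)")
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

Run it from an elevated PowerShell session; any finding is a reason to preserve the machine for forensic collection before applying the remediation update, since the update reverts the very artifacts the investigation needs.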
This incident puts back on the table the need for infrastructure segmentation, frequent credential rotation, comprehensive monitoring of update paths and, above all, robust integrity checks that make it hard to replace legitimate components with altered ones. The affected company insists that the problem was not a vulnerability in the product itself but unauthorized access to the configuration of a regional update server; the distinction matters, but the outcome for the customer can be the same: execution of unwanted code on their machines.
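One way to make those "robust integrity checks" concrete, as an added example that is not part of eScan's product or update process: a PowerShell gate that refuses to hand a downloaded package to the installer unless its SHA-256 matches a manifest obtained over a separate channel and its Authenticode signature both verifies and chains to a pinned vendor certificate thumbprint. The manifest layout, the function name and the thumbprint parameter are assumptions made for this example.

```powershell
# Added example (not eScan's or Morphisec's code): an integrity gate to place in front
# of a self-update step. A swapped binary fails the hash check; a binary signed with a
# wrong, look-alike or untrusted certificate fails the signer check. Both must pass.
param(
    [Parameter(Mandatory)] [string] $PackagePath,
    [Parameter(Mandatory)] [string] $ManifestPath,     # assumed JSON: { "files": { "<name>": "<sha256>" } }, fetched out-of-band
    [Parameter(Mandatory)] [string] $PinnedThumbprint  # placeholder: thumbprint of the vendor's code-signing certificate
)

function Test-UpdatePackage {
    param($PackagePath, $ManifestPath, $PinnedThumbprint)

    $manifest = Get-Content -Raw $ManifestPath | ConvertFrom-Json
    $name     = [IO.Path]::GetFileName($PackagePath)
    $expected = $manifest.files.$name
    if (-not $expected) {
        return @{ Ok = $false; Reason = "no manifest entry for $name" }
    }

    # Check 1: the content hash must match the manifest obtained over a separate channel,
    # so tampering with the distribution server alone is not enough.
    $actual = (Get-FileHash -Algorithm SHA256 -Path $PackagePath).Hash
    if ($actual -ne $expected) {
        return @{ Ok = $false; Reason = "hash mismatch: expected $expected, got $actual" }
    }

    # Check 2: Authenticode must verify (Status Valid covers the chain and timestamp) and
    # the leaf certificate must be the pinned one, not merely a certificate that looks right.
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if ($sig.Status -ne 'Valid') {
        return @{ Ok = $false; Reason = "signature status $($sig.Status)" }
    }
    if ($sig.SignerCertificate.Thumbprint -ne $PinnedThumbprint) {
        return @{ Ok = $false; Reason = "signer $($sig.SignerCertificate.Thumbprint) is not the pinned vendor certificate" }
    }

    return @{ Ok = $true; Reason = 'hash and signer verified' }
}

$result = Test-UpdatePackage -PackagePath $PackagePath -ManifestPath $ManifestPath -PinnedThumbprint $PinnedThumbprint
if ($result.Ok) {
    Write-Output "OK: $PackagePath ($($result.Reason)); safe to hand to the installer"
} else {
    Write-Error "REFUSED: $PackagePath ($($result.Reason))"
    exit 1
}
```

The two checks are deliberately independent: the manifest defends against a server that serves the wrong bytes, and the pinned signer defends against a package whose signature is technically valid but was issued to someone other than the vendor. In the incident described here the signature did not even verify, so the first failing check would already have stopped the binary.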

No less relevant is communication with customers: eScan says it proactively contacted the affected users while it prepared the remediation, and rejects the narrative that customers were left uninformed. In situations like this, public perception and effective crisis management matter as much as technical containment, because trust is one of the most fragile assets a security company has.
For those who want to dig into the published technical evidence, Morphisec's analysis is on its blog, and the files uploaded to static analysis services such as VirusTotal (CONSCTLX.exe) can be consulted there. For the media coverage and official statements, specialized outlets such as BleepingComputer tend to update quickly while a case is developing.
In the end, the lesson for companies and users is clear: relying on a product is not enough; one must monitor how its parts are distributed, demand transparency and have operational and response plans that consider the possibility that the update channel itself can be manipulated. Modern defense is a combination of product, process and continuous surveillance, and when one of those layers fails, the attacker can turn the protection tool into their preferred vector.