The eScan antivirus update infrastructure, developed by the Indian firm MicroWorld Technologies, was compromised and used to distribute a malicious loader to both corporate and home machines. In short, the attackers were able to insert a harmful update into a channel that millions of users trust to receive patches, making the incident a particularly dangerous example of a supply chain attack.
The intrusion was detected on 20 January 2026 and, according to the company itself, it affected a subset of customers who received automatic updates from a regional cluster over a period of just two hours. MicroWorld isolated the compromised servers, which remained out of service for more than eight hours, and has published a fix to undo the changes caused by the malicious update. Its formal statement is available in the technical bulletin published on 22 January: eScan Security Advisory (PDF).

The first alert came from the Morphisec research team, which described how a legitimate update was used to distribute a malicious executable called reload.exe that acts as a launcher. The analysis is available at: Morphisec: Critical eScan threat bulletin. Independent researchers, including Kaspersky, have analysed the techniques used and the mechanics of the attack in more depth: their technical report explains how the altered binary replaces legitimate components and prevents the product from receiving subsequent updates, among other actions documented by Kaspersky.
In technical terms, the legitimate reload.exe file (usually located at C:\Program Files (x86)\eScan\reload.exe) was replaced by a malicious version. This fraudulent file carries a fake digital signature and contains code capable of running PowerShell from within native processes, built on a modified version of the UnmanagedPowerShell project. The attackers added the ability to circumvent the Windows Antimalware Scan Interface (AMSI), making it harder for the system's native defences to detect it. For those who want to review the AMSI documentation, Microsoft keeps it here: Antimalware Scan Interface (AMSI).
The malicious behaviour was deployed in several stages. The malicious reload.exe runs three Base64-encoded payloads that, among other things, manipulate eScan's own installation to prevent new updates and run local checks. These checks serve to decide whether a machine is a viable target: they enumerate installed programs, running processes and services, comparing everything against a hard-coded list that includes analysis tools and security products; if certain products are detected, the attackers abort the infection to avoid analysis environments.
If the machine passes these checks, the loader contacts attacker-controlled servers and downloads two components: a binary called CONSCTLX.exe and a second PowerShell payload that is configured to run regularly, for example through scheduled tasks, ensuring persistence. The CONSCTLX.exe component also modifies internal update markers (it writes the current date into C:\Program Files (x86)\eScan\Eupdate.ini) to give the appearance that the antivirus continues to work and receive updates normally.
In addition to preventing updates, the malicious code can alter the HOSTS file to block communications with legitimate servers, complicating automatic restoration of the product. You can check the hashes and public samples that the researchers have uploaded to VirusTotal, such as the entries for reload.exe and CONSCTLX.exe: reload.exe in VirusTotal and CONSCTLX.exe in VirusTotal.
Regarding the scope, Kaspersky indicates that its telemetry detected attempts to infect hundreds of machines, both personal and business, mainly concentrated in India, Bangladesh, Sri Lanka and the Philippines. This geographical distribution suggests that the campaign was targeted at, or at least spread more intensively in, the region where the product has its largest presence.
MicroWorld has not publicly detailed which of its regional servers was compromised or the exact initial access mechanism, but expert analysis suggests that the attackers had to study the eScan update architecture in depth to manipulate it successfully. Understanding and subverting an antivirus product's update process is not trivial, which underlines the sophistication required to run this kind of supply chain attack.
The gravity of the incident lies in the trust inherent in security updates. When the distribution channel of an antivirus is corrupted, the damage potential is multiplied: the software that is supposed to protect you ends up becoming an attack vector. This is why experts describe these cases as particularly worrying and unusual in the broader cyberthreat landscape.

For organizations and administrators, the immediate recommendation is to contact MicroWorld to obtain the official fix and follow the remediation guidelines that the manufacturer has published. At the same time, it is advisable to check for indicators of compromise related to the behaviours described above: modified executables in the eScan folder, changes to the Eupdate.ini file, unexpected entries in the HOSTS file, suspicious scheduled tasks, and processes that run PowerShell with encoded payloads. Performing a forensic analysis, isolating affected machines and, where appropriate, restoring from clean images are prudent actions while complete clean-up is being confirmed.
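The indicators listed above can be checked with a short host triage script. The following is an added example written for this article, not code from MicroWorld, Kaspersky or Morphisec; it assumes the default eScan installation path named in the article, and the known-bad hashes and vendor domain patterns are placeholders to be filled in from the published advisories.

```powershell
# Added triage script for the eScan indicators described in the article.
# Assumptions: default install path from the article; the SHA-256 values
# below are PLACEHOLDERS that must be replaced with the hashes from the
# published advisories / VirusTotal entries before use.
$EscanDir = 'C:\Program Files (x86)\eScan'
$KnownBad = @('<SHA256 of malicious reload.exe from advisory>',
              '<SHA256 of malicious CONSCTLX.exe from advisory>')
$Findings = @()

# 1. Executables in the eScan folder: Authenticode status and known-bad hash match.
Get-ChildItem -Path $EscanDir -Filter *.exe -ErrorAction SilentlyContinue | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    if ($sig.Status -ne 'Valid') {
        $Findings += "Signature not valid ($($sig.Status)): $($_.FullName)"
    }
    if ($KnownBad -contains $hash) {
        $Findings += "Known-bad hash: $($_.FullName) $hash"
    }
}

# 2. Eupdate.ini: the malware rewrites the update date to look healthy, so record
#    when it was last written and compare against the host's real update history.
$ini = Join-Path $EscanDir 'Eupdate.ini'
if (Test-Path $ini) {
    $Findings += "Eupdate.ini last written: $((Get-Item $ini).LastWriteTime)"
}

# 3. HOSTS file: flag non-comment entries that reference the vendor (pattern is an assumption).
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
Get-Content $hostsFile | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } | ForEach-Object {
    if ($_ -match 'escan|microworld') { $Findings += "HOSTS entry references vendor: $_" }
}

# 4. Scheduled tasks whose action launches PowerShell with an encoded command.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | Where-Object { $_.Execute -match 'powershell' -and $_.Arguments -match '-e(nc|ncodedcommand)?\s' } |
        ForEach-Object { $Findings += "Encoded PowerShell task: $($task.TaskPath)$($task.TaskName) -> $($_.Arguments)" }
}

# 5. Live PowerShell processes started with an encoded command line.
Get-CimInstance Win32_Process -Filter "Name LIKE 'powershell%'" |
    Where-Object { $_.CommandLine -match '-e(nc|ncodedcommand)?\s' } |
    ForEach-Object { $Findings += "Encoded PowerShell process PID $($_.ProcessId): $($_.CommandLine)" }

if ($Findings) { $Findings | ForEach-Object { Write-Output $_ } } else { Write-Output 'No indicators found' }
```

Run it from an elevated PowerShell session so that scheduled tasks and the process list of all users are visible; findings are leads for the forensic analysis the article recommends, not proof of compromise on their own.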
The case of eScan brings a critical lesson back to the fore: security cannot depend on a single element of trust. Organizations should combine update integrity controls, behavior monitoring, network segmentation and digital signature verification to mitigate the risk of legitimate components being used against them. The industry as a whole also needs to improve transparency and verification mechanisms for software supply chains.
For more detail on the technical findings and official recommendations, the Kaspersky analysis can be found on Securelist, Morphisec's advisory on its blog and the MicroWorld statement in its official bulletin. Staying informed and acting quickly remains the best defence against such threats.