eScan antivirus updates delivered GuptiMiner
Attackers used eScan's legitimate update infrastructure to ship a trojanized Reload.exe. The payload disabled updates, planted persistence, and contacted C2 infrastructure.
Story
On January 20, 2026, eScan customers received a malicious antivirus component through the product's legitimate update path. eScan's advisory said unauthorized access to one regional update server configuration placed an unauthorized file in the update distribution path for roughly two hours. Morphisec detected and blocked activity the same day, and Kaspersky later confirmed the supply-chain route.
The substituted file was Reload.exe, normally located at C:\Program Files (x86)\eScan\reload.exe. The attacker gave the binary a fake, invalid digital signature and made it run only from the expected Program Files path. Once launched, it initialized the CLR inside the process and loaded a small .NET executable derived from UnmanagedPowerShell.
The PowerShell chain first attacked the security product itself. It deleted or backed up selected eScan files, added broad antivirus exclusions, tried to map eScan update hosts to 2.3.4.0 in the hosts file, and changed database registry values. It wrote a debug log to C:\ProgramData\euapp.log and replaced CONSCTLX.exe with a persistent payload.
Persistence had two paths. One payload stored encoded PowerShell in HKLM\Software\E9F9EEC3-86CA-4EBE-9AA4-1B55EE8D114E and launched it through the scheduled task Microsoft\Windows\Defrag\CorelDefrag. Another ran through the replaced CONSCTLX.exe, kept the eScan GUI update date looking fresh, and could fetch RC4-encrypted shellcode from fallback C2 infrastructure. eScan isolated and rebuilt the affected infrastructure, rotated credentials globally, and told affected customers to run remediation tooling.
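The hosts-file tampering and the published hashes above are the two artifacts a responder can check offline without touching the product. The following Python is an added example, not code from eScan, Morphisec, or Kaspersky: it parses a hosts file and flags any entry that maps a watched vendor domain elsewhere or points at the 2.3.4.0 sinkhole address named in the story, and it matches a file's SHA-256 against the three hashes listed in this record. The watched-domain list and the sample hosts content are constructed assumptions for the demonstration.

```python
import hashlib
from typing import Dict, Iterable, Iterator, List, Tuple

# Hashes copied from the incident record above (three of the ten listed).
KNOWN_BAD_SHA256 = {
    "36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860",
    "674943387cc7e0fd18d0d6278e6e4f7a0f3059ee6ef94e0976fae6954ffd40dd",
    "386a16926aff225abc31f73e8e040ac0c53fb093e7daf3fbd6903c157d88958c",
}

# Address the payload used to blackhole eScan update hosts, per the story.
SINKHOLE_IP = "2.3.4.0"

# Assumption: vendor domains whose presence in a hosts file is itself suspicious.
# escanav.com and mwti.net appear in the record; extend for your environment.
WATCHED_DOMAINS: Tuple[str, ...] = ("escanav.com", "mwti.net")


def parse_hosts(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text.

    Strips comments, skips blank or malformed lines, and expands lines that
    map several hostnames to one address (a common hosts-file layout).
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts
        for name in names:
            yield line_no, ip, name.lower().rstrip(".")


def _is_watched(hostname: str, watched: Iterable[str]) -> bool:
    return any(hostname == d or hostname.endswith("." + d) for d in watched)


def find_hosts_tampering(
    text: str,
    watched: Iterable[str] = WATCHED_DOMAINS,
    sinkhole: str = SINKHOLE_IP,
) -> List[Dict[str, object]]:
    """Return findings for entries that redirect a watched domain or use the sinkhole IP."""
    findings: List[Dict[str, object]] = []
    for line_no, ip, host in parse_hosts(text):
        reasons = []
        if _is_watched(host, watched):
            reasons.append("vendor update host overridden in hosts file")
        if ip == sinkhole:
            reasons.append(f"maps to sinkhole address {sinkhole}")
        if reasons:
            findings.append({"line": line_no, "ip": ip, "host": host, "reasons": reasons})
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_known_bad(data: bytes) -> bool:
    """True when the file content hashes to one of the published IoCs."""
    return sha256_hex(data) in KNOWN_BAD_SHA256


# Constructed sample hosts content; the 2.3.4.0 line models the tampering described above.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1 localhost
2.3.4.0 update.escanav.com download1.mwti.net   # blackholed vendor hosts
10.0.0.5 intranet.example.local
"""

if __name__ == "__main__":
    for f in find_hosts_tampering(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['ip']} -> {f['host']}: {'; '.join(f['reasons'])}")
    # Example of the hash check on constructed bytes (not a real sample).
    print("known bad:", is_known_bad(b"constructed placeholder content"))
```

On a live host, read `C:\Windows\System32\drivers\etc\hosts` and pass its text to `find_hosts_tampering`; any hit on a vendor domain warrants checking the other persistence artifacts the record names (the registry key, the scheduled task and `C:\ProgramData\euapp.log`).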
Affected Artifacts
- Observed: 2026-01-20 to 2026-01-21
- Compromised Versions: Unknown
- Fixed: Not listed
- Hashes:
  - sha256:36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860
  - sha256:674943387cc7e0fd18d0d6278e6e4f7a0f3059ee6ef94e0976fae6954ffd40dd
  - sha256:386a16926aff225abc31f73e8e040ac0c53fb093e7daf3fbd6903c157d88958c
  - +7 more
- Evidence: distribution: escanav.com, mirror: securelist.com/escan-supply-chain-attack/118688, mirror: morphisec.com/blog/critical-escan-threat-bulletin, file: Reload.exe, +23 more
  - eScan advisory ESCAN-2026-001 said the unauthorized file was distributed from a single regional update server cluster for approximately two hours on January 20, 2026.
  - Kaspersky reported hundreds of encountered infection attempts, mostly in South Asia, including India, Bangladesh, Sri Lanka, and the Philippines.
  - Morphisec reported that eScan isolated the affected infrastructure and took the global update system offline for more than eight hours on January 21, 2026.
Incident Context
- Motive: Remote Access Persistence
- Attribution: Group
- Cause: Compromised Infrastructure
- Transitive: No
- Actor: Third Party
External References
- eScan Security Advisory ESCAN-2026-001 (download1.mwti.net)
- Threat Bulletin: Critical eScan Supply Chain Compromise (morphisec.com)
- Supply chain attack on eScan antivirus: detecting and remediating malicious updates (securelist.com)
- eScan confirms update server breached to push malicious update (bleepingcomputer.com)
- Top antivirus hacked to push out a malicious update - find out if you're affected (techradar.com)
Source record: proprietary/escan/meta.yaml