Top antivirus hacked to push out a malicious update - find out if you're affected

  • Users report issues with eScan antivirus
  • Internal investigation found threat actor infiltrated systems
  • Update servers were used to send out malware, so users warned to be on their guard

Popular antivirus program eScan was hijacked and used as a malware launchpad, experts have warned.

MicroWorld Technologies, the company behind eScan, recently began receiving customer reports on issues surrounding the antivirus program.

After an internal investigation, the company determined that an unidentified threat actor broke into one of the update servers and used it to distribute a software update laced with malware.

Delivering a backdoor

“Unauthorized access to one of our regional update server configurations resulted in an incorrect file (patch configuration binary/corrupt update) being placed in the update distribution path,” the company told BleepingComputer.

“This file was distributed to customers downloading updates from the affected server cluster during a limited timeframe on January 20, 2026.”

That timeframe, according to the same source, is roughly two hours. We don’t know exactly how many customers downloaded the update during that window, but MicroWorld Technologies said that the affected infrastructure was isolated and credentials refreshed. The company also reached out to affected customers to help with remediation efforts.

The eScan product itself was not tampered with, and victims seem to be limited to a specific regional cluster.

Security researchers from Morphisec, who analyzed the malicious payload, said it was multi-stage malware designed for enterprise and consumer endpoints. Named CONSCTLX, it acts as a backdoor and persistent downloader, allowing threat actors to remain on the device, run commands, modify the Windows HOSTS file, and connect to the C2 infrastructure for additional payloads.

At this time, it is unknown who was behind the attack, but BleepingComputer notes that back in 2024, North Korean cybercriminals were seen exploiting the update mechanism in eScan to infect corporate networks with various backdoors.

MicroWorld Technologies does not reveal how many customers use eScan, other than stating that it has helped “millions” so far.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
