eScan Antivirus Update Infrastructure Compromise
BLUF
Attackers compromised a regional update server of eScan Antivirus (MicroWorld Technologies) to distribute a persistent downloader disguised as a legitimate software update.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by the trojanized eScan antivirus update distributed via a compromised update server, the financial impact extends well beyond malware cleanup, driven by endpoint scale, incident duration, and trust degradation in core security tooling.
· Low-end total cost: $450K – $900K
o (limited endpoint exposure, rapid detection, no secondary payload execution)
· Typical expected range: $1.8M – $4.2M
o (enterprise-wide endpoint exposure, staged remediation, moderate downtime)
· Upper-bound realistic scenarios: $6.5M – $12M
o (delayed discovery, secondary backdoors deployed, regulatory scrutiny)
Key Cost Drivers
· Number of endpoints receiving the compromised update package
· Time to detection before stage-two payload execution
· Requirement to reimage systems versus in-place remediation
· Disruption caused by disabling or replacing endpoint protection tooling
· Regulatory reporting thresholds triggered by persistence or C2 activity
Targeted Sectors
· Enterprise endpoints
· Consumer endpoints
Countries Targeted
· Global
· India
Date of First Reported Activity
· January 20, 2026
Date of Last Reported Activity Update
· January 29, 2026
APT Groups
· Not known at this time
Criminal Organizations
· Not known at this time
IOCs
Command and control servers reportedly observed
· hxxps://vhs.delrosal.net/i
· hxxps://tumama.hns.to
· hxxps://blackice.sol-domain.org
· hxxps://codegiant.io/dd/dd/dd.git/download/main/middleware.ts
· 504e1a42.host.njalla.net
· 185.241.208.115
· Filename
o Reload.exe (trojanized version).
· Malicious Accounts
o cloud-noc@mail[.]io
o cloud-init@mail[.]io (linked to related Fortinet activity).
Host-Based Persistence & Behavioral Indicators
· Scheduled Tasks
o Suspicious entries located under Windows\Defrag\, often disguised as Windows defragmentation tasks.
· Registry Keys
o Suspicious registry keys with GUID-based names containing encoded data.
o Modifications to eScan registry settings to disable the update service.
· Digital Certificate
o Payloads were signed with a stolen or compromised eScan code-signing certificate (though some signatures were reported as invalid).
· Service Failures
o "Update service failure" or "Update unavailability" popups on client machines.
Tools Used
· Trojanized update packages
· Persistent downloaders
Malware Names
· Reload.exe (modified)
· Persistent downloader
Malware Samples
Reload.exe
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Malware Family
· Multi-stage Backdoor and Downloader
Known Decoding Key
· While specific encryption keys for the payload have not been publicly listed in initial bulletins, the malware utilizes an invalid code-signing certificate originally belonging to MicroWorld (eScan) to bypass trust mechanisms.
Verdict
· Critical Malicious / Supply Chain Attack
Primary Objectives
Persistence
· Establish long-term access via Windows Defragmentation job-spoofing and registry keys.
Anti-Remediation
· Modify the Windows HOSTS file and eScan registry to block remote updates, preventing the antivirus from receiving legitimate patches
Payload Delivery
· Act as a stage-one loader for more advanced payloads like the CONSCTLX.exe backdoor.
Behavior Analysis
Execution
· Replaces the legitimate 32-bit Reload.exe during the update process.
Evasion
· Uses valid-looking (but invalid/revoked) certificates and disguises itself as legitimate system tasks.
C2 Communication
· Connects to domains such as vhs.delrosal.net, tumama.hns.to, and blackice.sol-domain.org to fetch stage-two payloads.
CONSCTLX.exe
SHA256
8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
Malware Family
· Classified as a Multi-stage Trojan/Backdoor involving downloaders and 64-bit remote access tools.
Known Decoding Key
· Currently not publicly disclosed in technical bulletins. The malware primarily uses stolen or compromised eScan digital certificates to appear legitimate and bypass trust mechanisms.
Verdict
· Malicious / High Risk.
o Confirmed by MicroWorld Technologies (eScan) and third-party labs like Morphisec as a supply chain compromise.
Primary Objectives
Remote Access
· Deploying a 64-bit backdoor for full command-and-control over the host.
Anti-Remediation
· Modifying the Windows hosts file and registry settings to block the system from reaching legitimate update servers, preventing automated patches.
Persistence
· Utilizing Windows Defragmentation (WindowsDefrag) job-spoofing tasks and specific registry keys to maintain a presence after reboot.
Behavioral Analysis
Delivery
· Distributed via eScan's legitimate update mechanism during a specific two-hour window on January 20, 2026.
Sideloading
· Once the package is unpacked, it often uses DLL side-loading with clean binaries to execute shellcode and intermediary loaders.
Infrastructure Tampering
· Actively alters security-related registry keys and hijacks the Reload.exe component to facilitate the attack chain.
TTPs
Initial Access & Execution
· T1195.002 Supply Chain Compromise: Compromised Software Dependencies
o Attackers breached eScan's regional update servers to distribute malicious updates to customers.
· T1584.005 Compromise Infrastructure: Update Server
o Adversaries compromised the legitimate update infrastructure of the antivirus vendor.
· T1553.002 Subvert Trust Controls: Code Signing
o The malicious updates were digitally signed with a stolen or compromised eScan certificate, allowing them to appear legitimate.
· T1204.002 User Execution: Malicious File
o The malicious code was delivered via an automated "Reload.exe" update component.
· T1543.003 Create or Modify System Process: Windows Service
o The malware maintained persistence by creating scheduled tasks, often disguised as legitimate system maintenance tasks like "CorelDefrag".
· T1071.001 Application Layer Protocol: Web Protocols
o The malware used HTTP/HTTPS to connect to command-and-control (C2) infrastructure.
· T1562.001 Impair Defenses: Disable or Modify Tools
o The malware modified the Windows HOSTS file and tampered with eScan registry settings to block future updates and prevent remediation.
· T1110 Brute Force
o Potentially used to gain access to the update server
· T1059 Command and Scripting Interpreter
o Used to drop and execute the 64-bit backdoor
Persistence & Defense Evasion
· T1053.005 Scheduled Task/Job: Scheduled Task
o The malware maintained persistence by creating scheduled tasks disguised as legitimate Windows services, such as "CorelDefrag".
· T1553.002 Subvert Trust Controls: Code Signing
o Malicious updates were digitally signed with a compromised eScan certificate to bypass trust mechanisms, though some signatures appeared invalid.
· T1564.010 Hide Artifacts: Process Ghosting/Job Spoofing
o Adversaries leveraged Windows defragmentation job-spoofing to hide their activity.
· T1112 Modify Registry
o The malware altered eScan-specific registry keys and created new keys with random GUIDs to maintain a foothold and block updates.
· T1562.001 Impair Defenses: Disable or Modify Tools
o Attackers modified the Windows hosts file to point eScan update domains to loopback addresses, preventing remediation through official patches.
Command & Control (C2)
· T1071.001 Application Layer Protocol: Web Protocols
o The stage 2 downloader and stage 3 backdoor (CONSCTLX.exe) established communication with C2 infrastructure for further payload delivery.
· T1105 Ingress Tool Transfer
o The malware functioned as a persistent downloader to pull additional malicious components from remote servers.
Mitigation
· MicroWorld isolated the affected infrastructure and took the global update system offline for 8+ hours on January 20, 2026.
Suggested rules / potential hunts
As a reminder, these are indicator rules. They are likely to be noisy.
For best results consider creating a data model and reviewing the traffic as a report.
Suricata
Monitor for non-standard eScan update traffic or connections to known command-and-control (C2) domains identified in Morphisec’s Threat Bulletin.
Rule Concept (C2 & Exfiltration):
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE eScan Compromise C2 Activity Observed"; flow:established,to_server; content:"/update/"; http_uri; pcre:"/updll62\.dlz|version\.dll/Ui"; classtype:trojan-activity; sid:1000001; rev:1;)
Rule Concept (Hosts File Modification): Monitor for anomalous DNS traffic or HTTP requests to eScan domains that might indicate local hosts file tampering.
SentinelOne
Persistence via Scheduled Tasks
Look for specific task names used to maintain access.
ObjectType = "Scheduled Task" AND (TaskName = "CorelDefrag" OR TaskName CONTAINS "WindowsDefrag")
Hosts File Tampering
The malware blocks eScan updates by modifying the Windows hosts file.
ObjectType = "File" AND FilePath ENDS_WITH "\drivers\etc\hosts" AND ProcessName = "Reload.exe"
Suspicious Executables
Search for the primary malicious payload and stage 3 downloader.
ProcessName IN ("Reload.exe", "CONSCTLX.exe")
Command & Control (C2) Connections
Monitor for network traffic to known malicious domains or Handshake-based (.hns) domains.
ObjectType = "DNS" AND (DNSRequest IN ("vhs.delrosal.net", "tumama.hns.to") OR NetAddress = "185.241.208.115")
Splunk
Detection & Reporting
Ingest endpoint and network logs to correlate activity across the environment.
Scheduled Task Detection:
index=windows sourcetype="WinEventLog:Security" EventCode=4698 "Defrag" | stats count by dest, TaskName, Command
eScan Update Failure Analysis: Identify systems failing to update, which may indicate the malware is blocking legitimate patches.
index=escan_logs "Update service failure" OR "Unable to connect" | stats count by host
Malicious Domain Blocking: Match outbound traffic against IoCs provided by SC Media.
index=network (dest_host="*escan*" OR dest_ip IN (<IOC_LIST>)) | eval status=if(match(url, "legitimate_domain"), "safe", "suspicious")
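The three hunts above (hosts file tampering, Defrag-styled scheduled tasks, and DNS/IP matches against the C2 list) can also be run offline against exported artifacts. The script below is an added example written for this bulletin; it is not code from MicroWorld/eScan, Morphisec or any of the referenced vendors. The IOC values come from the IOC section of this page; the hosts file, task names and DNS log lines are constructed samples, and the eScan update host names are not known to the script, so it flags any host name containing "escan" that is mapped to a loopback or unspecified address (mirroring the dest_host="*escan*" Splunk hunt). The known-good task path and the DNS log format are assumptions.

```python
"""Offline hunt for the eScan update-compromise indicators.

Added example, not vendor code. IOCs are taken from the bulletin; all
sample inputs below are constructed for illustration.
"""
import ipaddress
import re

# Command-and-control hosts and IP listed in the bulletin's IOC section.
C2_DOMAINS = {
    "vhs.delrosal.net",
    "tumama.hns.to",
    "blackice.sol-domain.org",
    "codegiant.io",  # shared code host in the bulletin; exact match only to limit noise
    "504e1a42.host.njalla.net",
}
C2_IPS = {"185.241.208.115"}

# Task name fragments reported in the bulletin (CorelDefrag, WindowsDefrag,
# entries under Windows\Defrag\). The real Microsoft task is allowlisted
# (assumed path of the stock ScheduledDefrag task).
SUSPECT_TASK_FRAGMENTS = ("coreldefrag", "windowsdefrag", "\\windows\\defrag\\")
KNOWN_GOOD_TASKS = {"\\microsoft\\windows\\defrag\\scheduleddefrag"}

# Assumed DNS log line format: "<timestamp> <host> query=<qname> answer=<ip>".
DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query=(?P<qname>\S+) answer=(?P<answer>\S+)$")


def check_hosts_file(text):
    """Return (hostname, address, lineno) for eScan-looking names that are
    pinned to loopback/unspecified addresses, i.e. update blocking."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed entry; not our concern here
        if not (ip.is_loopback or ip.is_unspecified):
            continue
        for name in names:
            if "escan" in name.lower():
                hits.append((name, addr, lineno))
    return hits


def check_task_names(task_names):
    """Return scheduled task names matching the bulletin's Defrag-style
    disguises, excluding the allowlisted stock Microsoft task."""
    flagged = []
    for task in task_names:
        low = task.lower()
        if low in KNOWN_GOOD_TASKS:
            continue
        if any(fragment in low for fragment in SUSPECT_TASK_FRAGMENTS):
            flagged.append(task)
    return flagged


def classify_dns(qname, answer):
    """Reasons a single query/answer pair matches the bulletin's C2 indicators."""
    reasons = []
    q = qname.lower().rstrip(".")
    if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
        reasons.append("known C2 domain")
    if ".hns." in q or q.endswith(".hns"):
        reasons.append("Handshake (.hns) domain")
    if answer in C2_IPS:
        reasons.append("known C2 IP")
    return reasons


def check_dns_log(lines):
    """Parse DNS log lines and return one record per line that matched."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # unparseable line; skip rather than crash the hunt
        reasons = classify_dns(m["qname"], m["answer"])
        if reasons:
            hits.append({"host": m["host"], "qname": m["qname"], "reasons": reasons})
    return hits


# --- constructed samples (not real artifacts) ---
HOSTS_SAMPLE = """# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 update.escan.example   # hypothetical update host name
127.0.0.1 download.escan.example
93.184.216.34 www.example.com
"""
TASKS_SAMPLE = [
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
    "CorelDefrag",
    "\\Windows\\Defrag\\Optimize",
    "GoogleUpdateTaskMachineUA",
]
DNS_SAMPLE = [
    "2026-01-20T10:05:11Z WS-0042 query=vhs.delrosal.net answer=185.241.208.115",
    "2026-01-20T10:05:12Z WS-0042 query=www.example.com answer=93.184.216.34",
    "2026-01-20T10:06:00Z WS-0017 query=tumama.hns.to answer=203.0.113.7",
    "2026-01-20T10:07:30Z WS-0017 query=api.example.net answer=185.241.208.115",
    "garbage line that does not parse",
]


def run_hunt():
    """Run all three checks over the constructed samples."""
    return {
        "hosts": check_hosts_file(HOSTS_SAMPLE),
        "tasks": check_task_names(TASKS_SAMPLE),
        "dns": check_dns_log(DNS_SAMPLE),
    }


if __name__ == "__main__":
    for section, findings in run_hunt().items():
        print(section, findings)
```

Feed the real inputs by replacing the samples: the contents of C:\Windows\System32\drivers\etc\hosts, task names from schtasks /query /fo csv, and DNS logs reformatted into the assumed one-line shape. As the bulletin warns, the Defrag fragments and the "*escan*" heuristic are noisy on their own; the value is in correlating a hosts-file hit with a task hit on the same machine.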
Delivery Method
· Supply chain update
o The malicious update involved a trojanized version of a 32-bit eScan executable (Reload.exe).
References
Morphisec
· hxxps://www.morphisec.com/blog/critical-escan-threat-bulletin/
Help Net Security
· hxxps://www.helpnetsecurity.com/2026/01/29/escan-antivirus-update-supply-chain-compromised/
GBlock
· hxxps://www.gblock.app/articles/escan-antivirus-supply-chain-breach
Bleeping computer
· hxxps://www.bleepingcomputer.com/news/security/escan-confirms-update-server-breached-to-push-malicious-update/amp/
VirusTotal
· hxxps://www.virustotal.com/gui/file/8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92/details
· hxxps://www.virustotal.com/gui/file/e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855