
eScan Update Server Breach Exposes Malicious Update to Customers

MicroWorld Technologies' eScan antivirus suffered a breach of a regional update server on Jan 20 2026, resulting in a malicious Reload.exe update being pushed to a limited set of customers. Learn the timeline, impact, response, and remediation steps.
28 January 2026 by TechStora Editorial Board

Overview

MicroWorld Technologies, the developer of the eScan antivirus solution, confirmed that an unauthorized actor accessed a regional update server on January 20, 2026. During a two‑hour window the attacker placed a malicious file—identified as a modified Reload.exe—into the legitimate update distribution path. The file was delivered to a small subset of eScan customers who downloaded updates from that server.

Timeline of Events

  • Jan 20 2026 (02:00‑04:00 UTC): Unauthorized file inserted into the update cluster.
  • Jan 20 2026 (later that day): Customers begin receiving the malicious update.
  • Jan 20 2026 (evening): eScan detects anomalous activity through internal monitoring and customer reports.
  • Jan 21 2026: eScan isolates and rebuilds the affected infrastructure, rotates credentials, and publishes a security advisory.
  • Jan 22 2026 onward: Morphisec releases a technical report linking the malicious activity to the eScan update infrastructure.

Impact

The compromised update was distributed only to devices that retrieved updates from the specific regional cluster during the breach window. Affected systems received a signed‑but‑invalid Reload.exe binary that performed the following actions:

  • Established persistence on the endpoint.
  • Executed arbitrary commands.
  • Modified the Windows HOSTS file to block remote updates.
  • Contacted command‑and‑control (C2) servers to download additional payloads.

All other eScan customers remained unaffected, and no vulnerability in the eScan product itself was exploited.

Response and Remediation

eScan took immediate steps after detection:

  • Isolated the compromised server and rebuilt the update infrastructure.
  • Rotated all authentication credentials associated with the update system.
  • Issued a remediation update that removes the malicious component and restores system integrity.
  • Conducted proactive notifications and direct outreach to impacted customers.

Both eScan and Morphisec advise customers to block the identified C2 domains to prevent further communication.

Technical Analysis (Morphisec Report)

Morphisec’s bulletin describes the malicious Reload.exe as a multi‑stage payload that, despite being signed with a certificate resembling eScan’s code‑signing key, fails verification on Windows and VirusTotal. The file’s behavior includes persistence mechanisms, command execution, HOSTS file manipulation, and C2 communication for additional downloads.

Recommendations for Customers

  • Apply the eScan remediation update immediately.
  • Block the listed C2 IP addresses and domains at the network perimeter.
  • Verify the integrity of all eScan update binaries using hash checks or trusted repositories.
  • Monitor endpoint logs for the presence of Reload.exe or related suspicious activity.
  • Maintain up‑to‑date backup copies of critical data in case of further compromise.
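A HOSTS-file check in the spirit of the monitoring recommendation above, added here as an example and not part of the TechStora article or of eScan's or Morphisec's tooling. It flags entries that pin non-local hostnames to a loopback or null address, the pattern used to block an update server, and runs on constructed sample content whose hostnames are placeholders, not the real update or C2 domains.

```python
import ipaddress
from pathlib import Path

# Default location of the HOSTS file on Windows.
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Addresses that make a name resolve to nowhere (sinkhole it).
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Names that legitimately map to loopback and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def find_sinkholed_hosts(hosts_text: str) -> list[tuple[str, str]]:
    """Return (address, hostname) pairs where a non-local name is pinned
    to a loopback/null address. Comments and blank lines are ignored;
    lines whose first field is not an IP address are skipped."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        addr, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line, not a resolver entry
        if addr not in SINKHOLE_ADDRS:
            continue
        for name in names:
            if name.lower() not in LOCAL_NAMES:
                findings.append((addr, name.lower()))
    return findings


def scan_hosts_file(path: Path = WINDOWS_HOSTS) -> list[tuple[str, str]]:
    """Read the live HOSTS file and report suspicious entries."""
    return find_sinkholed_hosts(path.read_text(encoding="utf-8", errors="replace"))


# Constructed sample, not taken from a real machine; hostnames are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0   update.example-av.invalid  download.example-av.invalid  # added by attacker
127.0.0.1 ipv4.example-av.invalid
"""

if __name__ == "__main__":
    for addr, name in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"suspicious HOSTS entry: {name} -> {addr}")
```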