eScan confirms update server breached to push malicious update

BleepingComputer, 28/01/2026, 21:00

Summary

AI-Generated

Key Points:

  • eScan's update server was breached, leading to the distribution of a malicious update that affected a subset of customers on January 20, 2026.
  • The malicious update included a modified component, "Reload.exe," which enabled persistence, executed commands, and connected to command and control (C2) servers, potentially compromising customer endpoints.
  • Customers are advised to block the identified C2 servers and apply the remediation update provided by eScan.

Technical Details: The incident involved unauthorized access to eScan's update infrastructure, allowing attackers to distribute a corrupt update signed with an invalid certificate. The malicious file was used to deploy multi-stage malware and create scheduled tasks for persistence.

MITRE ATT&CK Techniques:

  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1053.005 - Scheduled Task/Job: Scheduled Task (Persistence)

IOCs Mentioned:

  • Reload.exe
  • CONSCTLX.exe
  • Invalid code-signing certificate
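
Endpoint triage for the indicators listed above, as an added example (not code from eScan or the original article): it reports the Authenticode status of files with the listed names and any scheduled tasks that launch them. The search roots are assumptions, since this summary gives no install paths, hashes or C2 addresses.

```powershell
# Added example. Assumption: $SearchRoots are guesses; the page gives no file paths.
param(
    [string[]]$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData),
    [string[]]$Names       = @('Reload.exe', 'CONSCTLX.exe')   # file names listed on the page
)

# Locate every file with one of the listed names under the existing search roots.
$files = foreach ($root in ($SearchRoots | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $root -Include $Names -File -Recurse -ErrorAction SilentlyContinue
}

# Report signature status per file. Anything other than 'Valid' (NotSigned,
# HashMismatch, NotTrusted, ...) matches the "invalid certificate" indicator.
$fileReport = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    [pscustomobject]@{
        Path       = $f.FullName
        SigStatus  = $sig.Status
        Signer     = $sig.SignerCertificate.Subject   # empty when the file is unsigned
        SHA256     = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        LastWrite  = $f.LastWriteTimeUtc
        Suspicious = $sig.Status -ne 'Valid'
    }
}

# Scheduled tasks (T1053.005) whose action command line references a listed name.
$taskReport = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($Names | Where-Object { $cmd -like "*$_*" }) {
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                Command  = $cmd
            }
        }
    }
}

$fileReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
$taskReport | Format-Table -AutoSize -Wrap
```

A file name match alone is not a verdict, because the listed names can also belong to legitimate eScan components; the signature status and the task listing are what narrow it down.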
