eScan Antivirus Update Servers Compromised to Deliver Multi-Stage Malware
These articles are AI-generated summaries. Please check the original sources for full details.
eScan Antivirus Update Servers Compromised
The eScan antivirus update infrastructure was compromised by unknown attackers, resulting in malicious updates being distributed to enterprise and consumer systems worldwide. MicroWorld Technologies detected unauthorized access to its infrastructure and immediately isolated the affected update servers. The breach deployed a persistent downloader that interfered with the product's normal functionality, preventing automatic remediation and enabling further malware downloads.
Why This Matters
The compromise of eScan's update infrastructure highlights the risk of supply chain attacks: a single breach of a trusted update channel can deploy malware at scale, as in this incident, where hundreds of machines were affected. It also underscores the importance of securing update mechanisms, since a breach there can expose sensitive data and disrupt critical systems.
Key Insights
- Hundreds of machines were affected by the malicious update, primarily located in India, Bangladesh, Sri Lanka, and the Philippines, according to Kaspersky’s analysis.
- The attackers used a modified version of the UnmanagedPowerShell tool to execute PowerShell code and bypass Windows Antimalware Scan Interface (AMSI).
- The malicious payload, including “Reload.exe” and “CONSCTLX.exe”, was designed to establish persistence, block remote updates, and contact an external server to fetch additional payloads.
Working Example
# Example of a PowerShell payload used in the attack (the value below is a placeholder; the real encoded script is not reproduced here)
$payload = "Base64-encoded PowerShell script"
# Decode the Base64 blob back into script text without writing it to disk
$decodedPayload = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($payload))
# Run the decoded script in memory; this is the step AMSI would normally scan, which the attackers bypassed with a modified UnmanagedPowerShell
Invoke-Expression $decodedPayload
Practical Applications
- Use Case: Organizations using eScan antivirus should immediately check for and apply the patch released by MicroWorld Technologies to revert the changes introduced by the malicious update.
- Pitfall: Failing to secure update mechanisms can lead to supply chain attacks and large-scale malware deployment, so robust protection of the update channel is essential.
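A host-hunting check for the indicators this summary names, added here as an example and not code from the article, Kaspersky or MicroWorld: it flags the two payload executables and the decode-then-Invoke-Expression pattern from the snippet above in process-creation records. The record layout, paths and timestamps are constructed for the demo.

```python
import re
from typing import Dict, List, Tuple

# Executable names the Kaspersky analysis attributes to the malicious eScan update.
SUSPECT_IMAGES = {"reload.exe", "consctlx.exe"}

# The pattern from the snippet above: a Base64 blob decoded and run in memory.
DECODE = re.compile(r"frombase64string", re.I)
RUN = re.compile(r"invoke-expression|\biex\b", re.I)
# The same trick via the CLI: powershell -EncodedCommand <base64> (or -e / -ec / -enc).
ENCODED_FLAG = re.compile(r"\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed process-creation record: 'timestamp|image path|command line'."""
    ts, image, cmd = line.split("|", 2)
    return {"ts": ts, "image": image, "cmd": cmd}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons this event resembles the eScan update payload chain."""
    reasons = []
    exe = re.split(r"[\\/]", event["image"])[-1].lower()
    if exe in SUSPECT_IMAGES:
        reasons.append(f"known payload name {exe}")
    cmd = event["cmd"]
    if (DECODE.search(cmd) and RUN.search(cmd)) or ENCODED_FLAG.search(cmd):
        reasons.append("encoded PowerShell executed in memory")
    return reasons


def hunt(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Scan records and return (timestamp, image path, reasons) for each hit."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = classify(ev)
        if reasons:
            hits.append((ev["ts"], ev["image"], reasons))
    return hits


# Constructed sample records; paths and timestamps are made up for this demo.
SAMPLE_LOG = [
    "2024-04-10T09:12:01|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "2024-04-10T09:12:07|C:\\ProgramData\\Reload.exe|Reload.exe",
    "2024-04-10T09:12:09|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell -NoP -W Hidden -c \"$p='QUJD';iex([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)))\"",
    "2024-04-10T09:12:11|C:\\Users\\Public\\CONSCTLX.exe|CONSCTLX.exe /install",
    "2024-04-10T09:13:00|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
]

if __name__ == "__main__":
    for ts, image, reasons in hunt(SAMPLE_LOG):
        print(ts, image, "; ".join(reasons))
```

On a real host the same logic can be fed from Sysmon Event ID 1 or Windows Security 4688 records instead of the constructed list.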