Cyber Incident Victim: MicroWorld Technologies
Date: Jan 2026
Location: India
Summary
MicroWorld Technologies' eScan antivirus update server was compromised, allowing attackers to push a malicious Reload.exe file through the legitimate update channel. The file altered the HOSTS file to block automatic updates, created persistence via scheduled tasks, and downloaded additional payloads that disrupted normal antivirus function. Security researchers detected the activity and reported it to the vendor, which confirmed unauthorized access to its infrastructure and isolated the affected servers. The vendor issued a cleanup tool to remove the infection and restore normal operation, while disputing the characterization of the incident as a supply chain attack and noting a medium-high impact on enterprise customers.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 0 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On January 20, 2026, eScan detected unauthorized access to its update infrastructure and immediately isolated the affected servers, which remained offline for over eight hours. Morphisec first observed malicious behavior on its customers’ devices on January 20, 2026, and reported the incident to MicroWorld Technologies, the company behind eScan, on January 21. On January 29, 2026, Morphisec published a threat bulletin revealing that rogue updates had been distributed through eScan’s legitimate update infrastructure, delivering a multi-stage malware payload. The bulletin described the malicious file as ‘Reload.exe’, which initiated an infection chain by modifying the HOSTS file to block automatic updates, creating persistence via scheduled tasks, and downloading additional payloads.

The altered update prevented compromised systems from receiving legitimate eScan updates and changed the antivirus’s normal functionality. As a result, automatic remediation was not possible for infected endpoints, requiring victims to manually obtain a cleanup utility from eScan’s technical support. The malicious update was distributed only to customers who downloaded updates from the affected regional server cluster during a limited timeframe on January 20, 2026. eScan characterized the impact as medium-high for enterprise customers, noting global reach for both enterprise and consumer endpoints.

In response, eScan released a specialized utility that users could obtain by contacting technical support, designed to clean the infection, roll back malicious system modifications, and restore normal antivirus operation. eScan confirmed the unauthorized access in a January 22 security advisory to its customers, describing the placement of an incorrect patch configuration binary in the update distribution path. The company expressed disagreement with Morphisec’s characterization of the event as a supply chain attack and indicated it was consulting legal counsel regarding the public disclosure. SecurityWeek sought comment from eScan on the incident and noted it would update its coverage if a statement was provided.
