Overview
- The trojanized update on January 20 replaced eScan’s Reload.exe, tampered with the hosts file and registry settings to block future updates, established persistence via scheduled tasks, and contacted attacker C2 infrastructure to fetch additional payloads, including a downloader reported as CONSCTLX.exe.
- MicroWorld says it detected the incident the same day, isolated the affected regional cluster within about an hour, took global update services offline for over eight hours, rebuilt the server, rotated credentials, and produced a remediation tool for customers.
- Morphisec and MicroWorld dispute who first identified the activity and how widely customers were impacted, with Morphisec citing broad targeting of its customers and MicroWorld describing a small subset affected by the compromised cluster.
- Defenders are advised to assume potential compromise, review January 20 update logs, check for suspicious scheduled tasks such as CorelDefrag, inspect the hosts file and registry for unauthorized changes, block the listed C2s, and reset credentials used on exposed systems.
- Kaspersky corroborated the supply-chain compromise, noted the invalid eScan signature on the modified Reload.exe, and shared additional network indicators including airanks.hns.to and csc.biologii.net/sooc.
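The defender checks above can be run from a single host triage script. The following PowerShell is an added example for this page, not a tool from MicroWorld, Morphisec or Kaspersky. It looks only for the indicators the summary names (the CorelDefrag task, the CONSCTLX.exe downloader, the airanks.hns.to and csc.biologii.net C2 hosts, and an invalid signature on Reload.exe); the registry keys changed by the update are not identified in the summary, so they are not checked, and the eScan install path is a placeholder you must set.

```powershell
# Host triage for the eScan update compromise described above.
# Added example; the indicators come from the summary, the Reload.exe path is a placeholder.
$indicators = @{
    TaskNames  = @('CorelDefrag')
    FileNames  = @('CONSCTLX.exe')
    C2Hosts    = @('airanks.hns.to', 'csc.biologii.net')
    ReloadPath = 'C:\PLACEHOLDER\eScan\Reload.exe'   # assumption: set to the real install location
}
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Scheduled-task persistence under the task name reported in the incident
foreach ($name in $indicators.TaskNames) {
    Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue | ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings.Add("Scheduled task '$($_.TaskName)' in $($_.TaskPath) runs: $actions")
    }
}

# 2. hosts file: entries that redirect eScan update names or reference the C2 hosts
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path $hostsPath) {
    Get-Content $hostsPath |
        Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' } |
        ForEach-Object {
            $line = $_
            foreach ($h in $indicators.C2Hosts) {
                if ($line -match [regex]::Escape($h)) { $findings.Add("hosts: C2 reference: $line") }
            }
            if ($line -match 'escan') { $findings.Add("hosts: possible update-blocking entry: $line") }
        }
}

# 3. Authenticode status of Reload.exe (the modified binary carried an invalid eScan signature)
if (Test-Path $indicators.ReloadPath) {
    $sig = Get-AuthenticodeSignature -FilePath $indicators.ReloadPath
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Reload.exe signature status: $($sig.Status); signer: $($sig.SignerCertificate.Subject)")
    }
} else {
    $findings.Add("Reload.exe not found at $($indicators.ReloadPath); set ReloadPath to the install directory")
}

# 4. Dropped downloader on disk, searching common writable locations (extend the list for your estate)
foreach ($root in @($env:ProgramData, $env:TEMP, $env:SystemRoot, $env:ProgramFiles)) {
    Get-ChildItem -Path $root -Recurse -Include $indicators.FileNames -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $findings.Add("File present: $($_.FullName) SHA256=$hash")
        }
}

# 5. Resolver cache: evidence the host recently looked up a C2 name
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $entry = $_.Entry; $indicators.C2Hosts | Where-Object { $entry -like "*$_*" } } |
    ForEach-Object { $findings.Add("DNS cache: $($_.Entry) -> $($_.Data)") }

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Output "[!] $_" }
} else {
    Write-Output 'No listed indicators found on this host.'
}
```

Run it in an elevated session so scheduled tasks and the hosts file are readable, and treat any hit as a reason to pull the host's January 20 update logs and rotate the credentials it holds, as the guidance above recommends; a clean result only shows the named indicators are absent, not that the update was never applied.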