Supply chain attack on eScan antivirus: detecting and remediating malicious updates
ID: 2d88e74f-85b6-57df-8637-6b3df12423a1
STIX ID: report--2d88e74f-85b6-57df-8637-6b3df12423a1
Feed Name: Securelist by Kaspersky
Date Published: 2026-01-29
Date Updated: 2026-04-29
Author: Georgy Kucherin, Kirill Korchemny, Ilya Savelyev
On January 20, an eScan antivirus regional update server was breached and used to distribute a malicious updater (Reload.exe). The updater blocked antivirus updates by modifying the hosts file, established persistence via scheduled tasks (for example, one named CorelDefrag), dropped additional payloads (e.g., consctlx.exe), and communicated with command-and-control domains. The vendors contained the incident and provided a cleanup utility, and investigators published IoCs and mitigation guidance.
