When Security Software Becomes the Threat: Dream Flags eScan Compromise

In January 2026, a routine antivirus update became the attack. Dream identified, in national environments in Southeast Asia, a highly concerning compromise in which malicious software updates were delivered through the legitimate update infrastructure of MicroWorld Technologies’ eScan antivirus. This post builds on:

- The MORPHISEC article (referencing the revision dated January 29th, 2026).

- The MicroWorld Technologies confirmation regarding their eScan antivirus, as referenced in the BLEEPINGCOMPUTER and HELPNETSECURITY articles.

Dream’s cyber platform uncovered additional troubling details, including DNS listings and evidence of a targeted, skillful hunting approach. Dream assesses that a product meant to protect endpoints was instead used as the delivery mechanism for a covert attack affecting both consumer and enterprise environments.

The campaign, internally named Verglas, quietly replaced an eScan component with a trojanized version, initiating a multi-stage infection chain:

1. Once installed, the malware granted remote access to infected systems and deliberately worked to lock itself in.
2. The malware modified Windows host files and eScan registry settings to block future updates, disrupt remediation, and prevent the antivirus from correcting the compromise.

Dream’s platform identified and investigated the campaign autonomously in the affected national environment, detecting the attack in the wild as it unfolded. By correlating signals across update behavior, system changes, and infrastructure activity, Dream reconstructed the full infection chain and exposed how a trusted security product had been weaponized.

The attack’s most dangerous aspect was its credibility. The malicious update was linked to an eScan certificate, although that certificate was found to be invalid in certain verification scenarios. This may indicate misuse or tampering, but the certificate’s exact status cannot be definitively determined.

The attack peaked around January 20, 2026, spreading through a channel explicitly trusted to deliver security updates. Organizations using the affected update mechanism should assume potential compromise. Immediate isolation of suspected endpoints is critical, alongside preservation of forensic evidence.

A complete incident response assessment is strongly recommended to determine the scope of exposure, identify any additional affected systems or credentials, and guide containment and remediation. As a precaution, organizations should review and reset potentially exposed credentials and ensure recovery is performed only from trusted backups or known-good system images.

On January 20th, 2026, Dream’s cyber platform, specifically its Detection product, identified an active compromise of the software supply chain affecting MicroWorld Technologies’ eScan antivirus. Malicious updates were distributed through eScan’s update infrastructure to both consumer and enterprise endpoints.

The campaign was nicknamed Verglas, a wordplay on black ice, and used a trojanized update to replace a legitimate eScan component, initiating a multi-stage infection process. This activity ultimately deployed a remote-access downloader while tampering with the Windows hosts file and eScan registry settings to block future updates and complicate cleanup efforts.

Dream’s Detection autonomously identified and investigated the attack in the wild as it was being leveraged via MicroWorld’s eScan antivirus. The attack was reconstructed as a multi-stage, compromised deployment delivered through MicroWorld eScan’s trusted update channel: victims received a trojanized update that is believed to provide full remote access to infected machines.

Dream recommends that organizations promptly isolate any suspected endpoints to prevent further spread, while preserving relevant evidence to support a complete investigation.

The attack began when a routine eScan update deployed a trojanized component, Reload.exe, which immediately blended into the normal update workflow and launched a fully fileless infection chain:

1. Within minutes, the malware established persistence via a SYSTEM-level scheduled task, staged an obfuscated PowerShell payload in the registry, bypassed AMSI protections in memory, and initiated encrypted command-and-control communications.
2. Subsequent stages fingerprinted hosts, selectively gated execution to avoid analysis environments, and retrieved encrypted payloads using multi-URL failover and kill-switch logic.
3. The final stage deployed a disguised downloader, consctlx.exe, and modified the Windows hosts file and eScan registry settings to block future updates and remediation.

Dream’s Detection product autonomously reconstructed this end-to-end workflow in real time, exposing how a legitimate security update channel was weaponized to deliver resilient, stealthy remote access at scale.

The full report can be seen here.

Conclusion

CTI Assessment

During the investigation of this campaign, multiple analytical tools and data sources were leveraged to assess potential attribution. Based on the DNS victim profile (as described in the attached full report) and observed infrastructure patterns, attribution remains unconfirmed; multiple hypotheses exist and require further evidence to elevate confidence.

Recommendations

Dream’s recommendations also include the following actions:

- Treat Verglas as a potential high-impact incident because it abused a trusted software update mechanism.

- As a precaution, Dream recommends that affected organizations contact the vendor for further information and guidance, and also:

  - Engage qualified incident response services to assess the scope of exposure, determine whether any additional systems or accounts were impacted, and guide containment and remediation.

  - Review and reset potentially exposed credentials and ensure they can restore affected systems from trusted backups or known-good images.

IoCs

| # | Type | Details |
|---|------|---------|
| 1 | Registry | HKLM:\Software\E9F9EEC3-86CA-4EBE-9AA4-1B55EE8D114E |
| 2 | Registry | HKLM:\Software\{26B71C-ED81-43E5-9AF-05875B889E9} (Value name: Trello) |
| 3 | Scheduled Task | \Microsoft\Windows\Defrag\CorelDefrag |
| 4 | File Hash (SHA-256) | 36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860 |
| 5 | File Hash (SHA-256) | 386a16926aff225abc31f73e8e040ac0c53fb093e7daf3fbd6903c157d88958c |
| 6 | File Hash (SHA-256) | 674943387cc7e0fd18d0d6278e6e4f7a0f3059ee6ef94e0976fae6954ffd40dd |
| 7 | File Hash (SHA-256) | bec369597633eac7cc27a698288e4ae8d12bdd9b01946e73a28e1423b17252b1 |
| 8 | File Hash (SHA-256) | c2de3b16cc9c0e558cbebec16f4e59171d91b7b50293657f5a07249b50a71fd6 |
| 9 | File Hash (SHA-256) | 5f6fcc646a413599a237eb1383dd4e082b007d133041b0c08cda12d3e70c1923 |
| 10 | File Hash (SHA-256) | 1944aa7540eb60a7dd11b58f2eb6b9e2b3377668156ed6660adb7f2babb389d2 |
| 11 | File Hash (SHA-256) | 021671a9cf17fa1c9b8cda81647d28d88b4acb856736cbbbd990befea7b69c4c |
| 12 | File Hash (SHA-256) | 4f6391237571b494e8b5623ed104925097f05b006a34c5fc0e97d2ef6dcb4856 |
| 13 | C2 Network Connections | hxxps://vhs[.]delrosal[.]net/i |
| 14 | C2 Network Connections | hxxps://tumama[.]hns[.]to |
| 15 | C2 Network Connections | hxxps://blackice[.]sol-domain[.]org |
| 16 | C2 Network Connections | hxxps://codegiant[.]io/dd/dd/dd.git/download/main/middleware.ts |
| 17 | Campaign-related Domains | vhs.delrosal[.]net, so.delrosal[.]net, ib.delrosal[.]net, ia.delrosal[.]net, tumama.hns[.]to, 504e1a42.host.njalla[.]net, zoutube[.]net, go.zoutube[.]net, a.zoutube[.]net, distorit[.]net, go.distorit[.]net, b.distorit[.]net |
| 18 | IP Addresses | 80.78.26.66, 143.198.94.96, 80.97.160.50, 96.9.125.243 |
| 19 | Content Page Hash | MD5 9674d4d4adf2dd3ae860dce0850111ca |
| 20 | Code Signing Certificate Thumbprint | 76B0D9D51537DA06707AFA97B4AE981ED6D03483 |
| 21 | Cryptography | RC4 key: Y5C5SMXMU2 |
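
The following PowerShell triage script is an added example and is not code from Dream’s report or from MicroWorld. It checks a single Windows endpoint for the indicators in the table above (the two registry keys, the scheduled task, hosts-file edits, DNS-cache entries and live TCP connections to campaign infrastructure, file hashes, and the signing-certificate thumbprint), which covers the persistence and hosts-file behaviour described in the infection-chain summary. Assumptions: it is run in an elevated session on the host under examination; the default scan paths (Program Files, Program Files (x86) and ProgramData) are a guess at where eScan and the dropped components live and should be adjusted to the local install; the name matches for Reload.exe and consctlx.exe and the "escan" substring match in the hosts file are lower-confidence hints, because the report does not list the exact hosts entries the malware writes.

```powershell
# Added triage example (not from the Dream report): check one Windows host for the
# Verglas IoCs listed in the report. Run elevated. -ScanPaths defaults are an
# assumption about where eScan and dropped components live; adjust as needed.
param(
    [string[]]$ScanPaths = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData"),
    [string]$HostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
)

# Indicators copied from the IoC table (defanging brackets removed so they match).
$IocRegistryKeys = @(
    'HKLM:\Software\E9F9EEC3-86CA-4EBE-9AA4-1B55EE8D114E',
    'HKLM:\Software\{26B71C-ED81-43E5-9AF-05875B889E9}'
)
$IocTaskPath = '\Microsoft\Windows\Defrag\'
$IocTaskName = 'CorelDefrag'
$IocSha256 = @(
    '36ef2ec9ada035c56644f677dab65946798575e1d8b14f1365f22d7c68269860',
    '386a16926aff225abc31f73e8e040ac0c53fb093e7daf3fbd6903c157d88958c',
    '674943387cc7e0fd18d0d6278e6e4f7a0f3059ee6ef94e0976fae6954ffd40dd',
    'bec369597633eac7cc27a698288e4ae8d12bdd9b01946e73a28e1423b17252b1',
    'c2de3b16cc9c0e558cbebec16f4e59171d91b7b50293657f5a07249b50a71fd6',
    '5f6fcc646a413599a237eb1383dd4e082b007d133041b0c08cda12d3e70c1923',
    '1944aa7540eb60a7dd11b58f2eb6b9e2b3377668156ed6660adb7f2babb389d2',
    '021671a9cf17fa1c9b8cda81647d28d88b4acb856736cbbbd990befea7b69c4c',
    '4f6391237571b494e8b5623ed104925097f05b006a34c5fc0e97d2ef6dcb4856'
)
$IocDomains = @(
    'vhs.delrosal.net', 'so.delrosal.net', 'ib.delrosal.net', 'ia.delrosal.net',
    'tumama.hns.to', '504e1a42.host.njalla.net', 'blackice.sol-domain.org',
    'zoutube.net', 'go.zoutube.net', 'a.zoutube.net',
    'distorit.net', 'go.distorit.net', 'b.distorit.net'
)
$IocIps = @('80.78.26.66', '143.198.94.96', '80.97.160.50', '96.9.125.243')
$IocCertThumbprint = '76B0D9D51537DA06707AFA97B4AE981ED6D03483'
# Component names from the infection-chain description; a name match alone is only a hint.
$SuspectFileNames = @('reload.exe', 'consctlx.exe')

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Category, [string]$Confidence, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Confidence = $Confidence; Detail = $Detail })
}

# 1. Registry keys the implant writes (IoC 1 and 2).
foreach ($key in $IocRegistryKeys) {
    if (Test-Path -LiteralPath $key) { Add-Finding 'Registry' 'High' $key }
}

# 2. SYSTEM-level scheduled task used for persistence (IoC 3).
$task = Get-ScheduledTask -TaskPath $IocTaskPath -TaskName $IocTaskName -ErrorAction SilentlyContinue
if ($task) {
    Add-Finding 'ScheduledTask' 'High' ("{0}{1} runs as {2}" -f $task.TaskPath, $task.TaskName, $task.Principal.UserId)
}

# 3. Hosts file: the report says the malware edits it to block eScan updates. Campaign
#    domains/IPs are high confidence; lines mentioning "escan" are flagged for review
#    because the exact entries are not listed in the report (assumption).
if (Test-Path -LiteralPath $HostsFile) {
    foreach ($raw in Get-Content -LiteralPath $HostsFile) {
        $line = ($raw -split '#', 2)[0].Trim()
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }
        $names = $fields[1..($fields.Count - 1)] | ForEach-Object { $_.ToLower() }
        if ($IocIps -contains $fields[0] -or ($names | Where-Object { $IocDomains -contains $_ })) {
            Add-Finding 'HostsFile' 'High' $line
        } elseif ($line -match 'escan') {
            Add-Finding 'HostsFile' 'Review' $line
        }
    }
}

# 4. Network residue: cached DNS answers and live TCP connections to campaign infrastructure.
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $IocDomains -contains $_.Entry.ToLower() } |
    ForEach-Object { Add-Finding 'DnsCache' 'High' ("{0} -> {1}" -f $_.Entry, $_.Data) }
Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $IocIps -contains $_.RemoteAddress } |
    ForEach-Object { Add-Finding 'TcpConnection' 'High' ("{0}:{1} (PID {2})" -f $_.RemoteAddress, $_.RemotePort, $_.OwningProcess) }

# 5. Files: SHA-256 against the IoC hashes, signer thumbprint (IoC 20), and component names.
foreach ($root in $ScanPaths) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($hash -and $IocSha256 -contains $hash.ToLower()) {
                Add-Finding 'FileHash' 'High' ("{0} {1}" -f $_.FullName, $hash.ToLower())
            }
            if ($SuspectFileNames -contains $_.Name.ToLower()) {
                Add-Finding 'FileName' 'Review' $_.FullName
            }
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if ($sig.SignerCertificate -and $sig.SignerCertificate.Thumbprint -eq $IocCertThumbprint) {
                Add-Finding 'Signature' 'High' ("{0} signed with IoC thumbprint, status {1}" -f $_.FullName, $sig.Status)
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Verglas indicators found in the checked locations (absence here is not proof of a clean host).'
} else {
    $findings | Sort-Object Confidence, Category | Format-Table -AutoSize -Wrap
}
```

Run it on a host that has already been isolated, and capture the output alongside the other forensic evidence before any remediation. Hashing every executable under Program Files is slow; narrowing -ScanPaths to the eScan installation directory and common drop locations is usually enough for a first pass. The signature check reports the thumbprint match together with the Authenticode status, which is the practical way to observe the "invalid in certain verification scenarios" behaviour the report describes.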