Unveiled: How a Hacked eScan Update Unleashed Multi-Stage Malware via Blockchain C2 Networks
A Rising Threat: Supply Chain Attacks Hit Trusted Software
Supply chain attacks are on the rise. Hackers target trusted software to sneak into networks. This method lets them bypass defenses. In January 2026, eScan antivirus users faced such an attack. A bad update spread multi-stage malware. What made it unique? Attackers used blockchain C2 for control. This post breaks down the attack, the blockchain role, and lessons for crypto users.
The eScan Compromise: How It Started
eScan, from MicroWorld Technologies, was the target. Attackers breached a regional update server and placed a malicious file in the update path. For a two-hour window on January 20, users in the EMEA region received this bad update, and Windows devices showed errors after it installed.
The malware began with Reload.exe, a 32-bit file. It dropped CONSCTLX.exe, a 64-bit downloader. This downloader set up persistence with scheduled tasks such as “CorelDefrag” and ran PowerShell scripts. To hide, it modified the Windows HOSTS file and eScan registry keys, which blocked the vendor's own fixes from reaching the machine. It then fetched further payloads from a C2 server.
Key Malware Steps
- Dropper: Reload.exe installs CONSCTLX.exe
- Persistence: Scheduled tasks run scripts
- Evasion: Blocks updates via HOSTS and registry
- Payload: Downloads from C2
Initial Access: From Legit Updates to Rogue Connections
Devices downloaded .dlz files from eScan servers. They then connected to vhs.delrosal[.]net, a C2 endpoint. This site served a certificate whose subject read “O=Internet Widgits Pty Ltd”, the default organization name OpenSSL fills in when a certificate request is generated without one. It is a common test placeholder and turns up often in attacker infrastructure.
Networks saw rare outbound connections to destinations that neither the affected devices nor their organizations had ever contacted before, a classic sign of beaconing.
Blockchain C2: The Clever Twist
Attackers built a spread-out C2 using blockchain. They used .sol domains from Solana, which are human-readable names for wallet addresses. Browsers don’t resolve .sol natively; the Solana Naming System (formerly Bonfida) resolves them through web proxies such as sol-domain[.]org.
Devices connected to blackice.sol-domain[.]org, most likely a dead drop on the blockchain: the attackers store commands in public transactions, and victims pull them through the proxy.
Solana’s ledger is public, so analysts checked the blackice[.]sol transactions. The first ones date from November 7, 2025, which matches the creation date of vhs.delrosal[.]net. Transactions carried the string “CNAME= vhs.delrosal[.]net”. A later one read “hxxps://96.9.125[.]243/i;code=302”, evidence that the C2 location was being rotated.
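Because the ledger is public, a defender can read the same memos and rebuild the C2 timeline. The following added example (not code from the post) does that over a constructed list of memo records modelled on the two strings quoted above: it recognises a `KEY=value` directive and a URL with a `;code=NNN` suffix, walks the records in ledger order, and emits a refanged blocklist. The directive and suffix formats are assumptions inferred from those two strings, the slot numbers and the third memo are constructed, and the dates are placeholders apart from November 7, 2025.

```python
"""Rebuild a dead-drop C2 timeline from public transaction memos (added example)."""
import re
from datetime import date

# Constructed memo records; values are written defanged, as in the post.
SAMPLE_MEMOS = [
    {"slot": 1, "date": date(2025, 11, 7), "memo": "CNAME= vhs.delrosal[.]net"},
    {"slot": 2, "date": date(2025, 12, 1), "memo": "hxxps://96.9.125[.]243/i;code=302"},
    {"slot": 3, "date": date(2025, 12, 2), "memo": "gm frens"},  # unrelated chatter
]

# Assumed formats: "KEY= value" directives and "URL;code=NNN" redirects.
DIRECTIVE = re.compile(r"^\s*(?P<key>[A-Za-z]+)\s*=\s*(?P<value>\S+)\s*$")
URL = re.compile(r"^(?P<url>h[xt]{2}ps?://\S+?)(?:;code=(?P<code>\d{3}))?$")


def refang(value):
    """Turn the defanged notation used in reports back into a usable IoC."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def parse_memo(memo):
    """Classify one memo as a directive, a redirect, or None for noise."""
    m = DIRECTIVE.match(memo)
    if m:
        return {"kind": "directive", "key": m["key"].upper(), "value": m["value"]}
    m = URL.match(memo.strip())
    if m:
        return {"kind": "redirect", "url": m["url"],
                "code": int(m["code"]) if m["code"] else None}
    return None


def c2_timeline(records):
    """Walk memos in ledger order and return (slot, kind, value) transitions."""
    timeline = []
    for rec in sorted(records, key=lambda r: r["slot"]):
        parsed = parse_memo(rec["memo"])
        if parsed is None:
            continue
        if parsed["kind"] == "directive" and parsed["key"] == "CNAME":
            timeline.append((rec["slot"], "cname", parsed["value"]))
        elif parsed["kind"] == "redirect":
            timeline.append((rec["slot"], "redirect", parsed["url"]))
    return timeline


def blocklist(records):
    """Return sorted (type, value) IoCs ready for a DNS or proxy blocklist."""
    iocs = set()
    for _, kind, value in c2_timeline(records):
        clean = refang(value)
        if kind == "cname":
            iocs.add(("domain", clean))
            continue
        host = re.match(r"https?://([^/;]+)", clean).group(1)
        is_ip = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None
        iocs.add(("ip" if is_ip else "domain", host))
        iocs.add(("url", clean))
    return sorted(iocs)


if __name__ == "__main__":
    for entry in c2_timeline(SAMPLE_MEMOS):
        print("timeline:", entry)
    for entry in blocklist(SAMPLE_MEMOS):
        print("block:", entry)
```

Ledger order (the slot here) rather than wall-clock order is what matters when reconstructing which endpoint was live at a given time, since that is the order in which a victim polling the dead drop would have seen the updates.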
Other Blockchain Endpoints
Analysts also saw connections to tumama.hns[.]to. This uses the Handshake blockchain for domain names, which has no central control, so attackers favour it to dodge takedowns.
Proxies such as sns-resolver.bonfida.workers[.]dev helped hide the traffic.

Why Blockchain for C2? Pros and Cons for Hackers
Blockchain offers:
- Resilience: Hard to shut down. Decentralized.
- Stealth: Looks like normal crypto txns.
- Dead Drops: Commands in public data, no direct C2.
But transparency hurts. Anyone can see txns. Helps track attackers.
For the crypto world, the warning is clear: blockchains aren’t just for DeFi. Hackers abuse them too, and .sol and .hns domains show the trend.
Detection: Spotting the Anomalies
The attack spread fast. Antivirus software is deployed everywhere with automatic updates, so one bad update reaches many machines at once.
Signs to watch:
- Unusual file downloads from update servers.
- New C2 connections, even via blockchain proxies.
- HOSTS file changes.
- Rare scheduled tasks.
Behavioral monitoring catches this: it learns what normal traffic looks like and flags the odd beacons.
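To make the behavioral approach concrete, the following added example (not code from the post) runs three of the network-side checks above over constructed connection logs: destinations never seen in a baseline period, (host, destination) pairs whose connection intervals are nearly constant, and destinations under the blockchain proxy suffixes named in this post. The log format, the hostnames WS-01 and WS-02, and the av-vendor.example and corp.example domains are constructed; the proxy suffixes and the two attacker domains are the ones the post reports, written defanged and refanged on parse.

```python
"""Network-side beaconing triage: first-seen, periodicity, proxy suffixes (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection logs. Baseline is the prior week; current is the incident day.
SAMPLE_BASELINE = """\
2026-01-13T09:12:00Z host=WS-01 dst=cdn.av-vendor.example port=443
2026-01-14T11:40:00Z host=WS-02 dst=cdn.av-vendor.example port=443
2026-01-15T16:03:00Z host=WS-01 dst=mail.corp.example port=993
"""
SAMPLE_CURRENT = """\
2026-01-20T09:00:00Z host=WS-01 dst=blackice.sol-domain[.]org port=443
2026-01-20T10:00:00Z host=WS-01 dst=vhs.delrosal[.]net port=443
2026-01-20T10:02:00Z host=WS-01 dst=blackice.sol-domain[.]org port=443
2026-01-20T10:10:00Z host=WS-01 dst=vhs.delrosal[.]net port=443
2026-01-20T10:20:00Z host=WS-01 dst=vhs.delrosal[.]net port=443
2026-01-20T10:30:00Z host=WS-01 dst=vhs.delrosal[.]net port=443
2026-01-20T10:40:00Z host=WS-01 dst=vhs.delrosal[.]net port=443
2026-01-20T10:58:00Z host=WS-01 dst=blackice.sol-domain[.]org port=443
2026-01-20T11:15:00Z host=WS-02 dst=cdn.av-vendor.example port=443
2026-01-20T12:01:00Z host=WS-01 dst=blackice.sol-domain[.]org port=443
2026-01-20T13:30:00Z host=WS-02 dst=mail.corp.example port=993
"""

LOG = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+)$")
# Suffixes from the post. workers.dev carries much legitimate traffic, so it is low confidence.
PROXY_SUFFIXES = {".sol-domain.org": "high", ".hns.to": "high", ".workers.dev": "low"}


def parse(text):
    """Parse log lines into records, refanging defanged destinations."""
    records = []
    for line in text.splitlines():
        m = LOG.match(line.strip())
        if not m:
            continue
        records.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                        "host": m["host"],
                        "dst": m["dst"].replace("[.]", ".").lower(),
                        "port": int(m["port"])})
    return records


def first_seen(current, baseline):
    """Destinations contacted now that never appeared in the baseline period."""
    known = {r["dst"] for r in baseline}
    return sorted({r["dst"] for r in current} - known)


def periodic(records, min_hits=4, max_cv=0.15):
    """Flag (host, dst) pairs whose inter-connection gaps have low relative spread."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["host"], r["dst"])].append(r["ts"])
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0   # coefficient of variation
        if cv <= max_cv:
            flagged[pair] = round(avg)             # mean beacon interval in seconds
    return flagged


def proxy_hits(records):
    """Destinations under a known blockchain name-resolution proxy suffix."""
    hits = {}
    for r in records:
        for suffix, confidence in PROXY_SUFFIXES.items():
            if r["dst"].endswith(suffix):
                hits[r["dst"]] = confidence
    return hits


def triage(baseline_text, current_text):
    base, cur = parse(baseline_text), parse(current_text)
    return {"first_seen": first_seen(cur, base),
            "beacons": periodic(cur),
            "proxies": proxy_hits(cur)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BASELINE, SAMPLE_CURRENT).items():
        print(key, value)
```

The periodicity check tolerates the jitter real beacons add (the sol-domain connections in the sample drift by a few minutes yet still score well under the 15% threshold), while a single first-seen hit on its own is only a lead; the three findings together are what justify pulling the host for analysis.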
Lessons for Blockchain and Crypto Users
This attack blends IT and crypto threats. Key takeaways:
- Supply Chains Vulnerable: Even AV can be weaponized.
- Blockchain Dual-Use: Great for Web3, risky for C2.
- Monitor Outbound: Block rare domains, proxies.
- Transparency Wins: Public ledgers aid defense.
Crypto projects should audit their naming services and watch wallet transactions for odd strings.
Future Risks: Evolving Tactics
Hackers keep getting creative, and more blockchain-based C2 is coming; Solana and Handshake are easy to abuse for it. Defenders need AI to spot the patterns in the noise.
Assume breach. Watch behavior over signatures.
Protect Your Network
- Segment updates. Test before deploy.
- Use anomaly detection.
- Block known bad proxies.
- Monitor blockchain txns linked to your infra.
The
What do you think? Share in comments.