
Dragon Boss Solutions' Signed Adware Disables Antivirus on 25,000+ Endpoints

Severity: High (Score: 71.0)

Sources: Bleepingcomputer, Infosecurity-Magazine, Cybersecuritynews, Technadu, Huntress

Summary

On March 22, 2026, Huntress identified a campaign in which digitally signed adware from Dragon Boss Solutions LLC disabled antivirus protections on more than 23,500 endpoints across 124 countries. The software, which falls into the category of potentially unwanted programs (PUPs), used its own update mechanism to deploy malicious payloads with SYSTEM privileges. The updater, built with Advanced Installer, executed PowerShell scripts that disabled security products from vendors including Malwarebytes and Kaspersky. The payloads were disguised as benign files, and the update infrastructure relied on a domain that was unregistered at the time, so anyone could have registered it and pushed their own updates to every installed endpoint: a supply chain risk in its own right. Huntress has since registered the domain to prevent that. The campaign primarily affected the education, utilities, government, and healthcare sectors.

Key Points:

  • Over 23,500 endpoints were compromised globally by signed adware from Dragon Boss Solutions.
  • The adware's update mechanism deploys malicious payloads that disable antivirus software.
  • Huntress registered the abandoned update domain to prevent further exploitation.

Key Entities

  • Malware (attack_type)
  • Supply Chain Attack (attack_type)
  • Dragon Boss Solutions LLC (company)
  • Canada (country)
  • France (country)
  • Germany (country)
  • United Arab Emirates (country)
  • activation-v2.kaspersky.com (domain)
  • chromsterabrowser.com (domain)
  • data.service.malwarebytes.com (domain)
  • downloads.malwarebytes.com (domain)
  • urlscan.io (domain)
  • Energy (industry)
  • Government (industry)
  • Healthcare (industry)
  • Artificius Browser (malware)
  • Chromnius (malware)
  • Chromstera Browser (malware)
  • Dragon Boss Solutions (malware)
  • Web Genius (malware)
  • T1012 - Query Registry (mitre_attack)
  • T1036 - Masquerading (mitre_attack)
  • T1047 - Windows Management Instrumentation (mitre_attack)
  • T1053 - Scheduled Task/Job (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • Windows (platform)
  • 26ddd0712a101b27b018658b4072ad56bb4083026c797b0345b2cce43862fc83 (sha256)
  • 40ac30ce1e88c47f317700cc4b5aa0a510f98c89e11c32265971564930418372 (sha256)
  • 909539d3ef8dedc3be56381256713fa5545cc7fd3d3d0e0428f7efb94a7e71cb (sha256)
  • Advanced Installer (tool)
  • Binary.AICustAct.dll (tool)
  • Binary.PowerShellScriptLauncher.dll (tool)
  • Binary.SoftwareDetector.dll (tool)
  • ClockRemoval.ps1 (tool)
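The behaviour described in the summary (an Advanced Installer updater running PowerShell as SYSTEM to tamper with Malwarebytes and Kaspersky, plus the hashes and update domain listed above) can be turned into a small offline hunt. The script below is an added example, not Huntress's tooling or anything published with this report. It assumes that the PowerShell custom action surfaces in process telemetry as powershell.exe spawned by msiexec.exe under NT AUTHORITY\SYSTEM, uses Sysmon-style field names, and runs over constructed sample events; the command lines, paths and service names in those samples are made up for illustration.

```python
"""
Added example (not from the page or Huntress): an offline hunt over constructed
process-creation and DNS events for the behaviour the summary describes.
Field names mimic Sysmon event 1 (process) and event 22 (DNS). The assumption
that the Advanced Installer PowerShell custom action appears as powershell.exe
with msiexec.exe as parent, running as SYSTEM, is ours and should be validated
against your own telemetry.
"""
import re

# Indicators taken from the Key Entities list on this page.
IOC_SHA256 = {
    "26ddd0712a101b27b018658b4072ad56bb4083026c797b0345b2cce43862fc83",
    "40ac30ce1e88c47f317700cc4b5aa0a510f98c89e11c32265971564930418372",
    "909539d3ef8dedc3be56381256713fa5545cc7fd3d3d0e0428f7efb94a7e71cb",
}
IOC_DOMAINS = {"chromsterabrowser.com"}

# Security products named in the summary; lowercase substring match.
AV_TERMS = ("malwarebytes", "kaspersky")
# Verbs that indicate tampering with a service or product (assumed list).
TAMPER_RE = re.compile(
    r"(stop-service|set-service|sc(\.exe)?\s+(stop|config|delete)|"
    r"uninstall|remove-item|taskkill|disable)", re.IGNORECASE)

SYSTEM_USER = "NT AUTHORITY\\SYSTEM"


def classify_event(ev):
    """Return the names of every rule a single event matches (may be empty)."""
    hits = []
    if ev.get("kind") == "process":
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()
        cmd = ev.get("CommandLine", "")
        # Rule 0: file hash is one of the published indicators.
        if ev.get("SHA256", "").lower() in IOC_SHA256:
            hits.append("ioc_hash")
        # Rule 1: PowerShell as SYSTEM, spawned by the MSI custom-action host.
        if (image.endswith("\\powershell.exe")
                and ev.get("User") == SYSTEM_USER
                and parent.endswith("\\msiexec.exe")):
            hits.append("system_powershell_from_msi")
        # Rule 2: command line names an AV product together with a tamper verb.
        if any(t in cmd.lower() for t in AV_TERMS) and TAMPER_RE.search(cmd):
            hits.append("av_tamper_cmdline")
    elif ev.get("kind") == "dns":
        # Rule 3: lookup of the (formerly unregistered) update domain.
        if ev.get("QueryName", "").lower() in IOC_DOMAINS:
            hits.append("ioc_domain")
    return hits


def hunt(events):
    """Return {event_id: [rule, ...]} for every event matching at least one rule."""
    findings = {}
    for ev in events:
        matched = classify_event(ev)
        if matched:
            findings[ev["id"]] = matched
    return findings


# Constructed sample telemetry (not real captured data).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSI = r"C:\Windows\System32\msiexec.exe"
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process", "Image": MSI,
     "ParentImage": r"C:\Windows\System32\services.exe", "User": SYSTEM_USER,
     "CommandLine": "msiexec.exe /V", "SHA256": "aa" * 32},
    {"id": 2, "kind": "process", "Image": PS, "ParentImage": MSI,
     "User": SYSTEM_USER, "SHA256": "bb" * 32,
     "CommandLine": "powershell.exe -ep bypass -File C:\\Windows\\Temp\\ClockRemoval.ps1"},
    {"id": 3, "kind": "process", "Image": PS, "ParentImage": MSI,
     "User": SYSTEM_USER,
     "SHA256": "909539d3ef8dedc3be56381256713fa5545cc7fd3d3d0e0428f7efb94a7e71cb",
     "CommandLine": 'powershell.exe -c "Stop-Service MBAMService; '
                    'Get-Package *Malwarebytes* | Uninstall-Package"'},
    {"id": 4, "kind": "process", "Image": PS,  # benign admin query, not flagged
     "ParentImage": r"C:\Windows\explorer.exe", "User": "DESKTOP\\alice",
     "CommandLine": "powershell.exe Get-Service kaspersky*", "SHA256": "cc" * 32},
    {"id": 5, "kind": "dns", "QueryName": "chromsterabrowser.com"},
    {"id": 6, "kind": "dns", "QueryName": "downloads.malwarebytes.com"},
]

if __name__ == "__main__":
    for eid, rules in sorted(hunt(SAMPLE_EVENTS).items()):
        print(eid, rules)
```

Rule 1 on its own will fire on any MSI that uses a PowerShell custom action, so treat it as a pivot rather than an alert; the combination of rule 1 with rule 2 or rule 0 on the same host is what matches this report. Vendor-specific domains in the entity list (the malwarebytes.com and kaspersky.com hosts) are almost certainly contacted by the legitimate products as well, which is why the example keys only on chromsterabrowser.com.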