Digitally Signed Adware Disables Antivirus Protections on Thousands of Endpoints

A sophisticated campaign leveraging digitally signed adware has successfully infiltrated thousands of computer systems worldwide, disabling critical antivirus protections and operating with elevated SYSTEM privileges. Security researchers at Huntress detected the widespread threat on March 22, 2026, observing over 23,500 infected hosts across 124 countries attempting to connect to the attacker’s infrastructure within a single 24-hour period. A concerning number of these compromised endpoints were identified within high-value networks, including those in the educational, utilities, government, and healthcare sectors, raising significant alarms about potential data breaches and operational disruptions.

The deceptive nature of this operation lies in its use of software initially categorized as Potentially Unwanted Programs (PUPs) or adware. While typically viewed as a nuisance rather than a direct threat, these programs are designed to generate revenue for their developers through intrusive advertisements, browser redirects, and other monetization schemes. However, the adware identified in this campaign, developed and distributed by an entity operating under the name Dragon Boss Solutions LLC, has evolved beyond mere annoyance. This company, which claims to be involved in "search monetization research," promotes a suite of tools, including browsers like Chromstera Browser, Chromnius, WorldWideWeb, Web Genius, and Artificius Browser, all of which are flagged as PUPs by multiple security solutions.

A Deeper Dive into the Malicious Mechanism

Huntress researchers uncovered that the sophistication of this campaign stems from an advanced update mechanism, ingeniously integrated into the adware. This mechanism, built upon the commercial Advanced Installer authoring tool, was exploited to deploy both MSI (Microsoft Installer) and PowerShell payloads. The configuration files for this update process revealed a deliberate design for stealth and persistence. Operators configured the process with flags that ensured complete silence, eliminating any user interaction requirements. Crucially, the payloads were installed with the highest level of privileges, SYSTEM, effectively granting them unfettered access to the operating system. Furthermore, the mechanism was designed to prevent users from disabling automatic updates and to check for new updates with alarming frequency, ensuring continuous control for the attackers.

Signed software abused to deploy antivirus-killing scripts

The update process retrieves an MSI payload, masquerading as a GIF image, named "Setup.msi." At the time of the initial discovery, this file was only flagged as malicious by a limited number of security vendors on VirusTotal, underscoring its ability to evade initial detection. This MSI payload contains legitimate DLLs that are standard components of Advanced Installer, utilized for tasks such as executing PowerShell scripts, scanning for specific software on the system, and executing custom actions defined in a separate file labeled "!_StringData." This file acts as the instruction manual for the installer, detailing its operational sequence.

The Antivirus Killer Component

Before deploying its primary malicious functions, the MSI installer initiates a reconnaissance phase. This involves a series of checks, including verifying administrator privileges, detecting virtual machine environments (a common tactic to avoid analysis in sandboxes), confirming internet connectivity, and querying the Windows Registry for installed antivirus products. Specifically, the installer targets protections from major vendors such as Malwarebytes, Kaspersky, McAfee, and ESET.

The disabling of these security products is achieved through a PowerShell script named "ClockRemoval.ps1." This script is strategically placed in two locations on the compromised system. Researchers also noted that installers for popular browsers like Opera, Chrome, Firefox, and Edge are targeted, likely to prevent any potential conflicts with the adware’s browser-hijacking capabilities.

The "ClockRemoval.ps1" script is designed for persistent execution. It runs routines at system boot, during user logon, and at 30-minute intervals. Its primary objective is to ensure that antivirus products are permanently removed from the system. This is accomplished through a multi-pronged approach: stopping security-related services, terminating malicious processes, deleting installation directories and registry entries, silently executing vendor-specific uninstallers, and, as a last resort, forcefully deleting files when uninstallers fail.


Beyond mere disabling, the script also takes measures to prevent the reinstallation or updating of security products. It achieves this by modifying the hosts file to block communication with vendor domains and by null-routing these domains, effectively redirecting all traffic intended for them to the non-routable IP address 0.0.0.0. This creates a robust barrier against any attempts by the user or legitimate security software to re-establish protection.

A Campaign of Scale and Potential Escalation

The campaign’s command and control infrastructure was managed through specific domains. Huntress analysts discovered that the primary update domain, "chromsterabrowser[.]com," and a fallback domain, "worldwidewebframework3[.]com," were not registered by the operator. This oversight presented a unique opportunity for researchers. By registering the main update domain, Huntress was able to observe "tens of thousands of compromised endpoints reach out looking for instructions." This alarming observation highlights the vast reach of the campaign and the potential for the attackers to deploy virtually any payload on these unprotected machines.

The sheer scale of the operation is evident in the data collected. In a single day, researchers identified 324 infected hosts within networks deemed "high-value." While the original article did not specify the exact nature of these high-value networks beyond general sectors, the implications are significant. A breach in government or healthcare could expose sensitive citizen data or patient records, while compromises in utility sectors could lead to infrastructure disruptions.

Efforts to contact Dragon Boss Solutions LLC for comment proved unsuccessful, as their website is no longer operational, suggesting a potential shutdown or evasion tactic by the perpetrators.


Broader Implications and Future Threats

The existence of this campaign serves as a stark warning. While the current payload focuses on disabling antivirus software, the underlying mechanism is designed to facilitate the delivery of far more dangerous payloads. The infrastructure is already in place, and the compromised endpoints are left completely vulnerable, making them prime targets for ransomware, data theft, or other malicious activities.

The fact that the primary update domain was left unregistered is particularly concerning. It opens the door for malicious actors to seize control of this established infrastructure and direct thousands of already compromised machines to new, potentially devastating, command-and-control servers. This scenario represents a significant threat, as the attackers would inherit a ready-made botnet with no security measures in place.

Recommendations for Mitigation and Detection

In response to this threat, Huntress has provided specific recommendations for system administrators to identify and mitigate the infection:

  • WMI Event Subscriptions: Administrators should scrutinize Windows Management Instrumentation (WMI) event subscriptions for entries containing "MbRemoval" or "MbSetup." These often indicate attempts to remove or interfere with security software.
  • Scheduled Tasks: A review of scheduled tasks for any references to "WMILoad" or "ClockRemoval" is advised, as these are associated with the malicious script’s persistence mechanisms.
  • Process Signatures: System administrators should look for running processes signed by "Dragon Boss Solutions LLC." This signature is a direct indicator of the adware’s presence.
  • Hosts File Analysis: Examining the hosts file for entries that block the domains of antivirus vendors is a crucial step. This indicates the script’s attempt to prevent communication with legitimate security updates and support.
  • Microsoft Defender Exclusions: For systems protected by Microsoft Defender, administrators should check for suspicious exclusions added to the Defender configuration. Paths such as "DGoogle," "EMicrosoft," or "DDapps" have been observed in these malicious configurations.
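The following PowerShell is an added, defender-side example (not code from Huntress or the article) that runs the five checks above read-only, including the hosts-file null-routing described earlier, and lists anything that matches. The function name, the vendor name fragments used in the hosts-file regex, and the loopback (127.0.0.1) match are assumptions; the indicator strings themselves are the ones named in the recommendations.

```powershell
# Added example (not Huntress' or the article's code): read-only triage of the
# five indicators above. Run from an elevated PowerShell session on the host.
function Find-AdwareIndicators {
    $findings = @()

    # 1. WMI event subscriptions referencing MbRemoval / MbSetup
    $wmiPattern = 'MbRemoval|MbSetup'
    foreach ($cls in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer', '__EventFilter') {
        Get-CimInstance -Namespace root\subscription -ClassName $cls -ErrorAction SilentlyContinue |
            Where-Object { ($_.Name, $_.CommandLineTemplate, $_.ScriptText, $_.Query) -match $wmiPattern } |
            ForEach-Object { $findings += "WMI $cls : $($_.Name)" }
    }

    # 2. Scheduled tasks referencing WMILoad / ClockRemoval in the task name or its actions
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $text = "$($_.TaskName) $($_.Actions.Execute) $($_.Actions.Arguments)"
        if ($text -match 'WMILoad|ClockRemoval') { $findings += "Task: $($_.TaskPath)$($_.TaskName)" }
    }

    # 3. Running processes whose image is Authenticode-signed by Dragon Boss Solutions LLC
    Get-Process -ErrorAction SilentlyContinue | Where-Object Path |
        Select-Object -ExpandProperty Path -Unique | ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_ -ErrorAction SilentlyContinue
            if ($sig.SignerCertificate.Subject -match 'Dragon Boss Solutions') { $findings += "Signed process: $_" }
        }

    # 4. hosts entries null-routing (0.0.0.0) or loopback-redirecting AV vendor domains.
    #    Vendor name fragments are an assumption drawn from the vendors the article names.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+\S*(malwarebytes|kaspersky|mcafee|eset)' } |
        ForEach-Object { $findings += "hosts: $($_.Trim())" }

    # 5. Defender path/process exclusions containing the fragments reported in the article
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    @($pref.ExclusionPath) + @($pref.ExclusionProcess) |
        Where-Object { $_ -match 'DGoogle|EMicrosoft|DDapps' } |
        ForEach-Object { $findings += "Defender exclusion: $_" }

    return $findings
}

$hits = Find-AdwareIndicators
if ($hits) { $hits | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No indicators found.' }
```

Any hit is a lead for a full host investigation, not a verdict on its own; the Defender exclusion and hosts-file checks in particular will miss variants that use other strings.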

The widespread deployment of this digitally signed adware, capable of disabling core security protections, underscores a significant shift in the tactics, techniques, and procedures (TTPs) employed by cybercriminals. The ability to leverage seemingly benign software and exploit legitimate installation tools for malicious purposes presents a formidable challenge to existing security frameworks. Organizations across all sectors must remain vigilant, implement robust endpoint detection and response (EDR) solutions, and ensure their security teams are equipped to identify and respond to such sophisticated and evolving threats. The silent disabling of antivirus on such a massive scale highlights a critical vulnerability that, if left unaddressed, could pave the way for catastrophic cyberattacks.
