Dragon Boss breach widens supply chain alarm

What looked like a nuisance adware issue inside managed IT environments has emerged as a broader cyber-security warning, after Huntress said software signed by Dragon Boss Solutions LLC exposed more than 25,000 endpoints to a supply-chain-style compromise through an insecure update mechanism that could have been hijacked for the price of a cheap domain registration. Huntress published its findings on April 14, saying the software fetched and ran payloads with SYSTEM-level privileges while also disabling security products on affected machines.

The case is drawing attention because it blends three risks that security teams usually treat separately: adware, code-signed software and supply-chain exposure. Huntress said the executables, signed by Dragon Boss Solutions LLC, used an off-the-shelf updater to pull MSI and PowerShell-based payloads, establish WMI persistence and block protective tools from being reinstalled. Researchers said one of the update domains configured in the software, chromsterabrowser[.]com, was unregistered. Since a cheap domain registration was all that stood between an outsider and that channel, whoever registered the name could have pushed almost any payload to infected hosts, executed with the same SYSTEM privileges the updater already used. Huntress said it registered and sinkholed the domain before that could happen.

That is the point at which an aggressive potentially unwanted program stopped looking like a routine clean-up job and started resembling a dormant distribution channel for something far more destructive. Huntress said the infrastructure already had the ability to disable antivirus tools, and warned that the same channel could just as easily have been used to deliver ransomware, cryptominers or information-stealing malware. Cybernews, which summarised the disclosure on April 15, said the exposure hinged on a trusted-looking application left open to what amounted to a low-cost supply-chain hijack.
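A check a defender can run against the hosts an updater is configured to call, written here as an added example in PowerShell; it is not Huntress's tooling. The host list is constructed for illustration: chromsterabrowser.com is the name from the report (which Huntress says it has since registered and sinkholed, so it should now come back as registered), example.com is a registered control, and the .invalid entry exercises the failure branch. It assumes outbound DNS and HTTPS, and that the rdap.org redirector returns HTTP 404 for a domain with no registration record.

```powershell
# Added example (not Huntress's code): is every host an updater calls still registered to someone?
# Constructed input: chromsterabrowser.com is the name from the report (since registered and
# sinkholed by Huntress, so expect 'registered' today); example.com is a registered control;
# updates.example.invalid never resolves and exercises the failure branch.
# Assumption: https://rdap.org/domain/<name> answers 404 for a domain with no registration record.
$UpdateHosts = @(
    'chromsterabrowser.com',
    'example.com',
    'updates.example.invalid'
)

function Get-RegistrableDomain {
    param([string]$HostName)
    # Simplification (assumption): the last two labels are the registrable domain. Names under
    # multi-label public suffixes such as co.uk need a Public Suffix List lookup, omitted here.
    $labels = $HostName.TrimEnd('.').ToLowerInvariant().Split('.')
    if ($labels.Count -le 2) { return ($labels -join '.') }
    return ($labels[-2..-1] -join '.')
}

function Test-UpdateDomain {
    param([string]$HostName)
    $domain = Get-RegistrableDomain $HostName
    $r = [ordered]@{ Host = $HostName; Domain = $domain; Dns = ''; Rdap = ''; Verdict = '' }

    # DNS first: NXDOMAIN for the registrable domain itself is the cheap warning sign,
    # but a registered domain with no delegation also fails here, so it is not conclusive.
    try {
        $null = Resolve-DnsName -Name $domain -Type NS -DnsOnly -ErrorAction Stop
        $r.Dns = 'NS present'
    } catch {
        $r.Dns = 'lookup failed: ' + $_.Exception.Message.Trim()
    }

    # RDAP: registration data independent of delegation. 404 means no registry record exists,
    # which is the condition under which anyone can register the name and own the update channel.
    try {
        $null = Invoke-RestMethod -Uri "https://rdap.org/domain/$domain" -ErrorAction Stop
        $r.Rdap = 'registered'
    } catch {
        $status = $_.Exception.Response.StatusCode.value__
        $r.Rdap = if ($status -eq 404) { 'no registration record' } else { "query failed ($status)" }
    }

    $r.Verdict = if ($r.Rdap -eq 'no registration record') { 'DANGLING: register it or remove it from the updater' }
                 elseif ($r.Dns -like 'lookup failed*')    { 'registered but not resolving: review' }
                 else                                       { 'ok' }
    [pscustomobject]$r
}

$UpdateHosts | ForEach-Object { Test-UpdateDomain $_ } | Format-Table -AutoSize -Wrap
```

The RDAP step matters because an NXDOMAIN answer alone does not prove a name is unregistered: a registered but undelegated domain fails DNS the same way yet cannot be taken over. Only a missing registration record is the takeover condition, and that is what the verdict keys on.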

The technical detail has sharpened concern. Huntress traced one infection chain from a signed executable called RaceCarTwo.exe to an MSI package that launched a PowerShell script named ClockRemoval.ps1. According to the researchers, that script created multiple scheduled tasks running as SYSTEM, set up WMI-based persistence and maintained a targeted kill list for security software including Malwarebytes, Kaspersky, McAfee and ESET. It also watched for installer activity and worked to neutralise defensive tools quickly after boot. The use of SYSTEM privileges, silent updates and persistence at both task and WMI level made the software unusually potent for a program outwardly presented as monetisation software.
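A triage script for the persistence described above, added here as an example in PowerShell; it is not Huntress's tooling and does not reproduce ClockRemoval.ps1. It enumerates permanent WMI event subscriptions, lists scheduled tasks that run as SYSTEM and launch an interpreter or installer, reports the Authenticode signer of each launched binary, and reads any referenced .ps1 for the kill-list product names the report gives. The command-line patterns and the exclusion of tasks under \Microsoft\ are the author's heuristics, not indicators from the report.

```powershell
# Added hunt for the persistence pattern in the report; illustrative, not Huntress's tooling.
# Product names in $KillListPattern and the 'Dragon Boss' signer check come from the article;
# the command-line heuristics and the exclusion of \Microsoft\ tasks are the author's assumptions.
# Run in an elevated session on the host under triage (Windows PowerShell 5.1 or PowerShell 7).
$KillListPattern = 'Malwarebytes|Kaspersky|McAfee|ESET'
$SuspectExe  = '(powershell|pwsh|msiexec|wscript|cscript|mshta|cmd)(\.exe)?$'
$SuspectArgs = '-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|-(ep|executionpolicy)\s+bypass|\.ps1|\.msi|downloadstring|iex\b'
$Findings    = [System.Collections.Generic.List[object]]::new()

function Get-SignerSummary {
    param([string]$Path)
    # A valid Authenticode signature says who signed, not whether to trust them: report the subject.
    if (-not [System.IO.Path]::IsPathRooted($Path)) {
        $Path = (Get-Command $Path -ErrorAction SilentlyContinue | Select-Object -First 1).Source
        if (-not $Path) { return 'not found' }
    }
    if (-not (Test-Path -LiteralPath $Path)) { return 'not found' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    return "$($sig.Status): $subject"
}

function Add-Finding($Type, $Name, $Detail, $Signer = '') {
    $Findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail; Signer = $Signer })
}

# 1. Permanent WMI event subscriptions in root\subscription. A filter is the trigger (a WQL query,
#    commonly a timer or process-start event); a consumer is the action. CommandLine and
#    ActiveScript consumers run as SYSTEM and are the classic WMI persistence primitive.
Get-CimInstance -Namespace root\subscription -ClassName __EventFilter -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMI filter' $_.Name $_.Query }
Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The payload property depends on the concrete class: CommandLineTemplate or ScriptText.
        $cmd = ($_.CimInstanceProperties |
                Where-Object Name -in @('CommandLineTemplate', 'ScriptText') |
                ForEach-Object Value) -join ' '
        Add-Finding "WMI consumer ($($_.CimClass.CimClassName))" $_.Name $cmd
    }

# 2. Scheduled tasks that run as SYSTEM and launch an interpreter or installer.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Principal.UserId -match 'SYSTEM|S-1-5-18' -and $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }   # ComHandler actions carry no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
            $argString = [string]$a.Arguments
            if ($exe -notmatch $SuspectExe -and $argString -notmatch $SuspectArgs) { continue }
            Add-Finding 'SYSTEM task' ($task.TaskPath + $task.TaskName) "$exe $argString" (Get-SignerSummary $exe)

            # 3. If the action hands a script to PowerShell, read it for the kill list rather than
            #    trusting the task name; the report's ClockRemoval.ps1 is exactly this shape.
            if ($argString -match '([A-Za-z]:\\[^\s"]+\.ps1)') {
                $ps1 = $Matches[1]
                if (Test-Path -LiteralPath $ps1) {
                    $hits = Select-String -LiteralPath $ps1 -Pattern $KillListPattern -AllMatches |
                            ForEach-Object { $_.Matches.Value } | Sort-Object -Unique
                    if ($hits) { Add-Finding 'Kill list' $ps1 ($hits -join ', ') }
                }
            }
        }
    }

$Findings | Sort-Object Type | Format-Table -AutoSize -Wrap
# Any binary signed by the publisher named in the report is a direct hit; the rest is review material.
$Findings | Where-Object Signer -match 'Dragon Boss' | ForEach-Object { Write-Warning "Signer match: $($_.Name)" }
```

Two design points: the WMI step reports filters and consumers separately rather than walking __FilterToConsumerBinding, because on a clean host the root\subscription namespace normally holds none of either, so any entry is review material regardless of binding state; and the signer check deliberately prints the certificate subject next to the status, since a signature that validates as Valid is exactly what made this software look trustworthy.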

The chronology requires careful reading. Huntress said the loader and updater components date back to late 2024, while antivirus-killing capability was observed from late March 2025. It also said Windows event logs on one host showed update-related activity dating to October 2025. That sequence points to a long-running ecosystem that evolved over time rather than a single-day breach, with the April 2026 disclosure marking the point at which researchers tied together the updater design, the security-disabling payloads and the unregistered-domain risk at scale.

Dragon Boss Solutions has been linked for some time to browser-hijacking and search-monetisation software. Huntress cited a Crunchbase description saying the company focused on search monetisation for browser extensions, software and desktop applications, and placed it in Sharjah, United Arab Emirates. Separate public reports from malware-removal researchers in 2023 and 2024 described Dragon Boss-linked products and extensions as browser hijackers that changed browser settings and routed searches through Dragon Boss infrastructure. Those earlier warnings did not carry the same supply-chain implications now highlighted by Huntress, but they indicate that the company’s software family had already drawn sustained suspicion from the security community.

The episode also fits a broader trend in cyber defence. Verizon’s 2025 Data Breach Investigations Report said third-party involvement featured prominently in breaches over the preceding year, while CISA-backed supply-chain guidance has stressed the need for secure update mechanisms, signature validation and stronger control over code-signing abuse. What makes the Dragon Boss case notable is not only the presence of a signed binary, but the way trust signals, update automation and adware economics appear to have converged into a scalable enterprise risk. A tool that many administrators might dismiss as annoying software clutter instead opened a path toward mass compromise across managed environments.


