A digitally signed software operation tied to Dragon Boss Solutions LLC has been linked to the disabling of antivirus protections on more than 23,000 endpoints worldwide, raising concerns that what had been treated as aggressive adware was operating much closer to a supply-chain style threat. Security researchers said infected machines were found checking in from 124 countries, with affected systems present in education, government, utilities, healthcare and other high-value networks.
The activity came to wider attention after Huntress said it investigated suspicious alerts on 22 March and found signed executables using a software update mechanism to hide a multi-stage attack chain. According to the researchers, the software was signed by Dragon Boss Solutions LLC, a company described in public business listings as being involved in search monetisation research and previously associated with browser-like tools commonly classified by security vendors as potentially unwanted programs.
What makes the case more serious than a standard unwanted application is the way the update process allegedly worked. Huntress said the signed software fetched and ran installer and PowerShell payloads with SYSTEM privileges, allowing the operation to tamper with security tools at a deep level. BleepingComputer, citing the same Huntress research, reported that the payload chain used the commercial Advanced Installer framework to deliver MSI packages and scripts in a manner designed to remain silent, frequent and difficult for users to interrupt.
Researchers said the core script, named ClockRemoval.ps1, was built to target well-known security products including Malwarebytes, Kaspersky, McAfee and ESET. It allegedly stopped services, killed processes, deleted installation directories and registry entries, triggered uninstallers where possible, and then modified the hosts file to block access to antivirus vendor domains. Huntress also said the malware added persistence through Windows Management Instrumentation subscriptions and scheduled tasks so that the tampering would reappear at boot, logon and at regular intervals.
That combination of persistence, privilege and code signing is central to why the case stands out. Signed software often benefits from a presumption of legitimacy inside enterprise environments, and the Dragon Boss samples appear to have exploited that trust. Huntress said the binaries it tracked included names such as RaceCarTwo.exe and other pseudo-randomly named programs installed in repeated directory patterns, suggesting automated large-scale distribution. The firm also reported seeing a Dragon Boss code-signing certificate on modified Chrome binaries launched with a flag intended to suppress browser auto-updates, a detail that raises wider questions about user exposure to unpatched software.
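As an added example, not code from the Huntress research or from this article, the PowerShell triage script below checks a single Windows host for the indicator classes described in the two preceding paragraphs: hosts-file entries that name antivirus vendor domains, permanent WMI event subscriptions and scheduled tasks that launch PowerShell scripts, executables Authenticode-signed by a certificate whose subject contains "Dragon Boss", and cached DNS lookups for the two update domains. Only the domain names chromsterabrowser[.]com and worldwidewebframework3[.]com, the script name ClockRemoval.ps1 and the signer name come from the reporting; the vendor domain list, the directories scanned and the match patterns are assumptions made for this example.

```powershell
# Added triage script (example only; not from Huntress or the article). Run from an elevated prompt.
# Assumptions: the AV vendor domain list, the directories scanned and the use of
# 'ClockRemoval' and 'Dragon Boss' as match patterns are illustrative choices.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Hosts file: flag any non-comment line that names an antivirus vendor domain.
#    The domain list is an assumption, not the list the malware used.
$avDomains = @('malwarebytes.com', 'kaspersky.com', 'mcafee.com', 'eset.com')
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in (Get-Content -Path $hostsPath)) {
    if ($line -match '^\s*#' -or $line.Trim() -eq '') { continue }
    foreach ($d in $avDomains) {
        if ($line -match [regex]::Escape($d)) { $findings.Add("hosts: $($line.Trim())") }
    }
}

# 2. Permanent WMI event subscriptions: flag CommandLineEventConsumers that launch
#    PowerShell, a .ps1 file, or the script name named in the report.
$ns = 'root/subscription'
foreach ($c in (Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer)) {
    if ($c.CommandLineTemplate -match 'powershell|\.ps1|ClockRemoval') {
        $findings.Add("wmi-consumer: $($c.Name) -> $($c.CommandLineTemplate)")
    }
}

# 3. Scheduled tasks: list every action that runs PowerShell with a .ps1 script.
#    This is a broad net and the hits need analyst review; legitimate admin tasks match too.
foreach ($t in (Get-ScheduledTask)) {
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'powershell' -and $cmd -match '\.ps1') {
            $findings.Add("task: $($t.TaskPath)$($t.TaskName) -> $cmd")
        }
    }
}

# 4. Authenticode: find executables in user-writable locations signed by the reported publisher.
#    A Valid status does not clear the file; the signer identity is the indicator here.
$roots = @($env:ProgramData, $env:LOCALAPPDATA) | Where-Object { $_ }
foreach ($exe in (Get-ChildItem -Path $roots -Filter *.exe -Recurse -File)) {
    $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
    if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -match 'Dragon Boss') {
        $findings.Add("signer: $($exe.FullName) [$($sig.Status)]")
    }
}

# 5. DNS client cache: a cached entry for either update domain means the host has beaconed
#    recently, regardless of whether the answer now points at the Huntress sinkhole.
$updateDomains = @('chromsterabrowser.com', 'worldwidewebframework3.com')
foreach ($e in (Get-DnsClientCache)) {
    if ($updateDomains -contains $e.Entry) {
        $findings.Add("dns-cache: $($e.Entry) -> $($e.Data)")
    }
}

if ($findings.Count -eq 0) { Write-Output 'No indicators found.' }
else { $findings | ForEach-Object { Write-Output $_ } }
```

Each output line is prefixed with the indicator class it came from. A hosts-file entry for a vendor domain or a CommandLineEventConsumer that launches PowerShell is rarely benign on a managed endpoint; the scheduled-task and signer checks are deliberately broad and should be read alongside the vendor's published indicators rather than treated as proof on their own.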
The reported scale of exposure has sharpened those concerns. Huntress said that after registering and sinkholing one of the unclaimed update domains, it observed tens of thousands of endpoints reaching out for instructions. BleepingComputer put the single-day volume at more than 23,500 infected hosts, while Huntress described the wider exposure as affecting more than 25,000 endpoints. The difference appears to reflect separate measurement snapshots rather than a contradiction over the broader scale of the campaign.
The most alarming element may be the infrastructure weakness built into the operation itself. Huntress said the primary update domain, chromsterabrowser[.]com, as well as a fallback domain, worldwidewebframework3[.]com, had not been registered when the campaign was analysed. That meant any outside actor willing to buy the domain names could potentially have issued arbitrary updates to already infected hosts. Researchers said they moved first, registering the domains and directing traffic into sinkholes to prevent a more destructive takeover.
Evidence of exposure inside sensitive networks adds another layer of concern. BleepingComputer reported that researchers identified 324 infected hosts in high-value environments, including 221 academic institutions, 41 operational technology networks in energy and transport, 35 municipal governments, state agencies and public utilities, 24 primary and secondary educational institutions, and three healthcare organisations, along with networks tied to multiple Fortune 500 companies. That distribution suggests the software had travelled well beyond consumer nuisance territory.
Dragon Boss Solutions’ website was offline when other outlets attempted to reach the company, and no response was publicly documented in the material reviewed. Huntress said antivirus vendors had historically tracked the company’s signed software as adware or browser-hijacking PUPs, but its findings argue that the label understates the risk when such software can silently remove protections and keep an update channel open for follow-on abuse.