Signed Adware Operation Disables Antivirus Across 23,000 Hosts
A signed adware campaign linked to Dragon Boss Solutions LLC has disabled antivirus on over 23,000 hosts globally, using a legitimate code-signing certificate and a PowerShell script to kill security tools from Malwarebytes, Kaspersky, McAfee, and ESET.

Researchers at Huntress have uncovered a widespread adware operation that has silently disabled antivirus software on more than 23,000 endpoints worldwide. The campaign, attributed to a company called Dragon Boss Solutions LLC, used a legitimate code-signing certificate and an off-the-shelf update mechanism to deploy a PowerShell-based payload that kills, uninstalls and blocks the reinstallation of security tools from major vendors, including Malwarebytes, Kaspersky, McAfee and ESET.
The attack chain begins with executables built with Advanced Installer that poll remote servers for MSI-based updates. Once an update is delivered, a script named ClockRemoval.ps1 runs with SYSTEM privileges. Before deploying its full capabilities, the payload checks whether it has administrative rights, detects virtual machines and queries the registry for installed security products. It then creates five scheduled tasks and Windows Management Instrumentation (WMI) event subscriptions that re-launch the payload at boot, at logon and every 30 minutes, so it persists across reboots.
A particularly aggressive loop at boot kills any matching antivirus process every 100 milliseconds for 20 seconds, terminating the security tools before they can initialize. The script also strips the vendors' registry entries, runs their uninstallers silently and edits the Windows hosts file to point antivirus update domains at 0.0.0.0, so the products can no longer reach their update servers. It adds Windows Defender exclusions for directories named DGoogle and EMicrosoft, which appear to serve as staging areas for follow-on payloads.
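As an added example, not code from Huntress or from the article, the following PowerShell triage script hunts a host for the artifacts the two paragraphs above describe: hosts-file entries that sinkhole vendor update domains to 0.0.0.0, Defender exclusions for DGoogle and EMicrosoft, permanent WMI event subscriptions, and SYSTEM scheduled tasks that launch PowerShell at boot, at logon or on a repeating interval. The vendor-name fragments, the constructed sample hosts lines and the task filters are assumptions; the article gives no task or subscription names, so the checks match on behaviour rather than on specific indicators.

```powershell
# Added triage script (illustrative, not Huntress's tooling). Hunts a Windows host for
# the artifacts the article describes. The vendor fragments, the DGoogle/EMicrosoft
# pattern and the SYSTEM+PowerShell task filter are assumptions; the article names no
# task or WMI subscription names, so everything below matches on behaviour.
#Requires -RunAsAdministrator

# Assumed fragments of vendor update domains; extend with your own telemetry.
$VendorFragments = @('malwarebytes', 'kaspersky', 'mcafee', 'eset')

# Parse hosts-file lines and return any that pin a vendor-looking name to 0.0.0.0
# or 127.0.0.1, the sinkholing technique the payload uses to block AV updates.
function Get-SinkholedHostsEntries {
    param(
        [string[]]$HostsLines,
        [string[]]$Fragments = $VendorFragments
    )
    foreach ($line in $HostsLines) {
        $clean = ($line -split '#', 2)[0].Trim()        # strip trailing comments
        if (-not $clean) { continue }
        $parts = $clean -split '\s+'
        if ($parts.Count -lt 2) { continue }
        $address = $parts[0]
        if ($address -notin @('0.0.0.0', '127.0.0.1')) { continue }
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            if ($Fragments | Where-Object { $name -like "*$_*" }) {
                [pscustomobject]@{ Address = $address; HostName = $name; Line = $line }
            }
        }
    }
}

# Constructed sample lines (not real indicators) so the parser can be exercised offline.
$SampleHosts = @(
    '# Copyright (c) 1993-2009 Microsoft Corp.',
    '127.0.0.1       localhost',
    '0.0.0.0 updates.kaspersky.example   # constructed sample',
    '0.0.0.0 repository.eset.example telemetry.mcafee.example',
    '10.0.0.5 intranet.example'
)
Get-SinkholedHostsEntries -HostsLines $SampleHosts | Format-Table -AutoSize

# 1. Live hosts file on this machine.
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-SinkholedHostsEntries -HostsLines (Get-Content -Path $HostsPath)

# 2. Defender exclusions for the staging directories the article names (requires Defender).
(Get-MpPreference).ExclusionPath | Where-Object { $_ -match 'DGoogle|EMicrosoft' }

# 3. Permanent WMI event subscriptions. Filters fire on events (a timer, a process start),
#    consumers run commands or scripts, bindings tie the two together; none of the three
#    should normally exist on a workstation, so review every hit.
foreach ($class in '__EventFilter', 'CommandLineEventConsumer', 'ActiveScriptEventConsumer', '__FilterToConsumerBinding') {
    Get-CimInstance -Namespace root\subscription -ClassName $class -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Class'; e = { $class } }, Name, Query, CommandLineTemplate, ScriptText, Filter, Consumer
}

# 4. SYSTEM scheduled tasks whose action is PowerShell, with their triggers decoded so
#    boot, logon and 30-minute repetition patterns stand out.
Get-ScheduledTask | Where-Object {
    $_.Principal.UserId -match 'SYSTEM$|S-1-5-18' -and
    ($_.Actions | Where-Object { $_.Execute -match 'powershell|pwsh' })
} | ForEach-Object {
    $task = $_
    [pscustomobject]@{
        Task     = Join-Path $task.TaskPath $task.TaskName
        Triggers = ($task.Triggers | ForEach-Object {
                $kind = $_.CimClass.CimClassName -replace '^MSFT_Task', ''
                if ($_.Repetition.Interval) { "$kind every $($_.Repetition.Interval)" } else { $kind }
            }) -join ', '
        Command  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
    }
} | Format-List
```

Run it from an elevated PowerShell session. The output is review material rather than a verdict: legitimate management agents also create SYSTEM tasks, so compare the task list and any WMI subscriptions against a known-clean build of the same image, and treat a 0.0.0.0 entry for a vendor domain or an exclusion on an unfamiliar directory as the stronger signal.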
What elevated the threat was the discovery that a primary update domain in the operation's configuration was unregistered. Huntress registered the domain before the operators could and pointed it at a sinkhole. Within 24 hours, 23,565 unique IP addresses had contacted it asking for instructions. Infections spanned 124 countries, with the US accounting for roughly 54% of connections, followed by France, Canada, the UK and Germany.
The firm identified 324 infections on high-value networks, including 221 universities and colleges, 41 operational technology networks (among them electric utilities), 35 government entities and three healthcare organizations. According to CrunchBase, Dragon Boss Solutions is based in Sharjah, United Arab Emirates, and describes itself as conducting "search monetization research." Antivirus vendors have historically classified software signed with the company's certificate as adware with browser-hijacking functionality.
While the immediate payload remains an antivirus killer, Huntress warned that the update infrastructure could deliver any payload type. With antivirus already neutralized, the operation could pivot to ransomware, cryptomining, or data theft without additional exploitation. The researchers first observed the antivirus-killing behavior in late March 2025, though the underlying loaders had been present on some hosts since late 2024.