Dragon Boss Solutions Malware Exposes 25,000 Endpoints to Potential Supply Chain Attacks
- Supply chain risk: An unregistered update domain exposed over 25,000 endpoints to potential supply chain attacks before security researchers intervened.
- AV killer malware: The Dragon Boss Solutions malware actively neutralizes major security tools and establishes deep system persistence.
- Global cybersecurity risks: The infrastructure compromised high-value targets globally, transforming standard adware into a severe system-level threat.
The Dragon Boss Solutions malware operation utilized a legitimately signed potentially unwanted program (PUP) to silently deploy AV killer malware with SYSTEM privileges across thousands of networks. The adware's automated update mechanism contained a critical flaw: its primary update domain, chromsterabrowser.com, remained unregistered. This oversight created a massive supply chain attack vector.
Any threat actor who registered the domain could have pushed arbitrary, malicious payloads to more than 25,000 infected endpoints without requiring further exploitation. Security researchers successfully sinkholed the domain, preventing immediate exploitation.
Advanced Evasion Capabilities
Once installed, the Dragon Boss Solutions malware executes a PowerShell script named ClockRemoval.ps1, according to the latest Huntress report. This payload actively targets and disables prominent security products, including Malwarebytes, Kaspersky, McAfee, and ESET.
It establishes persistent access via Windows Management Instrumentation (WMI) event subscriptions and recurring scheduled tasks, ensuring the antivirus (AV) killer malware runs continuously. Furthermore, the script modifies the hosts file to block AV update domains and adds Windows Defender exclusions to protect its payload staging directories.
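As an added illustration (not code from the Huntress report or from the article), the read-only PowerShell audit below enumerates the four classes of artifact the passage above describes: permanent WMI event subscriptions, scheduled tasks that launch a script interpreter, hosts-file entries that redirect security-vendor hostnames, and Windows Defender exclusions. The vendor keyword list and the interpreter pattern are my own heuristics, not indicators from the report; the script only reads and reports, and legitimate entries (such as built-in WMI consumers) will also appear, so each finding needs a human review.

```powershell
# Added example: read-only audit for the persistence and AV-blocking artifacts
# described in the article. Run in an elevated PowerShell session on the host
# under investigation. Keyword list and interpreter pattern are assumptions.

# Vendor names taken from the article; matching on DNS labels is my heuristic.
$VendorKeywords = @('malwarebytes', 'kaspersky', 'mcafee', 'eset')
# Interpreters commonly used by script-based persistence, plus the script name
# the article reports (ClockRemoval.ps1).
$SuspiciousCommand = 'ClockRemoval|powershell|pwsh|wscript|cscript|mshta|rundll32'

$Findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding {
    param([string]$Category, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. Permanent WMI event subscriptions live in root\subscription. A filter plus a
#    consumer plus a binding is the classic fileless persistence triad.
$ns = 'root\subscription'
Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMI EventFilter' ("{0}: {1}" -f $_.Name, $_.Query) }
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMI CommandLineConsumer' ("{0}: {1}" -f $_.Name, $_.CommandLineTemplate) }
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMI ActiveScriptConsumer' ("{0}: {1}" -f $_.Name, $_.ScriptText) }
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'WMI Binding' ("{0} -> {1}" -f $_.Filter, $_.Consumer) }

# 2. Scheduled tasks whose action launches a script interpreter.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -match $SuspiciousCommand) {
            Add-Finding 'ScheduledTask' ("{0}{1}: {2}" -f $task.TaskPath, $task.TaskName, $cmd)
        }
    }
}

# 3. Hosts-file entries that pin a security-vendor hostname to any address
#    (typically loopback or 0.0.0.0) so update checks never reach the vendor.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsPath -ErrorAction SilentlyContinue | ForEach-Object {
    $line = ($_ -split '#')[0].Trim()          # drop comments
    if (-not $line) { return }
    $parts = $line -split '\s+'
    if ($parts.Count -lt 2) { return }
    $addr = $parts[0]
    foreach ($name in ($parts | Select-Object -Skip 1)) {
        $labels = $name.ToLowerInvariant().Split('.')
        if ($labels | Where-Object { $VendorKeywords -contains $_ }) {
            Add-Finding 'HostsFile' ("{0} -> {1}" -f $name, $addr)
        }
    }
}

# 4. Defender exclusions: the article says the script excludes its staging
#    directories, so any path/process/extension exclusion is worth a look.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    foreach ($item in (@($mp.ExclusionPath) + @($mp.ExclusionProcess) + @($mp.ExclusionExtension))) {
        if ($item) { Add-Finding 'DefenderExclusion' $item }
    }
}

$Findings | Sort-Object Category | Format-Table -AutoSize -Wrap
```

Run it under an elevated session, since root\subscription and Get-MpPreference need administrative rights to enumerate fully. Treat the output as a review list rather than a verdict: built-in WMI consumers, vendor-installed scheduled tasks, and intentional Defender exclusions are all normal, and the interesting finding is an entry that you did not put there, especially a hosts-file line that sends a vendor hostname to loopback or a task that runs a PowerShell script from a user-writable directory.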
CrunchBase listing for “Dragon Boss Solutions” | Source: Huntress
Based on the IP addresses observed, the telemetry identified 324 infections within high-value environments, including operational technology (OT) networks, government entities, and universities:
- 221 Universities and Colleges – Academic institutions across North America, Europe, and Asia
- 41 Operational Technology networks – Electric utilities, power cooperatives, transport networks, and critical infrastructure providers
- 35 Government entities – Municipal governments, state agencies, and public utilities
- 24 Primary and secondary educational institutions
- 3 Healthcare organizations – Hospital systems and healthcare providers
- Multiple Fortune 500 companies
Escalating Cybersecurity Risks
During a 24-hour observation period, the sinkholed domain recorded connections from thousands of unique IP addresses globally. Huntress observed the antivirus-killing capability starting in late March 2025, although the loaders and updaters dated back to late 2024.
This incident highlights the severe cybersecurity risks associated with PUPs, demonstrating how aggressively standard adware can evolve into a critical system-level vulnerability.
Last week, the NHS Scotland domain was breached to host adult content and illegal sports streams. Last year, the EPI PDF Editor tool posed as a PDF converter but instead hijacked Internet browsers.