
Hackers have created sneaky software that can turn off antivirus programs on over 25,000 computers around the world. They did this by using a real certificate to make their software look safe and by taking advantage of a poorly protected update system. This is a big problem because it can lead to even worse attacks in the future.
What Happened
Researchers at Huntress uncovered a sophisticated threat disguised as adware, attributed to Dragon Boss Solutions LLC. This threat, originating from a domain that could be purchased for as little as $10, could have given hackers control over more than 25,000 compromised endpoints worldwide. In a single day, researchers observed more than 23,500 infected hosts in 124 countries trying to connect to the operator's infrastructure, with hundreds of infected endpoints present in high-value networks. The campaign employed a legitimate code-signing certificate and an unsecured software update channel, which malicious actors exploited to issue malicious updates.
Huntress analysts first observed the antivirus-killing behavior in late March 2025, although the underlying loaders had been present on some hosts since late 2024. The malware uses Advanced Installer to poll remote servers for updates, executing a script called ClockRemoval.ps1 with SYSTEM privileges to target products from major antivirus vendors including Malwarebytes, Kaspersky, McAfee, and ESET.
Who's Being Targeted
The malware has affected a wide range of organizations, including 245 educational institutions across North America, Europe, and Asia, 41 operational technology (OT) networks, 35 government entities, and three healthcare organizations. The scale of infection is alarming, particularly within sensitive sectors such as critical infrastructure and Fortune 500 companies. The infections spanned 124 countries, with the United States accounting for approximately 54% of connections, followed by France, Canada, the UK, and Germany.
How It Works
The malware's deployment mechanism is particularly concerning. It utilizes an update process from the commercial Advanced Installer authoring tool to deploy MSI and PowerShell payloads silently and with elevated privileges. The update mechanism retrieves an MSI payload disguised as a GIF image, which is flagged as malicious by only five security vendors on VirusTotal. The MSI installer conducts reconnaissance on the infected system, checking for admin status, detecting virtual machines, and querying the registry for installed antivirus products.
Before deploying its full capabilities, the payload establishes five scheduled tasks and WMI event subscriptions to maintain persistence across reboots, logons, and at 30-minute intervals. The script modifies registry entries, runs vendor uninstallers silently, and alters the Windows hosts file to redirect AV update domains to 0.0.0.0, effectively disabling antivirus protections. The misconfigured update path has facilitated a multi-stage attack chain, allowing for the clandestine retrieval and execution of antivirus-killing payloads.
Signs of Infection
Indicators of compromise (IoCs) include:
Infected systems attempting
Disabled antivirus software
Scheduled tasks and
A tight polling
How to Protect Yourself
Organizations are urged to take immediate action. Huntress registered the domain before it could be exploited by malicious actors and pointed it to a sinkhole to monitor the traffic. Huntress observed around 25,000 unique IP addresses reaching out for updates, with the United States having the highest number of infected hosts. However, the researchers warn that the mechanism to introduce far more dangerous payloads onto infected systems is in place and could be leveraged at any time to escalate the attacks.
Detection
1. Monitor network traffic for connections to suspicious domains.
2. Implement endpoint protection solutions to detect and block this malware.
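One host-level check that complements the two points above is to look for the hosts-file tampering described under How It Works, where AV update domains are pointed at 0.0.0.0. The script below is an added example written for this article, not code from Huntress or from the report; it parses hosts-file text, flags any non-localhost name mapped to 0.0.0.0 or a loopback address, and marks names containing the vendor keywords the article lists. The vendor keywords and the sample hosts content are constructed assumptions, not the vendors' real update hostnames.

```python
import ipaddress
from typing import List, Tuple

# Substrings for the AV vendors the report names. Illustrative only;
# these are not the vendors' real update hostnames (assumption).
AV_VENDOR_KEYWORDS = ("malwarebytes", "kaspersky", "mcafee", "eset")

def is_blackhole(addr: str) -> bool:
    """True for 0.0.0.0/:: (unspecified) or any loopback address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_unspecified or ip.is_loopback

def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from hosts-file text, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:               # one address may carry several names
            pairs.append((fields[0], name.lower()))
    return pairs

def find_sinkholed_entries(text: str) -> List[Tuple[str, str, bool]]:
    """Flag names mapped to a blackhole address, except localhost itself.
    The third field says whether the name matches a listed AV vendor."""
    findings = []
    for addr, name in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain") or name.endswith(".localhost"):
            continue
        if not is_blackhole(addr):
            continue
        findings.append((addr, name, any(k in name for k in AV_VENDOR_KEYWORDS)))
    return findings

# Constructed sample: stock entries plus tampered lines of the kind described.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 updates.example-malwarebytes.invalid   # constructed AV update name
0.0.0.0 dnl-01.example-eset.invalid
127.0.0.1 telemetry.example.invalid
10.0.0.5 intranet.example.invalid
"""

if __name__ == "__main__":
    for addr, name, av in find_sinkholed_entries(SAMPLE_HOSTS):
        print(f"{'AV-UPDATE' if av else 'BLACKHOLE'} {name} -> {addr}")
```

On a live Windows host, feed it the contents of C:\Windows\System32\drivers\etc\hosts; any AV-UPDATE hit on a machine that did not deliberately block those names warrants a look at the scheduled tasks and WMI subscriptions the article describes.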
Removal
Conclusion
This incident highlights the evolving nature of malware and the importance of vigilance in cybersecurity. The use of a signed software certificate and the exploitation of an unsecured update channel significantly elevate the threat level, as they allow the malware to bypass traditional security measures. Organizations must remain proactive in their defense strategies to combat such threats effectively. The potential for widespread impact underscores the need for robust security measures and continuous monitoring of systems.
The use of a legitimate code-signing certificate in conjunction with a misconfigured update path highlights the critical vulnerabilities in software supply chains, emphasizing the need for organizations to scrutinize their update mechanisms and security protocols.