Signed adware ships SYSTEM-level AV killer to 23,500 hosts across 124 countries
Huntress researchers traced a campaign in which signed executables from Dragon Boss Solutions LLC — marketed as PUP-tier browsers like Chromstera, Chromnius, and Artificius — carried far more than advertising payloads. The software’s update channel, built on the commercial Advanced Installer tool, silently pulled an MSI disguised as a GIF and executed it with SYSTEM privileges; the option to disable auto-updates was locked and no user prompts were shown. Reconnaissance logic checked for Malwarebytes, Kaspersky, McAfee, and ESET before running a PowerShell script, ClockRemoval.ps1, that killed AV services, wiped installation directories, ran vendor uninstallers silently, and null-routed vendor update domains via the hosts file. The script re-executed at boot, logon, and every 30 minutes to block reinstallation.
The operator failed to register the primary and fallback update domains, letting Huntress sinkhole the infrastructure. Within a single day, 23,500 endpoints in 124 countries beaconed in — including 221 academic institutions, 41 OT networks in energy and transport, 35 government and utility networks, three healthcare providers, and networks belonging to multiple Fortune 500 companies. Any attacker who had claimed the unregistered domain first could have pushed arbitrary code to every infected host, none of which still had functional endpoint protection.
The delivery mechanism is the real story: a code-signing certificate plus a legitimate installer framework produced a trusted-looking execution chain that neutralized defenses and opened a persistent remote channel on high-value networks. Defenders should hunt for WMI subscriptions referencing MbRemoval or MbSetup, scheduled tasks named WMILoad or ClockRemoval, Defender exclusions under DGoogle/EMicrosoft/DDapps, and any process signed by Dragon Boss Solutions LLC.
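A hunt script covering the indicators listed above, added here as an example and not code from Huntress or BleepingComputer; it assumes an elevated PowerShell session on a Windows endpoint with the Defender and ScheduledTasks modules available, and the hosts-file check assumes the vendor names from the summary appear in the null-routed domains.

```powershell
# Added example, not from the original article. Collects campaign indicators
# described in the summary for triage; it reports and does not remediate.
$Findings = [System.Collections.Generic.List[object]]::new()

# 1. WMI event subscriptions whose name, query or command mentions MbRemoval / MbSetup
foreach ($Class in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer', '__EventFilter') {
    Get-CimInstance -Namespace root\subscription -ClassName $Class -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Out-String) -match 'MbRemoval|MbSetup' } |
        ForEach-Object { $Findings.Add([pscustomobject]@{ Check = 'WMI subscription'; Detail = "$Class $($_.Name)" }) }
}

# 2. Scheduled tasks named WMILoad or ClockRemoval, or whose action runs ClockRemoval.ps1
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -match '^(WMILoad|ClockRemoval)$' -or
                   ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'ClockRemoval' } |
    ForEach-Object { $Findings.Add([pscustomobject]@{ Check = 'Scheduled task'; Detail = "$($_.TaskPath)$($_.TaskName)" }) }

# 3. Defender path/process exclusions under the DGoogle, EMicrosoft or DDapps directories
$Prefs = Get-MpPreference -ErrorAction SilentlyContinue
if ($Prefs) {
    @($Prefs.ExclusionPath) + @($Prefs.ExclusionProcess) |
        Where-Object { $_ -match '\\(DGoogle|EMicrosoft|DDapps)(\\|$)' } |
        ForEach-Object { $Findings.Add([pscustomobject]@{ Check = 'Defender exclusion'; Detail = $_ }) }
}

# 4. Running processes whose image is Authenticode-signed by Dragon Boss Solutions LLC
Get-Process -ErrorAction SilentlyContinue | Where-Object Path |
    Select-Object -ExpandProperty Path -Unique | ForEach-Object {
        $Sig = Get-AuthenticodeSignature -FilePath $_ -ErrorAction SilentlyContinue
        if ($Sig.SignerCertificate -and $Sig.SignerCertificate.Subject -match 'Dragon Boss Solutions') {
            $Findings.Add([pscustomobject]@{ Check = 'Signed process'; Detail = $_ })
        }
    }

# 5. Hosts-file entries that null-route AV vendor domains named in the summary (assumed name patterns)
$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $HostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+\S*(malwarebytes|kaspersky|mcafee|eset)' } |
    ForEach-Object { $Findings.Add([pscustomobject]@{ Check = 'Hosts null-route'; Detail = $_.Trim() }) }

if ($Findings.Count) { $Findings | Format-Table -AutoSize } else { 'No campaign indicators found.' }
```

Any hit should be treated as a sign that endpoint protection on the host may already be disabled, so verify AV service state before relying on it for containment.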
Continue reading at BleepingComputer. This is an AI-generated summary; read the original for the full story.