- Huntress sinkholes adware signed by Dragon Boss Solutions LLC
- Malware disabled antivirus, leaving open update domains exploitable for $10
- Tens of thousands of endpoints compromised, including universities, OT networks, governments and Fortune 500 companies
Security researchers at Huntress recently stumbled across a piece of adware that, by all accounts, should have been a boring, run-of-the-mill ad-serving nuisance. But what they found beneath the surface raised a few eyebrows and warranted a deeper investigation.
In late March 2026, Huntress was alerted to a piece of software signed by a company called Dragon Boss Solutions LLC. The company claims to work on “search monetization” (in practice it just serves unwanted ads and redirects to users), and it built an advanced update mechanism that disabled antivirus programs and prevented them from being restarted.
While analyzing how the malware worked, the researchers discovered that the threat actors had never registered either the main update domain or the backup domain. That gap was at the same time a serious risk and a huge opportunity to do good.
Breaking ties
“More troubling is that it turned out to have an open door baked right into its update configuration, one that anyone with $10 could have walked right through,” Huntress said. In other words, someone could have registered these domains and thereby taken control of a large network of infected computers.
Instead, it was Huntress that bought the domains, effectively sinkholing the update traffic from all infected hosts.
“Within hours” they saw “tens of thousands of compromised endpoints reaching out and looking for instructions that in the wrong hands could have been anything.”
By analyzing incoming IP addresses, Huntress researchers found 324 infected devices in high-value locations, including 221 academic institutions, 41 operational technology networks in the energy and transportation sectors, 35 municipal authorities, government agencies and public utilities, 24 primary and secondary educational institutions, and 3 healthcare organizations. Furthermore, networks of several Fortune 500 companies were also compromised.
To stay safe, the researchers recommend that system administrators look for WMI event subscriptions that contain “MbRemoval” or “MbSetup,” scheduled tasks that reference “WMILoad” or “ClockRemoval,” and processes signed by Dragon Boss Solutions LLC.
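The three indicators above map directly onto standard Windows administration queries. The script below is an added example (not Huntress's or TechRadar's code) that checks a single host for all three: WMI permanent event subscriptions whose filter or consumer names contain “MbRemoval” or “MbSetup”, scheduled tasks whose name or actions reference “WMILoad” or “ClockRemoval”, and running processes whose Authenticode signer subject contains “Dragon Boss Solutions LLC”. The match strings are the ones quoted in the article; everything else (variable names, the `Add-Finding` helper, the output format) is the example's own choice. It only reports, it removes nothing.

```powershell
# Added hunting script, not code from the article or from Huntress.
# Run from an elevated PowerShell session on the host you want to check.

$wmiNamePatterns  = @('MbRemoval', 'MbSetup')          # from the article
$taskNamePatterns = @('WMILoad', 'ClockRemoval')       # from the article
$signerPattern    = 'Dragon Boss Solutions LLC'        # from the article

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    # Helper chosen for this example: collects one row per hit for triage.
    param([string]$Type, [string]$Name, [string]$Detail)
    $findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
}

# 1. WMI permanent event subscriptions live in root\subscription. Querying the
#    abstract __EventConsumer class returns every concrete consumer type
#    (CommandLineEventConsumer, ActiveScriptEventConsumer, ...). We match the
#    pattern against every property value so names, queries and command lines
#    are all covered.
foreach ($class in '__EventFilter', '__EventConsumer') {
    Get-CimInstance -Namespace 'root\subscription' -ClassName $class -ErrorAction SilentlyContinue |
        ForEach-Object {
            $inst = $_
            $text = ($inst.CimInstanceProperties | ForEach-Object { "$($_.Value)" }) -join ' '
            foreach ($p in $wmiNamePatterns) {
                if ($text -like "*$p*") {
                    Add-Finding 'WMI subscription' "$class\$($inst.Name)" $text
                }
            }
        }
}

# 2. Scheduled tasks: check the task path and name plus every action's
#    executable and arguments, since the indicator may sit in either place.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $fullName   = "$($task.TaskPath)$($task.TaskName)"
    $actionText = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    $text = "$fullName $actionText"
    foreach ($p in $taskNamePatterns) {
        if ($text -like "*$p*") {
            Add-Finding 'Scheduled task' $fullName $actionText
        }
    }
}

# 3. Running processes signed by the named publisher. The signer subject is
#    checked regardless of $sig.Status: a revoked or expired certificate still
#    identifies who signed the binary, which is what we care about here.
$paths = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    Select-Object -ExpandProperty Path -Unique
foreach ($path in $paths) {
    $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    if ($sig -and $sig.SignerCertificate -and
        $sig.SignerCertificate.Subject -like "*$signerPattern*") {
        Add-Finding 'Signed process' $path "$($sig.SignerCertificate.Subject) [status: $($sig.Status)]"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the article were found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit in any of the three sections is a reason to isolate the host and pull the full WMI subscription (filter, consumer and binding) and the task XML for analysis before removing anything, since the article notes the update mechanism also prevents antivirus from being restarted, so a partial cleanup can leave the host unprotected.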