Hackers News
Critical Dragon Boss Solutions Vulnerability Exposes 25,000+ Endpoints


Marcus Rodriguez
April 15, 2026

Key Takeaways

  • A supply chain attack, dubbed “Dragon Boss,” exposed over 25,000 endpoints globally through a compromised software update mechanism.
  • The attack leveraged signed software from “Dragon Boss Solutions LLC” to deliver payloads that disabled antivirus programs and prevented their reinstallation.
  • The critical vulnerability stemmed from an unregistered update domain, chromsterabrowser[.]com, which allowed attackers to push arbitrary malicious code.
  • The compromised endpoints included high-value targets such as universities, critical infrastructure, government agencies, and Fortune 500 companies.
  • Security researchers at Huntress identified the threat and secured the malicious domain to prevent further compromise, providing detailed mitigation steps.

Widespread Supply Chain Attack Exposes 25,000+ Endpoints Via Dragon Boss Solutions Update Domain

A significant supply chain compromise, now identified as the “Dragon Boss” attack, has led to the exposure of over 25,000 endpoints worldwide. This extensive breach originated from a vulnerability within the update infrastructure of Dragon Boss Solutions and was initially detected through a series of adware alerts that rapidly escalated into a more severe incident. Cybersecurity experts have released a detailed report outlining the specifics of the compromise.

On March 22, 2026, security alerts began to activate across various managed environments, all pointing to software digitally signed by Dragon Boss Solutions LLC. While the executables initially appeared innocuous, they exploited a built-in update mechanism to execute a multi-stage attack. This sophisticated operation was designed to neutralize antivirus solutions, leaving infected systems completely defenseless.

Dragon Boss Solutions LLC describes its business as “search monetization research.” However, the signed software distributed by the company was found to be serving a malicious purpose. These executables, operating with full SYSTEM privileges, covertly downloaded and deployed payloads specifically crafted to disable security products across compromised machines.

The observed behavior of disabling antivirus software was first noted in late March 2025, although the foundational loaders and update components had been present on victim systems since late 2024. The attackers employed Advanced Installer, a legitimate commercial update tool, to deliver MSI and PowerShell-based payloads, thereby cloaking the malicious activity in a veneer of legitimacy.

Discovery and Scope of the Attack

Huntress researchers James Northey and Ryan Dowd were instrumental in identifying this threat after detecting anomalous Windows Management Instrumentation (WMI) persistence signals within managed environments. Their investigation traced the malicious activity back to a signed executable named RaceCarTwo.exe, which served as the initial point of the infection chain. Following this, the attack deployed Setup.msi, which then executed a PowerShell script dubbed ClockRemoval.ps1. This script was a potent antivirus killer, not only terminating security processes but also actively blocking any attempts to reinstall them.

A particularly alarming aspect of the incident was a critical vulnerability inherent in the update configuration. The primary update domain, chromsterabrowser[.]com, was found to be unregistered. This meant that any individual could register the domain for approximately $10 and immediately gain the capability to push any payload—be it ransomware, an infostealer, or other malware—to every infected endpoint running the compromised software variant.

Recognizing the severity of this vulnerability, Huntress proactively registered the domain and redirected it to a sinkhole. Within hours, tens of thousands of infected systems began attempting to connect to the sinkhole, seeking instructions. Over a 24-hour monitoring period, 23,565 unique IP addresses connected, unequivocally confirming the extensive scale of active infections globally.

The geographical distribution of the compromised endpoints was broad. The United States reported the highest number of infections, with 12,697 hosts (53.9%). France followed with 2,803 (11.9%), Canada with 2,380 (10.1%), the United Kingdom with 2,223 (9.4%), and Germany with 2,045 (8.7%).

Among the total infections, 324 were linked to high-value networks. This included 221 universities and colleges, 41 operational technology networks critical to electric utilities and infrastructure, 35 government entities, 24 primary and secondary schools, and 3 healthcare organizations. Several Fortune 500 companies were also impacted by this widespread compromise.

Inside the AV-Killing Payload

The ClockRemoval.ps1 script represented the core of the attack’s destructive capabilities. Once deployed via the MSI update package, it initiated a comprehensive sweep of the infected system. Its actions included terminating antivirus processes, removing their services through registry manipulations, and establishing five scheduled tasks with SYSTEM privileges. These tasks—ClockSetupWmiAtBoot, DisableClockServicesFirst, DisableClockAtStartup, RemoveClockAtLogon, and RemoveClockPeriodic—were designed to ensure that security tools remained disabled at every boot, startup, and at 30-minute intervals.

Furthermore, the script modified the Windows hosts file to redirect the update domains of prominent antivirus vendors, including Malwarebytes and Kaspersky, to 0.0.0.0. This effectively severed all potential routes for reinstalling security software. It also added Windows Defender exclusions for paths such as DGoogle, EMicrosoft, and DDapps, which are suspected staging directories for future malicious payloads. Additionally, Dragon Boss Solutions-signed Chrome binaries were observed running with the flag --simulate-outdated-no-au="01 Jan 2199", which permanently disables Chrome’s auto-update feature.

What You Should Do

  • Inspect WMI event subscriptions for consumer names containing “MbRemoval” or “MbSetup.”
  • Monitor scheduled tasks for any pointing to WMILoad directories or ClockRemoval scripts.
  • Flag and investigate any processes digitally signed by “Dragon Boss Solutions LLC.”
  • Review the Windows hosts file for blocked antivirus vendor domains.
  • Check Windows Defender exclusion paths for suspicious entries such as DGoogle, EMicrosoft, or DDapps.
  • Ensure all security software is up to date and conduct thorough system scans.
  • Implement robust endpoint detection and response (EDR) solutions to detect and prevent similar advanced threats.
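The host checks in the list above, collected into a single triage script. This is an added example, not code from the article or from Huntress; the indicator strings (WMI consumer names, task names, the WMILoad and ClockRemoval names, the signer name, the vendor domains and the Defender exclusion paths) are the ones the article lists, while the script structure and its output format are assumptions of this example.

```powershell
# Added triage script: not from the article or from Huntress. Run in an elevated PowerShell
# on the host being checked. The indicator strings are those the article lists; the
# structure and output format are this script's own assumptions.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Permanent WMI event consumers whose name contains MbRemoval or MbSetup (root\subscription)
Get-CimInstance -Namespace 'root\subscription' -ClassName __EventConsumer -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'MbRemoval|MbSetup' } |
    ForEach-Object { $findings.Add("WMI consumer: $($_.Name) [$($_.CimClass.CimClassName)]") }

# 2. Scheduled tasks with the article's task names, or whose actions reference WMILoad / ClockRemoval
$taskNames = 'ClockSetupWmiAtBoot|DisableClockServicesFirst|DisableClockAtStartup|RemoveClockAtLogon|RemoveClockPeriodic'
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    if ($_.TaskName -match "^($taskNames)$" -or $cmd -match 'WMILoad|ClockRemoval') {
        $findings.Add("Scheduled task: $($_.TaskPath)$($_.TaskName) -> $cmd")
    }
}

# 3. Running processes whose image is Authenticode-signed by Dragon Boss Solutions LLC
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | Sort-Object Path -Unique | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
    if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -match 'Dragon Boss Solutions') {
        $findings.Add("Signed process: $($_.ProcessName) (PID $($_.Id)) $($_.Path)")
    }
}

# 4. hosts-file lines that null-route antivirus vendor domains (the article names Malwarebytes and Kaspersky)
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsFile -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*0\.0\.0\.0\s+\S*(malwarebytes|kaspersky)' } |
    ForEach-Object { $findings.Add("hosts null-route: $($_.Trim())") }

# 5. Windows Defender path exclusions matching the suspected staging directories
(Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath |
    Where-Object { $_ -match 'DGoogle|EMicrosoft|DDapps' } |
    ForEach-Object { $findings.Add("Defender exclusion: $_") }

if ($findings.Count -eq 0) { 'No Dragon Boss indicators found on this host.' }
else { "Found $($findings.Count) indicator(s):"; $findings | ForEach-Object { " - $_" } }
```

A hit on any check is a reason to isolate the host and review its full task, WMI and hosts-file state, since the payload re-applies its changes at boot and every 30 minutes.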
