Critical Dragon Boss Solutions Vulnerability Exposes 25,000+ Endpoints
Key Takeaways
- A supply chain attack, dubbed “Dragon Boss,” exposed over 25,000 endpoints globally through a compromised software update mechanism.
- The attack leveraged signed software from “Dragon Boss Solutions LLC” to deliver payloads that disabled antivirus programs and prevented their reinstallation.
- The critical vulnerability stemmed from an unregistered update domain, chromsterabrowser[.]com, which allowed attackers to push arbitrary malicious code.
- The compromised endpoints included high-value targets such as universities, critical infrastructure, government agencies, and Fortune 500 companies.
- Huntress researchers identified the threat, registered the unclaimed update domain and pointed it at a sinkhole to stop anyone else from using it, and published mitigation steps.
Widespread Supply Chain Attack Exposes 25,000+ Endpoints Via Dragon Boss Solutions Update Domain
A large supply chain compromise, now known as the "Dragon Boss" attack, has exposed more than 25,000 endpoints worldwide. It stems from a weakness in the update infrastructure of Dragon Boss Solutions and was first noticed as a run of adware alerts that quickly escalated into a far more serious incident. Huntress has published a detailed report on the compromise.
On March 22, 2026, alerts began firing across multiple managed environments, all pointing at software digitally signed by Dragon Boss Solutions LLC. The executables themselves looked harmless, but their built-in update mechanism was used to run a multi-stage chain whose end goal was to neutralize antivirus products, leaving infected systems without endpoint protection.
Dragon Boss Solutions LLC describes its business as "search monetization research." The signed software it distributed, however, ran with full SYSTEM privileges and quietly downloaded and executed payloads built specifically to disable security products on the machines it was installed on.
The antivirus-killing behavior was first observed in late March 2025, although the underlying loaders and update components had been present on victim systems since late 2024. The attackers delivered the MSI and PowerShell payloads through Advanced Installer, a legitimate commercial installer and updater framework, so the activity looked like routine software updating.
Discovery and Scope of the Attack
Huntress researchers James Northey and Ryan Dowd identified the threat after spotting anomalous Windows Management Instrumentation (WMI) persistence in managed environments. They traced the activity to a signed executable, RaceCarTwo.exe, the first stage of the infection chain. It delivered Setup.msi, which in turn ran a PowerShell script named ClockRemoval.ps1: an antivirus killer that terminated security processes and actively blocked any attempt to reinstall them.
The most alarming finding concerned the update configuration itself. The primary update domain, chromsterabrowser[.]com, was unregistered. Anyone could register it for roughly $10 and immediately serve whatever payload they chose (ransomware, an infostealer, anything else) to every endpoint running the affected software variant, because those endpoints polled the domain for updates and ran what it returned.
Given the severity of that exposure, Huntress registered the domain and pointed it at a sinkhole. Within hours, tens of thousands of infected systems were polling the sinkhole for updates. Over a 24-hour monitoring window, 23,565 unique IP addresses connected, confirming the scale of active infection.
The geographical distribution of the compromised endpoints was broad. The United States reported the highest number of infections, with 12,697 hosts (53.9%). France followed with 2,803 (11.9%), Canada with 2,380 (10.1%), the United Kingdom with 2,223 (9.4%), and Germany with 2,045 (8.7%).
Among the total infections, 324 were linked to high-value networks. This included 221 universities and colleges, 41 operational technology networks critical to electric utilities and infrastructure, 35 government entities, 24 primary and secondary schools, and 3 healthcare organizations. Several Fortune 500 companies were also impacted by this widespread compromise.
Inside the AV-Killing Payload
ClockRemoval.ps1 is the destructive core of the attack. Once delivered by the MSI update package, it swept the infected system: terminating antivirus processes, deleting their services through registry edits, and creating five scheduled tasks that run as SYSTEM. The tasks (ClockSetupWmiAtBoot, DisableClockServicesFirst, DisableClockAtStartup, RemoveClockAtLogon and RemoveClockPeriodic) re-disable security tooling at boot, at startup, at logon and every 30 minutes, so a one-off cleanup does not survive the next trigger.
The script also rewrote the Windows hosts file to point update domains of antivirus vendors, including Malwarebytes and Kaspersky, at 0.0.0.0, blocking downloads of their installers and updates. It added Windows Defender exclusions for paths containing DGoogle, EMicrosoft and DDapps, which Huntress suspects are staging directories for future payloads. Chrome binaries signed by Dragon Boss Solutions were also seen running with the switch --simulate-outdated-no-au="01 Jan 2199", which makes Chrome behave as though it were out of date with auto-update turned off.
What You Should Do
- Inspect WMI event subscriptions (the root\subscription namespace) for consumer names containing "MbRemoval" or "MbSetup."
- Review scheduled tasks for the five task names above and for any action pointing at WMILoad directories or ClockRemoval scripts.
- Flag and investigate any running process whose binary is digitally signed by "Dragon Boss Solutions LLC."
- Review the Windows hosts file for antivirus vendor domains pointed at 0.0.0.0.
- Check Windows Defender exclusion paths for suspicious entries such as DGoogle, EMicrosoft or DDapps.
- Once the persistence is removed, reinstall or update security software and run full system scans.
- Deploy endpoint detection and response (EDR) tooling that alerts on WMI persistence, scheduled-task creation as SYSTEM and tampering with security products.
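The following PowerShell script is an added example that walks the checks above against a live host; it is not Huntress's code or the article's. It only reads system state (WMI consumers, scheduled tasks, running processes, the hosts file and Defender exclusions) and reports matches against the indicators the article names. The task names, consumer names, staging-directory strings and the Chrome switch come from the article; the vendor keyword list in `$avVendors` is an assumption, since the article names only Malwarebytes and Kaspersky. Run it from an elevated PowerShell 5.1 or later session.

```powershell
# Added triage script for the Dragon Boss indicators (not Huntress's or the article's code).
# Read-only: it enumerates persistence and tampering artefacts and returns findings.
function Invoke-DragonBossTriage {
    [CmdletBinding()]
    param()

    $findings  = New-Object System.Collections.Generic.List[object]
    # Task names reported by the article
    $taskNames = 'ClockSetupWmiAtBoot|DisableClockServicesFirst|DisableClockAtStartup|RemoveClockAtLogon|RemoveClockPeriodic'
    # Assumed vendor keyword list; the article names only Malwarebytes and Kaspersky
    $avVendors = 'malwarebytes|kaspersky|eset|bitdefender|sophos|avast|avg|norton|mcafee|sentinelone|crowdstrike'
    $hostsPattern = "^\s*0\.0\.0\.0\s+.*($avVendors)"

    function Add-Finding([string]$Type, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
    }

    # 1. WMI persistence: event consumers in root\subscription with the reported names
    Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match 'MbRemoval|MbSetup' } |
        ForEach-Object { Add-Finding 'WMI consumer' "$($_.CimClass.CimClassName) $($_.Name)" }

    # 2. Scheduled tasks: the five reported names, or actions touching WMILoad / ClockRemoval
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        if ($_.TaskName -match $taskNames -or $actions -match 'WMILoad|ClockRemoval') {
            Add-Finding 'Scheduled task' "$($_.TaskName) [runs as $($_.Principal.UserId)] $actions"
        }
    }

    # 3. Running binaries signed by Dragon Boss Solutions LLC
    Get-Process -ErrorAction SilentlyContinue | Where-Object Path |
        Select-Object -ExpandProperty Path -Unique | ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_ -ErrorAction SilentlyContinue
            if ($sig -and $sig.SignerCertificate -and
                $sig.SignerCertificate.Subject -match 'Dragon Boss Solutions') {
                Add-Finding 'Signed process' "$_ (signature status: $($sig.Status))"
            }
        }

    # 3b. Browser processes started with the reported auto-update switch
    Get-CimInstance -ClassName Win32_Process -ErrorAction SilentlyContinue |
        Where-Object { $_.CommandLine -match 'simulate-outdated-no-au' } |
        ForEach-Object { Add-Finding 'Chrome no-AU switch' "PID $($_.ProcessId): $($_.CommandLine)" }

    # 4. hosts file entries that null-route antivirus vendor domains
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (Test-Path $hosts) {
        Get-Content $hosts | Where-Object { $_ -match $hostsPattern } |
            ForEach-Object { Add-Finding 'hosts entry' $_.Trim() }
    }

    # 5. Defender exclusion paths matching the suspected staging directories
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    if ($mp) {
        $mp.ExclusionPath | Where-Object { $_ -match 'DGoogle|EMicrosoft|DDapps' } |
            ForEach-Object { Add-Finding 'Defender exclusion' $_ }
    }

    return $findings
}

# Usage: print findings as a table and a one-line verdict
$result = Invoke-DragonBossTriage
if ($result.Count -eq 0) {
    'No Dragon Boss indicators found.'
} else {
    $result | Format-Table -AutoSize
    "$($result.Count) indicator(s) found; treat the host as compromised until reviewed."
}
```

A hit on any single check is enough to escalate; the scheduled tasks and WMI consumer are what make removal stick, so delete those before reinstalling security software, otherwise the 30-minute task simply removes it again.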
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.