
How a Signed Adware Operation Silently Disabled Antivirus on 23,000 Hosts Worldwide


A new signed adware operation linked to Dragon Boss Solutions LLC has been quietly disabling antivirus software on more than 23,000 endpoints globally, according to research from Huntress. This campaign, which uses a legitimate code-signing certificate and an off-the-shelf update mechanism, represents a significant threat to enterprise security. In this article, we break down the attack chain, the global impact, and what organizations can do to protect themselves.

Understanding the Signed Adware Operation

This signed adware operation was first observed by Huntress researchers in late March 2025, though the underlying loaders had been present on some systems since late 2024. The attackers used Advanced Installer to poll remote servers for MSI-based updates. Once delivered, a PowerShell script called ClockRemoval.ps1 executed with SYSTEM privileges, targeting security products from Malwarebytes, Kaspersky, McAfee, and ESET.

What makes this attack particularly dangerous is its use of a legitimate code-signing certificate, which helps it evade initial detection. The payload checks for admin status, detects virtual machines, and queries the registry for installed security products before deploying its full capabilities.

Attack Chain Details

After gaining initial access, the payload establishes five scheduled tasks and Windows Management Instrumentation (WMI) event subscriptions to maintain persistence. These tasks trigger at boot, logon, and every 30 minutes. A tight polling loop kills matching antivirus processes every 100 milliseconds for 20 seconds at startup, preventing security tools from initializing.

The script also strips registry entries, runs vendor uninstallers silently, and modifies the Windows hosts file to redirect antivirus update domains to 0.0.0.0. Defender exclusions are added for directories like DGoogle and EMicrosoft, which likely serve as staging areas for follow-on payloads.

Global Impact and Sinkhole Discovery

What revealed the true scale of the operation was the discovery that a primary update domain in its configuration was unregistered. Huntress registered the domain first and pointed it to a sinkhole. Within 24 hours, 23,565 unique IP addresses requested instructions. Infections spanned 124 countries, with the US accounting for roughly 54% of connections, followed by France, Canada, the UK, and Germany.

The firm identified 324 infections on high-value networks, including 221 universities and colleges, 41 operational technology networks (including electric utilities), 35 government entities, and three healthcare organizations. This signed adware operation clearly targeted critical infrastructure and educational institutions.

Dragon Boss Solutions: The Company Behind the Attack

According to Crunchbase, Dragon Boss Solutions is based in Sharjah, United Arab Emirates, and describes itself as conducting “search monetization research.” Antivirus vendors have historically categorized software carrying the company's signature as adware with browser-hijacking functionality. While the immediate payload remains an antivirus killer, Huntress warned that the update infrastructure could deliver any payload type, including ransomware, cryptominers, or data theft tools.

For more on similar threats, check out our article on DeepLoad Malware Combines ClickFix With AI-Code to Avoid Detection.

How to Protect Your Organization

To defend against such attacks, ensure your antivirus software is up to date and consider using application whitelisting to block unauthorized executables. Monitor for unusual WMI event subscriptions and scheduled tasks, as these are common persistence mechanisms. Implement network segmentation to limit the spread of infections, and do not treat a valid code signature alone as proof that software is trustworthy, since this campaign was signed with a legitimate certificate.

Additionally, consider using a robust endpoint detection and response (EDR) solution that can detect and block PowerShell-based attacks. Finally, educate your users about the risks of adware and the importance of reporting suspicious activity.
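The persistence and defense-evasion behaviours described in the attack chain above (scheduled tasks firing at boot, logon and every 30 minutes; WMI event subscriptions; hosts-file entries sending antivirus update domains to 0.0.0.0; Defender exclusions for directories such as DGoogle and EMicrosoft) map directly onto the monitoring advice in this section. The following PowerShell hunting script is an added example written for this article; it is not code from Huntress or from the article itself. It assumes it runs elevated on a Windows host where the Defender and ScheduledTasks modules are available, and the vendor keyword list and exclusion names are taken from the article rather than from any published indicator list.

```powershell
# Added hunting script (not from the article or Huntress). Assumes an elevated
# PowerShell session on Windows with the Defender and ScheduledTasks modules.

# Vendor names mentioned in the article; matched as substrings of hostnames
# in the hosts file. Extend with your own vendors' update hostnames.
$VendorKeywords = @('malwarebytes', 'kaspersky', 'mcafee', 'eset')
# Exclusion directory names the article attributes to the campaign.
$SuspiciousExclusionNames = @('DGoogle', 'EMicrosoft')

function Get-HostsFileSinkholeEntries {
    param([string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts")
    # Any name mapped to 0.0.0.0 or 127.0.0.1 blocks that name; flag those that
    # look like an AV vendor so update blocking stands out.
    foreach ($line in Get-Content -Path $HostsPath -ErrorAction SilentlyContinue) {
        if ($line -match '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+(\S+)') {
            $name = $Matches[2]
            $vendorHit = [bool]($VendorKeywords | Where-Object { $name -like "*$_*" })
            [PSCustomObject]@{ Address = $Matches[1]; HostName = $name; LooksLikeAvVendor = $vendorHit }
        }
    }
}

function Get-SuspiciousDefenderExclusions {
    $prefs = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $prefs) { return }
    foreach ($path in @($prefs.ExclusionPath)) {
        if ($path -and ($SuspiciousExclusionNames | Where-Object { $path -like "*$_*" })) {
            [PSCustomObject]@{ Type = 'DefenderExclusionPath'; Value = $path }
        }
    }
}

function Get-WmiPersistence {
    # Permanent WMI subscriptions live in root/subscription as a filter, a
    # consumer and a binding that ties them together.
    $ns = 'root/subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    foreach ($b in $bindings) {
        # Filter and Consumer are object references; Get-CimInstance exposes them
        # as CimInstance objects whose Name is the key.
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        [PSCustomObject]@{
            FilterName   = $f.Name
            Query        = $f.Query
            ConsumerName = $c.Name
            ConsumerType = $c.CimClass.CimClassName   # e.g. CommandLineEventConsumer
            Payload      = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        }
    }
}

function Get-FrequentlyTriggeredTasks {
    param([int]$MaxRepetitionMinutes = 30)
    # Report non-Microsoft tasks that run at boot or logon, or repeat at least
    # every $MaxRepetitionMinutes minutes (the article reports a 30-minute cadence).
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        if ($task.TaskPath -like '\Microsoft\*') { continue }   # skip built-ins on a first pass
        foreach ($t in $task.Triggers) {
            $kind     = $t.CimClass.CimClassName       # MSFT_TaskBootTrigger, MSFT_TaskLogonTrigger, ...
            $interval = $t.Repetition.Interval         # ISO 8601 duration such as PT30M, or $null
            $short    = ($interval -match '^PT(\d+)M$') -and ([int]$Matches[1] -le $MaxRepetitionMinutes)
            if (($kind -in 'MSFT_TaskBootTrigger', 'MSFT_TaskLogonTrigger') -or $short) {
                [PSCustomObject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Trigger   = $kind
                    Interval  = $interval
                    RunAs     = $task.Principal.UserId
                    Action    = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                }
            }
        }
    }
}

# Run every check and print the findings as separate tables.
'--- hosts file sinkhole entries ---';       Get-HostsFileSinkholeEntries     | Format-Table -AutoSize
'--- suspicious Defender exclusions ---';    Get-SuspiciousDefenderExclusions | Format-Table -AutoSize
'--- WMI permanent event subscriptions ---'; Get-WmiPersistence               | Format-List
'--- boot/logon/frequent scheduled tasks ---'; Get-FrequentlyTriggeredTasks   | Format-Table -AutoSize
```

Each function returns objects rather than text, so the same checks can be piped to Export-Csv or wrapped in an EDR response action across a fleet. Legitimate software does create boot or logon tasks and the occasional WMI subscription, so treat the output as a review list: tasks running as SYSTEM that launch PowerShell, consumers whose command line touches security products, and any hosts-file line that blocks a vendor update domain are the combinations worth escalating.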

Conclusion

This signed adware operation highlights the evolving threat landscape where attackers use legitimate tools and certificates to bypass security. With over 23,000 hosts affected and a global footprint, organizations must remain vigilant. By understanding the attack chain and implementing proactive defenses, you can reduce the risk of falling victim to such campaigns.
