
AiTM Phishing Campaign Targets TikTok for Business Accounts


A Coordinated Attack on Digital Advertisers

Security researchers have spotted a fresh and highly coordinated phishing operation. The target? TikTok for Business accounts. This campaign uses a sophisticated Adversary-in-the-Middle (AiTM) technique, where attackers secretly intercept communication between a user and a legitimate service.

Push Security identified a cluster of malicious pages all registered within a mere nine-second window on March 24. The technical precision suggests an automated, large-scale attack is underway. These pages are cleverly hidden behind Cloudflare’s infrastructure and registered through Nicenic International Group, a registrar notorious for hosting bulk phishing domains.

How the TikTok Phishing Trap Works

The attack begins with a deceptive link, likely delivered via a convincingly crafted email. While the exact delivery method isn’t confirmed, it mirrors a previous campaign that used fake Google Careers pages. Clicking the link sends you on a brief detour through a legitimate Google Cloud Storage site—a trick to build false trust—before landing on the malicious page.

To evade automated security scanners, the site first presents a Cloudflare Turnstile check. Once past this gate, victims see a professional-looking page themed around either TikTok or Google careers. The process seems normal: fill out a basic form, then proceed to login.

That login page is the heart of the scam. It’s not a real TikTok page but a reverse proxy. As you enter your credentials, the AiTM kit silently captures them and forwards them to the actual TikTok server, logging you in seamlessly. You might not notice anything is wrong, but the attackers now have full access to your account.

Why TikTok for Business is a Lucrative Target

At first glance, TikTok seems an unusual focus for cybercriminals. Most phishing kits aim for universal Single Sign-On (SSO) platforms like Google or Microsoft. So why the shift?

TikTok for Business accounts are the digital wallets for company advertising. Marketing teams use them to fund and manage campaigns, often with significant budgets attached. Compromising one of these accounts is like stealing the keys to a company’s promotional treasury.

There’s another, more sinister angle. Many users choose “Log in with Google” for their TikTok accounts. A successful phishing attack here can compromise two accounts at once: the TikTok ad manager and the linked Google account. This double breach can trigger an exploitation chain. Attackers could hijack Google Ad Manager accounts to run malicious advertising (malvertising) or drain funds from both platforms.

The Bigger Threat Landscape

This campaign didn’t emerge from a vacuum. TikTok’s platform has a history of being abused by threat actors. It’s been a distribution channel for infostealer malware, often disguised in “ClickFix” style tutorials with AI-generated videos posing as software activation guides.

The platform is also a known hunting ground for cryptocurrency scammers. By targeting the business and advertising side, attackers are simply following the money upstream. They’re moving from scamming individual users to directly attacking the corporate financial mechanisms on the platform.

The domains used in this attack follow a predictable pattern, like variations of welcome.careers*[.]com. Security experts warn this list will almost certainly grow as the campaign expands. For any team managing social media advertising, vigilance is no longer optional—it’s a critical business defense.
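The domain pattern above and the Google Cloud Storage detour described earlier are the two observable hops a defender can look for in web-proxy logs. The following is an added example, not code from the original article or from Push Security: it triages constructed proxy log lines for hosts matching the welcome.careers*[.]com pattern and records whether each hit arrived directly from the storage hop. The log format (timestamp, user, referrer, URL), the sample hostnames and the storage.googleapis.com hostname for Google Cloud Storage are assumptions for this example.

```powershell
# Added example (not part of the original article): triage web-proxy log lines
# for the campaign's reported domain pattern (welcome.careers*[.]com) and for
# the redirect hop the article describes (a legitimate Google Cloud Storage URL
# immediately before the phishing host). The log field order and the
# storage.googleapis.com hostname are assumptions for this example.

# Constructed sample log lines: timestamp, user, referrer ("-" if none), URL.
$sampleLog = @(
    '2025-03-24T09:01:10Z alice - https://storage.googleapis.com/example-bucket/job.html',
    '2025-03-24T09:01:12Z alice https://storage.googleapis.com/example-bucket/job.html https://welcome.careers-example.com/apply',
    '2025-03-24T09:01:40Z alice https://welcome.careers-example.com/apply https://welcome.careers-example.com/login',
    '2025-03-24T09:05:00Z bob - https://ads.tiktok.com/business/',
    '2025-03-24T09:07:33Z carol - https://welcome.careerspage-example.com/'
)

# Hostnames matching the pattern reported for the campaign.
$campaignHostPattern = '^welcome\.careers[^./]*\.com$'

function Get-UrlHost {
    param([string]$Url)
    if ($Url -eq '-') { return $null }
    $clean = $Url -replace '\[\.\]', '.'   # refang defanged indicators such as [.]
    try { return ([System.Uri]$clean).Host.ToLowerInvariant() } catch { return $null }
}

function Find-AitmCampaignHits {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $f = $line -split ' ', 4
        if ($f.Count -lt 4) { continue }
        $refHost = Get-UrlHost $f[2]
        $reqHost = Get-UrlHost $f[3]
        if (-not $reqHost -or $reqHost -notmatch $campaignHostPattern) { continue }
        [pscustomobject]@{
            Time      = $f[0]
            User      = $f[1]
            Host      = $reqHost
            # True when the request came straight from the Google Cloud Storage detour.
            ViaGcsHop = ($refHost -eq 'storage.googleapis.com')
            Path      = ([System.Uri]($f[3] -replace '\[\.\]', '.')).AbsolutePath
        }
    }
}

Find-AitmCampaignHits -Lines $sampleLog | Format-Table -AutoSize
```

A hit whose path reaches the proxied login page means the user may already have typed credentials into the reverse proxy, so treat it as a possible account compromise (password reset and session revocation on TikTok for Business and on any linked Google account) rather than as a blocked click.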

How a Signed Adware Operation Silently Disabled Antivirus on 23,000 Hosts Worldwide

A new signed adware operation linked to Dragon Boss Solutions LLC has been quietly disabling antivirus software on more than 23,000 endpoints globally, according to research from Huntress. This campaign, which uses a legitimate code-signing certificate and an off-the-shelf update mechanism, represents a significant threat to enterprise security. In this article, we break down the attack chain, the global impact, and what organizations can do to protect themselves.

Understanding the Signed Adware Operation

This signed adware operation was first observed by Huntress researchers in late March 2025, though the underlying loaders had been present on some systems since late 2024. The attackers used Advanced Installer to poll remote servers for MSI-based updates. Once delivered, a PowerShell script called ClockRemoval.ps1 executed with SYSTEM privileges, targeting security products from Malwarebytes, Kaspersky, McAfee, and ESET.

What makes this attack particularly dangerous is its use of a legitimate code-signing certificate, which helps it evade initial detection. The payload checks for admin status, detects virtual machines, and queries the registry for installed security products before deploying its full capabilities.

Attack Chain Details

After gaining initial access, the payload establishes five scheduled tasks and Windows Management Instrumentation (WMI) event subscriptions to maintain persistence. These tasks trigger at boot, logon, and every 30 minutes. A tight polling loop kills matching antivirus processes every 100 milliseconds for 20 seconds at startup, preventing security tools from initializing.

The script also strips registry entries, runs vendor uninstallers silently, and modifies the Windows hosts file to redirect antivirus update domains to 0.0.0.0. Defender exclusions are added for directories like DGoogle and EMicrosoft, which likely serve as staging areas for follow-on payloads.

Global Impact and Sinkhole Discovery

What elevated the threat was the discovery that a primary update domain in the operation’s configuration was unregistered. Huntress registered the domain first and pointed it to a sinkhole. Within 24 hours, 23,565 unique IP addresses requested instructions. Infections spanned 124 countries, with the US accounting for roughly 54% of connections, followed by France, Canada, the UK, and Germany.

The firm identified 324 infections on high-value networks, including 221 universities and colleges, 41 operational technology networks (including electric utilities), 35 government entities, and three healthcare organizations. This signed adware operation clearly targeted critical infrastructure and educational institutions.

Dragon Boss Solutions: The Company Behind the Attack

According to Crunchbase, Dragon Boss Solutions is based in Sharjah, United Arab Emirates, and describes itself as conducting “search monetization research.” Antivirus vendors have historically categorized their signature as adware with browser-hijacking functionality. While the immediate payload remains an antivirus killer, Huntress warned that the update infrastructure could deliver any payload type, including ransomware, cryptominers, or data theft tools.


How to Protect Your Organization

To defend against such attacks, ensure your antivirus software is up to date and consider using application whitelisting to block unauthorized executables. Monitor for unusual WMI event subscriptions and scheduled tasks, as these are common persistence mechanisms. Implement network segmentation to limit the spread of infections, and regularly review your code-signing certificate management to prevent abuse.

Additionally, consider using a robust endpoint detection and response (EDR) solution that can detect and block PowerShell-based attacks. Finally, educate your users about the risks of adware and the importance of reporting suspicious activity.
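The persistence and tampering techniques in the "Attack Chain Details" section (WMI event subscriptions, scheduled tasks, hosts-file redirects of antivirus domains to 0.0.0.0, Defender exclusions for DGoogle and EMicrosoft directories) map directly onto the monitoring advice above. The following read-only hunt is an added example, not code from the original article or from Huntress: it lists the artifacts a responder would check on a single Windows host. The ClockRemoval.ps1 script name, the vendor list and the exclusion-directory names come from the article; treating any PowerShell-invoking task or any 0.0.0.0 hosts entry naming a vendor as worth review is this example's own heuristic, and the script makes no changes to the system.

```powershell
# Added example (not the article's or Huntress's code): a read-only hunt for the
# persistence and tampering artifacts described in the article. Run from an
# elevated PowerShell session on the host being checked. The matching rules are
# heuristics for this example, not detections published by the vendor.

$avVendors = 'malwarebytes', 'kaspersky', 'mcafee', 'eset'   # vendors named in the article

function Get-WmiPersistence {
    # Permanent WMI event subscriptions live in root\subscription. Every consumer
    # that runs a command line or script deserves review on a suspected host.
    $consumers = Get-CimInstance -Namespace 'root\subscription' -ClassName __EventConsumer -ErrorAction SilentlyContinue
    foreach ($c in $consumers) {
        [pscustomobject]@{
            Name        = $c.Name
            Type        = $c.CimClass.CimClassName
            CommandLine = $c.CommandLineTemplate   # CommandLineEventConsumer
            ScriptText  = $c.ScriptText            # ActiveScriptEventConsumer
        }
    }
}

function Get-SuspiciousScheduledTasks {
    # Tasks whose action launches PowerShell or references the reported script name.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match 'powershell|pwsh|ClockRemoval\.ps1') {
                [pscustomobject]@{ TaskName = $task.TaskName; Path = $task.TaskPath; Command = $cmd }
            }
        }
    }
}

function Get-HostsFileSinkholes {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    # Entries that map a hostname to 0.0.0.0 (or 127.0.0.1) and mention an AV vendor.
    Get-Content -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $line = $_.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { return }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2 -or $parts[0] -notin '0.0.0.0', '127.0.0.1') { return }
        foreach ($h in $parts[1..($parts.Count - 1)]) {
            if ($avVendors | Where-Object { $h -like "*$_*" }) {
                [pscustomobject]@{ Address = $parts[0]; Hostname = $h }
            }
        }
    }
}

function Get-SuspiciousDefenderExclusions {
    # Path exclusions ending in the staging-directory names reported in the article.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $pref) { return }
    $pref.ExclusionPath | Where-Object { $_ -match '\\(DGoogle|EMicrosoft)(\\|$)' }
}

'--- WMI event consumers ---';         Get-WmiPersistence | Format-List
'--- PowerShell scheduled tasks ---';  Get-SuspiciousScheduledTasks | Format-Table -AutoSize
'--- hosts-file AV sinkholes ---';     Get-HostsFileSinkholes | Format-Table -AutoSize
'--- Defender path exclusions ---';    Get-SuspiciousDefenderExclusions
```

Because the script was observed killing antivirus processes at startup and removing the products outright, a clean result from the security product itself is not evidence of a clean host; the WMI bindings, task actions and hosts file are checked here precisely because they persist after the antivirus is gone.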

Conclusion

This signed adware operation highlights the evolving threat landscape where attackers use legitimate tools and certificates to bypass security. With over 23,000 hosts affected and a global footprint, organizations must remain vigilant. By understanding the attack chain and implementing proactive defenses, you can reduce the risk of falling victim to such campaigns.

Trump’s CISA Nominee Sean Plankey Withdraws, Leaving Agency Without Permanent Leader

The CISA leadership vacancy has deepened after Sean Plankey, President Donald Trump’s twice-nominated pick to lead the Cybersecurity and Infrastructure Security Agency, formally requested to withdraw his nomination. In a letter to the White House on Wednesday, Plankey cited an indefinite Senate holdup, stating it has “become clear” that lawmakers will not confirm him. This leaves the agency, tasked with defending federal civilian networks and critical infrastructure, without a permanent director for the foreseeable future.

Plankey’s decision comes more than a year after his initial nomination. According to reports from The New York Times and Politico, Senator Rick Scott (R-FL) blocked the nomination over a dispute unrelated to cybersecurity—specifically, a Coast Guard contract from Plankey’s tenure as a senior adviser to Coast Guard leadership. With the Senate unable to reach a majority vote, Plankey’s path to confirmation was effectively dead.

What Caused the CISA Leadership Vacuum?

The CISA leadership vacancy is not new. Since Madhu Gottumukkala departed in February after a tumultuous temporary tenure, Nick Andersen has served as acting director. Gottumukkala was appointed in May 2025 but left less than a year later, following several government shutdowns, furloughs, and budget cuts. The agency has struggled to maintain stability amid political headwinds.

Plankey’s withdrawal underscores a broader challenge: the Senate confirmation process for key cybersecurity roles has become increasingly politicized. A single senator’s hold can derail a nomination, leaving agencies like CISA in limbo. This means that critical cybersecurity decisions are being made by acting officials who lack the full authority of a Senate-confirmed leader.

Budget Cuts and Political Pressure on CISA

Adding to the turmoil, the Trump administration recently proposed slashing CISA’s budget by more than $700 million. The justification? Claims that the agency engaged in “censorship” during the 2020 election—a reference to its efforts to counter election misinformation. However, cybersecurity experts argue that these cuts could weaken the nation’s defenses against a rising tide of cyberattacks from state-sponsored groups and criminal networks.

Compounding this, the agency has faced at least three government shutdowns in the past year, along with staff reductions and furloughs. Despite these challenges, CISA remains responsible for protecting civilian federal networks and coordinating with private sector partners on critical infrastructure security. The CISA leadership vacancy could not come at a worse time, as threats from ransomware, nation-state espionage, and hacktivism continue to escalate.

The Impact of a Vacant Director Seat

Without a permanent director, CISA may struggle to advocate effectively for its budget and priorities on Capitol Hill. Acting directors often lack the political leverage needed to push through long-term strategies. Furthermore, international partners may view a leaderless agency as a sign of instability, potentially undermining collaboration on cross-border cyber threats.

As a result, the White House faces pressure to nominate a new candidate quickly. However, with the Senate deeply divided, any nominee will likely encounter similar obstacles. For now, Nick Andersen continues to steer the ship, but his authority remains temporary.

What Happens Next for CISA?

The Trump administration has not commented on whether it will accept Plankey’s withdrawal request or announce a new nominee. A White House spokesperson declined to provide details, leaving the agency’s future direction uncertain. Cybersecurity professionals and policymakers alike are watching closely, as the CISA leadership vacancy could shape the nation’s cyber defense posture for years to come.

In the meantime, CISA must continue its mission with limited resources and no permanent leader. This situation highlights a recurring problem in U.S. cybersecurity governance: political infighting often takes precedence over national security needs.

Ultimately, the CISA leadership vacancy is a symptom of a larger issue: the need for a more streamlined confirmation process for critical national security positions. Until that happens, agencies like CISA will remain vulnerable to political gridlock, even as cyber threats grow more sophisticated by the day.

ENISA Aims for Top-Tier Role in CVE Program: What It Means for EU Cybersecurity

The European Union Agency for Cybersecurity (ENISA) is pushing for a more powerful position within the globally recognized Common Vulnerabilities and Exposures (CVE) program. A senior official at the agency confirmed that ENISA is currently undergoing onboarding to become a top-level root CVE Numbering Authority, or TL-Root CNA status. This move could reshape how vulnerabilities are managed across Europe.

Nuno Rodrigues Carvalho, head of sector for Incidents and Vulnerability Services at ENISA, made the announcement during the opening keynote at VulnCon26 in Scottsdale, Arizona. Speaking to Infosecurity Magazine, he expressed hope that the agency would achieve this elevated status by 2026 or early 2027. Currently, only two organizations hold this distinction: the US Cybersecurity and Infrastructure Security Agency (CISA) and MITRE, the nonprofit that operates the program.

What Does TL-Root CNA Status Entail?

To understand the significance of this ambition, it helps to break down the CVE hierarchy. ENISA became a CVE Numbering Authority (CNA) in 2024, which allowed it to assign CVE IDs to newly discovered vulnerabilities. A year later, it advanced to a Root CNA, taking on responsibilities such as overseeing and coordinating multiple CNAs within a specific domain or region, onboarding new CNAs, and resolving disputes.

If granted TL-Root CNA status, ENISA would become a top-level authority managing the entire CVE Program alongside CISA and MITRE. This means setting global policies, ensuring consistency across all Root CNAs and CNAs, and representing European interests at the highest decision-making table. Johannes Kaspar Clos, a responsible disclosure and CSIRT collaboration expert working on CNA service implementation at ENISA, explained that this expanded role offers more than operational leverage. “As a Root CNA, we have a bigger operational footprint,” he said. “Now, as a TL-Root CNA, we would be represented in the CVE Program’s Board, where there are currently no European representatives. We want to help and support the CVE Program to blossom and grow and share our European vision.”

Why Europe Needs More CNAs

Currently, the CVE Program boasts 502 CNAs worldwide, but only 83 are based in Europe. Carvalho acknowledged that while he wouldn’t call Europe “underrepresented,” he believes there should be more European CNAs. “We know that the European market is not as big as the US market, but we’d like to have more representatives from the EU,” he noted.

During his VulnCon speech, Carvalho highlighted that ENISA is already onboarding new CNAs. The agency’s top priority is to vet all national computer emergency response teams (CERTs) and computer security incident response teams (CSIRTs) across Europe to become CNAs. This initiative aims to strengthen the continent’s vulnerability response capabilities and ensure a more balanced global representation.

Addressing the Vulnerability Gap

Both Carvalho and Clos emphasized that the push for greater ENISA involvement came directly from EU member states. The growing volume and complexity of reported vulnerabilities demand that more stakeholders participate in the program. This is especially urgent now that AI companies like OpenAI and Anthropic have launched models capable of autonomously finding and fixing cybersecurity vulnerabilities at scale.

“We need to include a diverse crowd of cybersecurity practitioners, from product and national CERTs and CSIRTs to researchers and vulnerability finders,” Clos said. This diversity is crucial for keeping pace with the rapidly evolving threat landscape.

Building the Team for the Challenge

Carvalho admitted that while the ambition to join the CVE Program’s top tier has been a long-standing goal, ENISA needed time to mature its services and team. “The challenge was always in front of us but was never picked up,” Clos added. “I guess the concerns about software vulnerabilities were not big enough until now.”

To meet this challenge, ENISA is actively hiring. Carvalho noted that the agency is expanding its vulnerability branch to build a critical mass capable of handling tasks like onboarding national CERTs and CSIRTs. “You’ll find vacancy notices on ENISA’s website,” he said. This growth reflects the agency’s commitment to representing EU interests effectively on the CVE Program’s Board.

The Road Ahead: Uncharted Territory

Both Carvalho and Clos described the TL-Root CNA onboarding process as “uncharted territory.” Since CISA and MITRE have operated the program from its inception, no other entity has ever been granted this status. “While it doesn’t depend solely on us, we hope ENISA can become a TL-Root CNA in 2026 or in early 2027. We will do our best to meet this timeframe,” Carvalho concluded.

This development aligns with the CVE Program’s broader diversification and internationalization strategy.

As ENISA navigates this complex process, the cybersecurity community watches closely. The agency’s success could herald a new era of collaboration between US and European entities in tackling global vulnerabilities.
