
Adware Disables Antivirus on 23,000 Systems

Summary

– A campaign linked to Dragon Boss Solutions LLC has silently disabled antivirus software on over 23,000 endpoints globally using a signed, legitimate update mechanism.
– The attack uses a PowerShell script that kills, uninstalls, and blocks the reinstallation of specific security products from vendors like Malwarebytes and Kaspersky.
– It maintains persistence through scheduled tasks and WMI events, and uses a rapid loop to terminate security processes at system boot.
– Researchers discovered a critical flaw where the attackers’ primary update domain was unregistered, allowing anyone to potentially push malicious payloads to all infected systems.
– Infections were found in 124 countries, with significant numbers on high-value networks including universities, government entities, and electric utilities.

A sophisticated adware campaign has been systematically disabling antivirus software on over 23,000 computers globally. The operation, which leverages a legitimate code-signing certificate, uses a commercial update mechanism to deploy a malicious PowerShell script that neutralizes security tools. Researchers from Huntress first documented this antivirus-killing behavior in March 2025, though the initial infection loaders had been active since late 2024.

The attack begins with executables built with Advanced Installer that check for updates from remote servers. Once a system is compromised, a script named ClockRemoval.ps1 runs with SYSTEM privileges. Its primary function is to locate and dismantle security products from major vendors including Malwarebytes, Kaspersky, McAfee, and ESET.

Before executing its full disruptive capabilities, the payload performs several reconnaissance checks. It verifies administrative rights, scans for virtual machine environments, and examines the Windows registry to identify installed security software. To ensure it survives reboots, the script establishes persistence through five scheduled tasks and Windows Management Instrumentation (WMI) event subscriptions. These are triggered at system startup, at user logon, and every 30 minutes.

A particularly aggressive component involves a tight polling loop that relentlessly seeks out and terminates antivirus processes every 100 milliseconds for 20 seconds during boot. This prevents security tools from ever initializing properly. The script goes further by deleting relevant registry keys, silently running vendor uninstallers, and tampering with the system’s hosts file to block antivirus update domains. It also adds exclusions to Windows Defender for suspicious directories, which likely act as staging areas for additional malicious payloads.
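The persistence and tampering described in the two paragraphs above (scheduled tasks and WMI subscriptions firing at boot, logon and on a 30-minute interval; hosts-file entries blocking vendor update domains; Windows Defender exclusions) are all things a defender can enumerate from the host. The hunting script below is an added example written for this article; it is not code from Huntress or from the campaign. It assumes it is run from an elevated PowerShell session on a Windows host with the Defender module available, and it only uses the vendor names the article lists; the article does not give the task names, WMI filter names or excluded directories, so the script flags by behaviour (PowerShell launched at boot/logon or on a short repeat interval, any command-line WMI consumer, hosts entries or exclusions that mention an AV vendor) rather than by a known indicator.

```powershell
# Added hunting script for the behaviour described in the article (not the
# article's or Huntress's code). Assumptions: elevated session on Windows;
# vendor names are those named in the article; nothing here is an IoC.

$vendorPattern = 'malwarebytes|kaspersky|mcafee|eset'

function Get-SuspiciousScheduledTasks {
    # Tasks that launch PowerShell from a boot or logon trigger, or repeat at
    # most every 30 minutes. Legitimate tasks rarely match all of that.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $runsPowerShell = $task.Actions | Where-Object { $_.Execute -match 'powershell|pwsh' }
        $hotTrigger = $task.Triggers | Where-Object {
            $_.CimClass.CimClassName -in @('MSFT_TaskBootTrigger', 'MSFT_TaskLogonTrigger') -or
            ($_.Repetition.Interval -match '^PT(\d+)M$' -and [int]$Matches[1] -le 30)
        }
        if ($runsPowerShell -and $hotTrigger) {
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                Command  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            }
        }
    }
}

function Get-WmiCommandLineSubscriptions {
    # Permanent WMI persistence is a filter bound to a consumer. Any
    # CommandLineEventConsumer with a binding is worth a human look.
    $ns        = 'root/subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding
    foreach ($b in $bindings) {
        # Filter/Consumer are references; their string form carries the instance Name.
        $fRef = "$($b.Filter)"; $cRef = "$($b.Consumer)"
        $f = $filters   | Where-Object { $fRef -match [regex]::Escape($_.Name) } | Select-Object -First 1
        $c = $consumers | Where-Object { $cRef -match [regex]::Escape($_.Name) } | Select-Object -First 1
        if ($c) {
            [pscustomobject]@{
                FilterName  = $f.Name
                Query       = $f.Query
                CommandLine = $c.CommandLineTemplate
            }
        }
    }
}

function Get-HostsFileVendorEntries {
    # Uncommented hosts entries that mention an AV vendor are almost always
    # an attempt to black-hole that vendor's update or telemetry domains.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hosts -ErrorAction Stop |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match $vendorPattern } |
        ForEach-Object { [pscustomobject]@{ Entry = $_.Trim() } }
}

function Get-DefenderExclusions {
    # Every exclusion is a blind spot; review all of them, not only vendor hits.
    $pref = Get-MpPreference
    [pscustomobject]@{
        Paths      = $pref.ExclusionPath
        Processes  = $pref.ExclusionProcess
        Extensions = $pref.ExclusionExtension
    }
}

'== Scheduled tasks launching PowerShell at boot/logon or <= 30 min =='
Get-SuspiciousScheduledTasks | Format-Table -AutoSize
'== WMI command-line event subscriptions =='
Get-WmiCommandLineSubscriptions | Format-List
'== hosts entries naming an AV vendor =='
Get-HostsFileVendorEntries | Format-Table -AutoSize
'== Windows Defender exclusions =='
Get-DefenderExclusions | Format-List
```

Each section is deliberately noisy in the direction of false positives: a hit is a prompt to read the task action, the WMI query and consumer command line, or the excluded path, not a verdict. On a fleet, run it through your endpoint management tooling and diff the output against a known-good baseline image, since the campaign's value to the operator lies in the thousands of hosts where this state already looks "normal".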

A critical discovery by researchers revealed a major vulnerability in the attackers’ own infrastructure. A primary update domain used in the campaign’s configuration was unregistered and available for purchase. This meant a third party could have hijacked the operation and delivered any software, malicious or otherwise, to every infected machine worldwide. Huntress proactively registered this domain to establish a sinkhole, allowing them to monitor the infection’s scope.

Data from this sinkhole painted a stark picture of the threat’s reach. Within a single day, over 23,500 unique IP addresses from 124 countries contacted the domain, seeking instructions. The United States represented the majority of infections at approximately 54 percent, followed by significant numbers in France, Canada, the United Kingdom, and Germany. The campaign infiltrated at least 324 high-value networks, compromising hundreds of universities, dozens of operational technology and government systems, and several healthcare organizations.

The operation has been linked to an entity called Dragon Boss Solutions LLC, based in Sharjah, United Arab Emirates. Public records describe the company’s work as “search monetization research,” and antivirus vendors have historically classified its software as adware with browser-hijacking traits. While the current payload is focused solely on dismantling antivirus defenses, the established update infrastructure presents a severe latent risk. With security software already neutralized on thousands of systems, the operators could easily pivot to deploy ransomware, cryptominers, or data-stealing malware at any moment.

(Source: Infosecurity Magazine)
