
Antivirus termination via signed PUP update chain enabled by unregistered domains

2 unique sources, 2 articles

Summary


A signed adware ecosystem from Dragon Boss Solutions LLC leveraging browsers like Chromstera and Artificius deployed SYSTEM-level antivirus-killing scripts via an abused Advanced Installer update mechanism across at least 23,500 hosts in 124 countries. The campaign’s malicious payload was pushed globally on March 22, 2025, using AI-assisted scripts to disable protections for ESET, McAfee, Kaspersky, and Malwarebytes while establishing persistence via scheduled tasks and Windows Defender exclusions. The primary update domain (chromsterabrowser[.]com) remained unregistered until researchers sinkholed it, exposing a latent risk where arbitrary payloads could have been delivered to already compromised systems. High-value targets included government entities, OT networks in energy/transport, 221 higher education institutions, 35 municipal governments, and Fortune 500 networks, with some infections dating back to 2022.

Timeline

  1. 15.04.2026 20:59 (2 articles)

    AV-terminating PUP update chain abuses signed Dragon Boss Solutions browsers to disable protections on 23.5k+ hosts

    Signed PUP browsers from Dragon Boss Solutions LLC deployed SYSTEM-level AV killers via an abused Advanced Installer update mechanism. The MSI-based payload (disguised as a GIF) included PowerShell scripts that disabled AV products by terminating services, deleting files, uninstalling software, and blocking vendor domains via hosts file modifications. Reconnaissance targeted Malwarebytes, Kaspersky, McAfee, and ESET. Infected hosts spanned 124 countries, with 324 high-value targets identified in education, OT/critical infrastructure, government, healthcare, and Fortune 500 networks. The primary update domain (chromsterabrowser[.]com) was unregistered until researchers sinkholed it, revealing the potential for arbitrary payload delivery to already compromised systems. A second article confirms the UAE-based Dragon Boss Solutions LLC as the actor, the malicious update deployment at approximately 03:00 UTC on March 22, 2025, and AI-assisted development of the payload. Persistence was established via scheduled tasks and Windows Defender exclusions to prevent interference with future payloads. The sinkholing effort by Huntress researchers confirmed infections across 23,500+ systems, with 50% located in the US, and revealed high-value targets including 35 government entities, 41 OT networks, 221 higher education institutions, and Fortune 500 companies. Some infections dated back to 2022, suggesting bundled adware distribution methods.

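One of the techniques described in the timeline entry above is blocking security-vendor domains through hosts file modifications. The check below is an added example written for this page; it is not code from the articles, from Huntress, or from any tool named here. It parses a hosts file and flags any entry that overrides a name under a watch-list of vendor domains, noting whether the override points at a blackhole address (0.0.0.0, loopback) or somewhere else. The vendor list, the blackhole set and the sample hosts content are assumptions constructed for the example; the default file paths are the standard Windows and Unix hosts locations.

```python
"""
Flag hosts-file entries that override security-vendor domains.

Added example for this page, not code from the original articles.
VENDOR_DOMAINS and SAMPLE_HOSTS are constructed for illustration.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path
from typing import List, Tuple

# Constructed watch-list; extend with the vendors deployed in your estate.
VENDOR_DOMAINS = {
    "eset.com",
    "mcafee.com",
    "kaspersky.com",
    "malwarebytes.com",
}

# Addresses that make a name resolve to nothing useful (sinkholed locally).
BLACKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Standard hosts-file locations on Windows and Unix-like systems.
DEFAULT_HOSTS_PATHS = [
    Path(r"C:\Windows\System32\drivers\etc\hosts"),
    Path("/etc/hosts"),
]

# "<address> <name> [<name> ...]" after comments have been stripped.
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def is_vendor_host(name: str) -> bool:
    """True if `name` is a watch-listed vendor domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in VENDOR_DOMAINS)


def find_blocked_vendor_hosts(hosts_text: str) -> List[Tuple[int, str, str, bool]]:
    """
    Return (line_number, address, hostname, blackholed) for every hosts
    entry that maps a vendor domain. Any such override is suspicious: a
    legitimate hosts file has no reason to redirect an AV vendor's names.
    """
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = HOSTS_LINE.match(line)
        if not m:
            continue  # blank or comment-only line
        addr, names = m.group(1), m.group(2).split()
        for name in names:
            if is_vendor_host(name):
                findings.append((lineno, addr, name, addr in BLACKHOLE_ADDRS))
    return findings


def scan_file(path: Path) -> List[Tuple[int, str, str, bool]]:
    """Scan a hosts file on disk; missing files yield no findings."""
    if not path.is_file():
        return []
    return find_blocked_vendor_hosts(path.read_text(encoding="utf-8", errors="replace"))


# Constructed sample mimicking the blocking technique; not a real capture.
SAMPLE_HOSTS = """\
# constructed sample, not a real capture
127.0.0.1 localhost
::1 localhost
0.0.0.0 update.eset.com
0.0.0.0 www.malwarebytes.com   # added by "updater"
127.0.0.1 kaspersky.com
10.0.0.5 intranet.example.com
"""


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the sample text.
    if len(sys.argv) > 1:
        results = scan_file(Path(sys.argv[1]))
    else:
        results = find_blocked_vendor_hosts(SAMPLE_HOSTS)
    for lineno, addr, name, blackholed in results:
        kind = "blackholed" if blackholed else "redirected"
        print(f"line {lineno}: {name} -> {addr} ({kind})")
```

Run it without arguments to see the three constructed findings, or pass a hosts file path to scan a real system. Because the scan reads the file as text, it can be pointed at a copy collected from an offline disk image during incident response as well as at a live host.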


Similar Happenings

Predator Spyware Exploits Zero-Click Infection Vector via Malicious Ads

Predator spyware, developed by Intellexa, has been using a zero-click infection mechanism called Aladdin, which infects targets by displaying malicious advertisements. This vector is hidden behind shell companies across multiple countries and leverages the commercial mobile advertising system to deliver malware. The spyware is still operational and actively developed, with additional delivery vectors like Triton targeting Samsung Exynos devices. The infection occurs when a target views a malicious ad, which triggers a redirection to Intellexa’s exploit delivery servers. The ads are served through a complex network of advertising firms, making defense measures challenging. Despite sanctions and investigations, including fines from the Greek Data Protection Authority, Intellexa remains active and prolific in zero-day exploitation. Recent leaks reveal that Intellexa's Predator spyware has been marketed under various names, including Helios, Nova, Green Arrow, and Red Arrow. The spyware exploits multiple zero-day vulnerabilities in Android and iOS devices, and uses frameworks like JSKit for native code execution. Intellexa also has the capability to remotely access the surveillance systems of its customers using TeamViewer. The spyware collects extensive data from targeted devices, including messaging apps, calls, emails, device locations, screenshots, passwords, and other on-device information. New research has confirmed that Predator spyware was used to target an Angolan journalist, Teixeira Cândido, in May 2024 via a WhatsApp link. The infection lasted less than one day and was removed when the device was restarted. Attackers made 11 additional attempts to re-infect the device, all of which failed. Predator spyware incorporates advanced anti-analysis mechanisms and has explicit checks to avoid running in U.S. and Israeli locales.

AI-Enhanced Malware Campaign Targeting Multiple Sectors

The AI-enhanced malware campaign, dubbed EvilAI, continues to target organizations globally, with infections confirmed in multiple regions including Europe, the Americas, and the Asia, Middle East, and Africa (AMEA) region. The malware, disguised as legitimate productivity and AI-enhanced apps, has infected hundreds of victims across manufacturing, government, healthcare, technology, and retail sectors. The campaign uses various propagation methods, including newly registered websites, malicious ads, SEO manipulation, and promoted download links on forums and social media. The malware performs extensive reconnaissance, disables security products, and uses obfuscation techniques to avoid detection, acting as an initial access broker for future exploit activity. The campaign, first identified in September 2025, has been observed using AI tools to distribute malware. The malware is concealed within seemingly legitimate apps, leveraging digital signatures and realistic features to evade detection. The threat actors behind the campaign are highly capable, using sophisticated techniques to make the malware appear authentic. The malware uses NeutralinoJS to execute JavaScript code and siphon sensitive data, employing Unicode homoglyphs to bypass detection. The presence of multiple code-signing publishers suggests a shared malware-as-a-service provider or a code-signing marketplace.