ClockRemoval.ps1 antivirus-disabling malware activity linked to Dragon Boss Solutions LLC

Malware Activity
Happening score (H score): 23
2 unique sources, 2 articles

Summary

A signed software operation linked to Dragon Boss Solutions LLC was observed using ClockRemoval.ps1 to disable antivirus on more than 23,000 endpoints worldwide, raising the risk of follow-on payload delivery and long-lived compromise. The payload targeted Malwarebytes, Kaspersky, McAfee, and ESET, used persistence to stay active, and blocked the reinstallation of security tools. Sinkhole telemetry later showed exposure across 124 countries, including universities, OT networks, government entities, and healthcare organizations.

Related Happenings

Secret Blizzard Kazuar modular P2P botnet

Malware Activity
First: 16.05.2026 17:15 Last: 16.05.2026 17:15 Sources 1

About this happening: **Kazuar** is being used in a **multi-stage campaign in Ukraine** that ESET says likely involves **Gamaredon** providing access and **Turla/Secret Blizzard** delivering the backdo...

Pwn2Own Berlin 2026 multi-product zero-days privilege-escalation flaw

Vulnerability
First: 14.05.2026 21:53 Last: 14.05.2026 21:53 Sources 1

About this happening: **Pwn2Own Berlin 2026** opened with **24 unique zero-days** demonstrated against **fully patched products**, creating immediate exposure across browser, OS, virtualization, enterp...

JDownloader website hit by network compromise

Incident
First: 09.05.2026 22:27 Last: 09.05.2026 22:27 Sources 1

About this happening: The **JDownloader website** suffered a **supply-chain compromise** that replaced official **Windows** and **Linux** installer links with malicious payloads, putting users who down...

TCLBANKER banking trojan activity targeting 59 financial platforms

Malware Activity
First: 08.05.2026 21:12 Last: 08.05.2026 21:12 Sources 1

About this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...

TCLBanker self-spreading banking trojan

Malware Activity
First: 08.05.2026 01:06 Last: 08.05.2026 01:06 Sources 1

About this happening: The **TCLBanker** trojan now combines **trojanized installer** delivery with **self-spreading worm modules**, widening access to **59 banking, fintech, and cryptocurrency platform...

Timeline

  1. 15.04.2026 17:40 2 articles · 1mo ago

    ClockRemoval.ps1 antivirus-disabling malware activity linked to Dragon Boss Solutions LLC

    Initial Disclosure

    In the earliest observed phase, the payload arrived through a legitimate update channel and checked for administrative access before continuing. It then enumerated virtual machines and installed security products as part of the setup for the disabling routine.
