Dragon Boss signed adware disables security products on 23,000+ hosts via WMI persistence and scheduled tasks
Summary
A signed adware operation attributed to Dragon Boss Solutions LLC disabled antivirus and endpoint security products on more than 23,000 hosts across 124 countries by deploying a PowerShell-based payload (ClockRemoval.ps1) that terminated processes, uninstalled security tools, and blocked reinstallation. The campaign abused a legitimate code-signing certificate and an update mechanism to deliver MSI-based payloads, leveraging SYSTEM privileges, WMI event subscriptions, and scheduled tasks to maintain persistence and evade detection. High-value targets included 221 universities, 41 operational technology networks, 35 government entities, and three healthcare organizations.
Timeline
- 15.04.2026 17:40 (1 article)
  Dragon Boss adware operation disables security products on 23,565 hosts after update domain sinkholing
  After an unregistered primary update domain was sinkholed, 23,565 unique IP addresses from 124 countries connected within 24 hours, confirming the global infection footprint and high-value targets including universities, OT networks, government entities, and healthcare organizations. The campaign leveraged signed payloads, SYSTEM privileges, and WMI/scheduled task persistence to systematically disable and uninstall antivirus products from Malwarebytes, Kaspersky, McAfee, and ESET.
  Source: Signed Adware Operation Disables Antivirus Across 23,000 Hosts — www.infosecurity-magazine.com — 15.04.2026 17:40
Information Snippets
- Dragon Boss Solutions LLC signed the malicious payloads using a legitimate code-signing certificate.
  First reported: 15.04.2026 17:40 (1 source, 1 article)
  Source: Signed Adware Operation Disables Antivirus Across 23,000 Hosts — www.infosecurity-magazine.com — 15.04.2026 17:40
- Payload execution relied on Advanced Installer to poll remote servers for MSI-based updates, enabling rapid payload delivery and updates.
  First reported: 15.04.2026 17:40 (1 source, 1 article)
  Source: Signed Adware Operation Disables Antivirus Across 23,000 Hosts — www.infosecurity-magazine.com — 15.04.2026 17:40
- The primary dropper script, ClockRemoval.ps1, executed with SYSTEM privileges and targeted antivirus products from Malwarebytes, Kaspersky, McAfee, and ESET.
  First reported: 15.04.2026 17:40 (1 source, 1 article)
  Source: Signed Adware Operation Disables Antivirus Across 23,000 Hosts — www.infosecurity-magazine.com — 15.04.2026 17:40
- Persistence was achieved via five scheduled tasks and WMI event subscriptions, with the script polling and killing AV processes every 100 milliseconds for 20 seconds at system boot.
  First reported: 15.04.2026 17:40 (1 source, 1 article)
  Source: Signed Adware Operation Disables Antivirus Across 23,000 Hosts — www.infosecurity-magazine.com — 15.04.2026 17:40
- The operation modified the Windows hosts file to redirect antivirus update domains to 0.0.0.0 and added exclusions for directories such as DGoogle and EMicrosoft.
  First reported: 15.04.2026 17:40 (1 source, 1 article)
  Source: Signed Adware Operation Disables Antivirus Across 23,000 Hosts — www.infosecurity-magazine.com — 15.04.2026 17:40
- An unregistered primary update domain in the operation’s configuration allowed anyone to push arbitrary payloads to all affected hosts, elevating the threat significantly.
  First reported: 15.04.2026 17:40 (1 source, 1 article)
  Source: Signed Adware Operation Disables Antivirus Across 23,000 Hosts — www.infosecurity-magazine.com — 15.04.2026 17:40
- A sinkhole was established after domain unregistration; within 24 hours, 23,565 unique IP addresses requested instructions from the sinkhole, spanning 124 countries with the US accounting for 54% of connections.
  First reported: 15.04.2026 17:40 (1 source, 1 article)
  Source: Signed Adware Operation Disables Antivirus Across 23,000 Hosts — www.infosecurity-magazine.com — 15.04.2026 17:40
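A defender-side hunt for the tampering and persistence artifacts the snippets above describe: hosts-file names null-routed to 0.0.0.0, permanent WMI event subscriptions, non-Microsoft scheduled tasks that launch PowerShell, and Defender path exclusions. This is an added example, not code from the article or the operation; the vendor names and the DGoogle/EMicrosoft directory names are the only page-specific values it uses, and the matching is a heuristic to be reviewed by an analyst.

```powershell
# Added example (not from the article): read-only checks for the artifacts reported in the snippets.
# Run in an elevated PowerShell session; results are collected as objects for review.
$vendors  = 'malwarebytes','kaspersky','mcafee','eset'      # vendors named in the article
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding($Category, $Detail) {
    $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. hosts file: any name mapped to 0.0.0.0 (the article reports AV update domains null-routed this way)
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_ -match '^\s*0\.0\.0\.0\s+(\S+)') {
        $name = $Matches[1]
        $tag  = if ($vendors | Where-Object { $name -like "*$_*" }) { 'AV-vendor' } else { 'other' }
        Add-Finding 'hosts-null-route' "$name ($tag)"
    }
}

# 2. permanent WMI event subscriptions: filter-to-consumer bindings and command-line consumers
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'wmi-binding' "$($_.Filter) -> $($_.Consumer)" }
Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'wmi-cmdline-consumer' "$($_.Name): $($_.CommandLineTemplate)" }

# 3. scheduled tasks outside \Microsoft\ whose action runs PowerShell or a .ps1 (the dropper is a .ps1)
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        foreach ($a in $_.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match 'powershell|pwsh|\.ps1') {
                Add-Finding 'task-powershell' "$($_.TaskPath)$($_.TaskName): $cmd"
            }
        }
    }

# 4. Defender path exclusions; the article reports exclusions for DGoogle and EMicrosoft directories
$pref = Get-MpPreference -ErrorAction SilentlyContinue
foreach ($p in @($pref.ExclusionPath)) {
    if ($p) {
        $tag = if ($p -match 'DGoogle|EMicrosoft') { 'matches-article' } else { 'review' }
        Add-Finding 'defender-exclusion' "$p ($tag)"
    }
}

$findings | Format-Table -AutoSize
```

An empty result set is not a clean bill of health on a host where the AV product has already been uninstalled; pair these checks with the vendor's own tamper-protection telemetry.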