Dragon Boss Solutions signed adware campaign
Campaign
Summary
Hide ▲
Show ▼
The Dragon Boss Solutions campaign used signed adware installers to push SYSTEM-privileged payloads that disabled antivirus and blocked reinstalls, creating a broad follow-on abuse risk. On March 22, the operation reached more than 23,500 infected hosts across 124 countries in a single day. The affected environments included education, utilities, government, healthcare, and other high-value networks. The same update path also left infected machines exposed to further payload delivery if the operator infrastructure were repurposed or taken over.
Related Happenings
Daemon Tools Lite trojanized installer campaign
Campaign
First: 07.05.2026 12:30
Last: 07.05.2026 12:30
Sources 1
About this happening:
A **trojanized Daemon Tools Lite installer campaign** is driving **several thousand infection attempts** across **more than 100 countries**, turning a trusted download into a malw...
Daemon Tools Lite trojanized installer campaign
CampaignAbout this happening: A **trojanized Daemon Tools Lite installer campaign** is driving **several thousand infection attempts** across **more than 100 countries**, turning a trusted download into a malw...
DAEMON Tools Lite trojanized installer wave
Exploitation Wave
First: 06.05.2026 19:43
Last: 06.05.2026 19:43
Sources 1
About this happening:
Trojanized **DAEMON Tools Lite** installers backdoored **thousands of systems** in **more than 100 countries**, turning a trusted download path into a broad infection wave. The co...
DAEMON Tools Lite trojanized installer wave
Exploitation WaveAbout this happening: Trojanized **DAEMON Tools Lite** installers backdoored **thousands of systems** in **more than 100 countries**, turning a trusted download path into a broad infection wave. The co...
DAEMON Tools trojanized-installer stealer and backdoor activity
Malware Activity
First: 05.05.2026 22:21
Last: 05.05.2026 22:21
Sources 1
About this happening:
A **DAEMON Tools** supply-chain compromise is delivering **trojanized installers** that install a **backdoor** and steal system data from downloaded systems. The activity has run...
DAEMON Tools trojanized-installer stealer and backdoor activity
Malware ActivityAbout this happening: A **DAEMON Tools** supply-chain compromise is delivering **trojanized installers** that install a **backdoor** and steal system data from downloaded systems. The activity has run...
AVB Disc Soft hit by network compromise
Incident
First: 05.05.2026 19:07
Last: 05.05.2026 19:07
Sources 1
About this happening:
**DAEMON Tools** suffered a **supply-chain compromise** when **official installers** were **trojanized**, enabling malicious payload delivery and raising the risk of downstream in...
AVB Disc Soft hit by network compromise
IncidentAbout this happening: **DAEMON Tools** suffered a **supply-chain compromise** when **official installers** were **trojanized**, enabling malicious payload delivery and raising the risk of downstream in...
Latest development: 07.05.2026 12:30
Disc Soft released the malware-free Version 12.6 of Daemon Tools Lite on May 5 after being notified of the supply chain attack, removed the affected 12.5.1 package from support, and said the incident was contained after isolating affected systems, removing compromised files from distribution, auditing the build and release pipeline, rebuilding and validating installation packages, and strengthening internal security controls and monitoring.
QUIC RAT delivered through compromised DAEMON Tools installers
Malware Activity
First: 05.05.2026 19:07
Last: 05.05.2026 19:07
Sources 1
About this happening:
A follow-on **QUIC RAT** payload was delivered through compromised **DAEMON Tools installers**, extending the supply-chain intrusion into **remote access** on a small subset of in...
QUIC RAT delivered through compromised DAEMON Tools installers
Malware ActivityAbout this happening: A follow-on **QUIC RAT** payload was delivered through compromised **DAEMON Tools installers**, extending the supply-chain intrusion into **remote access** on a small subset of in...
Latest development: 07.05.2026 12:30
Disc Soft released malware-free Daemon Tools Lite Version 12.6 on May 5 after being notified of the supply chain attack on its build environment, and the affected 12.5.1 build was removed from distribution so users could move to the cleaned release.
Timeline
-
16.04.2026 22:07 1 articles · 1mo ago
Dragon Boss update disables AV and adds persistence
Technical Analysis UpdateDragon Boss Solutions LLC pushed a malicious Advanced Installer update in the early morning hours of March 22, 2025 that disabled ESET, McAfee, Kaspersky, and Malwarebytes detections, established persistence via scheduled tasks, and added Windows Defender exclusions, while Huntress sinkholed the campaign's primary update domain to limit further abuse.
Show sources
- 'Harmless' Global Adware Transforms Into an AV Killer — www.darkreading.com — 16.04.2026 22:07
-
15.04.2026 20:59 1 articles · 1mo ago
Signed PUP alerts uncover the campaign on March 22
Initial DisclosureSecurity researchers discovered a signed adware campaign from Dragon Boss Solutions LLC on March 22 after potentially unwanted program executables triggered alerts in multiple managed environments.
Show sources
- Signed software abused to deploy antivirus-killing scripts — www.bleepingcomputer.com — 15.04.2026 20:59
-
15.04.2026 20:59 1 articles · 1mo ago
Campaign reaches more than 23,500 hosts in 124 countries
Campaign Scope UpdateThe campaign was characterized as a large-scale operation reaching more than 23,500 infected hosts in 124 countries in a single day, with hundreds of infected endpoints in high-value networks, while the unregistered chromsterabrowser[.]com and worldwidewebframework3[.]com domains allowed sinkholing of infected connections.
Show sources
- Signed software abused to deploy antivirus-killing scripts — www.bleepingcomputer.com — 15.04.2026 20:59