A troubling report has emerged concerning a software operation associated with Dragon Boss Solutions LLC, which has been surreptitiously disabling antivirus programs on over 23,000 endpoints globally. This alarming development was detailed in a research study released by Huntress on Tuesday. The campaign cleverly employed a legitimate code-signing certificate and a standard update mechanism to deploy a PowerShell-based payload designed to systematically terminate, uninstall, and block the reinstallation of crucial security tools.
The malicious antivirus-disabling behavior was first detected by Huntress researchers in late March 2025. However, the foundational loaders connected to this operation had reportedly existed on various hosts since late 2024. These executables were built with Advanced Installer and polled remote servers for Microsoft Installer (MSI) updates. Once delivered, a script designated as ClockRemoval.ps1 was executed with SYSTEM privileges, specifically targeting antivirus products from major companies such as Malwarebytes, Kaspersky, McAfee, and ESET.
### Mechanics of the Attack Chain
The operational specifics of this attack chain reveal an alarming sophistication. Before unleashing its full destructive capabilities, the payload undertakes a thorough assessment of the system. It checks for administrator privileges, detects if it is being executed within virtual machines, and queries the Windows registry for any installed security products. Following this reconnaissance, the payload establishes five scheduled tasks and utilizes Windows Management Instrumentation (WMI) event subscriptions to ensure its persistence across system reboots and logins, triggering every 30 minutes.
What makes this operation particularly insidious is a tight polling loop that seeks out and kills processes associated with antivirus software every 100 milliseconds for a duration of 20 seconds upon system startup. This rapid termination of security processes occurs before these tools have the opportunity to initialize. Additionally, the script scrubs related registry entries, silently runs vendor-specific uninstallers, and alters the Windows hosts file to reroute antivirus update domains to the null address 0.0.0.0, so the products can no longer fetch updates.
In an even more alarming turn, the operation also creates Defender exclusions for specific directories—identified as DGoogle and EMicrosoft—which appear to serve as staging grounds for future payloads.
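The persistence and tampering artefacts described above can be checked for on a single Windows host. The following hunting script is an added example, not part of the Huntress report; it looks only for the artefacts the article names (ClockRemoval.ps1, the DGoogle and EMicrosoft exclusions, 0.0.0.0 hosts entries, and permanent WMI event consumers) and should be run from an elevated PowerShell session.

```powershell
# Added hunting script (not from the Huntress report). Checks one host for the artefacts
# the article describes. Run as Administrator; $findings collects anything suspicious.
$findings = @()

# 1. hosts file lines that sink a domain to 0.0.0.0 (the payload reroutes AV update domains).
#    Caveat: ad-blocking hosts files also use 0.0.0.0, so review the domains, not just the count.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*0\.0\.0\.0\s+\S+' } |
    ForEach-Object { $findings += "hosts sinkhole entry: $($_.Trim())" }

# 2. Defender path exclusions for the staging directories named in the report.
try {
    $prefs = Get-MpPreference -ErrorAction Stop
    foreach ($p in @($prefs.ExclusionPath)) {
        if ($p -match 'DGoogle|EMicrosoft') { $findings += "Defender exclusion: $p" }
    }
} catch { $findings += "Could not read Defender preferences: $($_.Exception.Message)" }

# 3. Scheduled tasks whose action references the payload script.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in @($task.Actions)) {
        if ("$($a.Execute) $($a.Arguments)" -match 'ClockRemoval\.ps1') {
            $findings += "Scheduled task: $($task.TaskPath)$($task.TaskName)"
        }
    }
}

# 4. Permanent WMI event subscriptions (used by the loader to survive reboots and logins).
#    Any CommandLineEventConsumer bound to a filter is rare on a clean workstation and
#    deserves a manual look, so every one is listed rather than pattern-matched.
$ns = 'root/subscription'
$bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
foreach ($b in @($bindings)) {
    $findings += "WMI binding: filter=$($b.Filter) consumer=$($b.Consumer)"
}
$consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
foreach ($c in @($consumers)) {
    $findings += "WMI CommandLineEventConsumer '$($c.Name)': $($c.CommandLineTemplate)"
}

if ($findings.Count -eq 0) { 'No artefacts matching the report were found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A hit on any of checks 2 through 4 is a strong signal on an endpoint that should not have custom exclusions or WMI consumers; check 1 needs the listed domains compared against the vendors' update hostnames before it is treated as evidence.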
### The Broader Impact of the Sinkhole Discovery
The research team at Huntress took proactive measures by registering the primary update domain linked to this operation and redirecting it to a sinkhole. Within just 24 hours, an astonishing 23,565 unique IP addresses sought instructions from the newly created sinkhole. The infections were reported across 124 countries, with the United States making up approximately 54% of these connections, followed by France, Canada, the UK, and Germany.
Among the infected networks, Huntress pinpointed 324 instances on high-value systems, including:
– 221 universities and colleges
– 41 operational technology networks, notably within electric utilities
– 35 government organizations
– 3 healthcare entities
According to CrunchBase, Dragon Boss Solutions is headquartered in Sharjah, United Arab Emirates, where it purports to engage in “search monetization research.” Historically, antivirus vendors have classified software carrying its signature as adware, often accompanied by browser hijacking features.
### Potential Future Threats
While the immediate threat posed by this operation involves the neutralization of antivirus protections, Huntress has issued a warning regarding the potential for future malicious payloads. The existing update infrastructure has the capacity to deliver a wide range of harmful payload types. With antivirus defenses already compromised, the operation could rapidly pivot to more devastating threats, including ransomware attacks, cryptomining activities, or data theft, without necessitating further exploitation efforts.
In summary, this operation linked to Dragon Boss Solutions LLC raises serious concerns in the realm of cybersecurity. As traditional protective measures fall victim to sophisticated methods of infiltration, the necessity for layered defenses and constant vigilance becomes increasingly apparent. Organizations are now faced with the daunting task of reevaluating and strengthening their cybersecurity strategies to shield against this growing menace.