A sophisticated supply chain attack orchestrated using a seemingly innocuous software update from Dragon Boss Solutions LLC has exposed over 25,000 endpoints worldwide. The attack, discovered on March 22, 2026, initially presented as a routine adware alert before revealing its true, far more dangerous nature: a multi-stage operation designed to disable critical security software and render systems vulnerable to further exploitation.
Dragon Boss Solutions LLC, which purports to be involved in “search monetization research,” had its signed software exploited to carry out this widespread breach. The executables, running with SYSTEM privileges, silently downloaded and deployed payloads that systematically deactivated antivirus programs and other security defenses on infected machines. Security researchers first noted the anti-antivirus capabilities in late March 2025, although the underlying infection mechanisms had been present since late 2024.
The Dragon Boss Solutions Update Domain Supply Chain Attack Unveiled
The attackers leveraged Advanced Installer, a legitimate packaging and update tool, to distribute MSI and PowerShell-based payloads. This approach allowed them to mask their malicious activity behind a veneer of legitimacy. Huntress researchers James Northey and Ryan Dowd identified the threat when Windows Management Instrumentation (WMI) persistence signals began triggering across managed environments. Their investigation traced the infection chain back to a signed executable named RaceCarTwo.exe.
Following this initial execution, the attack proceeded with the deployment of Setup.msi. This installer in turn launched a PowerShell script, ClockRemoval.ps1, which proved to be a potent antivirus killer: it not only terminated security processes but also actively prevented their reinstallation, ensuring that once security software had been stopped it could not easily be restored.
A critical vulnerability discovered in the attack’s configuration was the use of an unregistered update domain, chromsterabrowser[.]com. This oversight allowed any individual or group willing to register the domain for a nominal fee to gain control over all infected endpoints running that specific software variant. This meant they could push any subsequent payload, such as ransomware or infostealers, to tens of thousands of systems.
Huntress researchers quickly registered the domain and pointed it to a sinkhole, effectively observing the scale of the infection in real-time. Within 24 hours, 23,565 unique IP addresses connected to the sinkhole, confirming the global reach of the ongoing campaign. The United States bore the brunt of the infections, with 12,697 hosts (53.9%), followed by France (2,803 hosts, 11.9%), Canada (2,380 hosts, 10.1%), the United Kingdom (2,223 hosts, 9.4%), and Germany (2,045 hosts, 8.7%).
High-Value Networks Among Affected Targets
The campaign’s impact extended to numerous high-value networks. Among the infected systems, 324 were identified as belonging to critical sectors. This included 221 universities and colleges, 41 operational technology networks associated with electric utilities and critical infrastructure, 35 government entities, 24 primary and secondary schools, and 3 healthcare organizations. Notably, multiple Fortune 500 company networks were also among those compromised, highlighting the broad and significant implications of this supply chain compromise.
Inside the AV-Killing Payload’s Mechanism
The ClockRemoval.ps1 script served as the heart of the attack’s destructive capabilities. Upon deployment via the MSI update package, it initiated a comprehensive system scan. The script systematically terminated antivirus processes, removed their associated services through registry manipulation, and established five scheduled tasks configured to run with SYSTEM privileges. These tasks, named ClockSetupWmiAtBoot, DisableClockServicesFirst, DisableClockAtStartup, RemoveClockAtLogon, and RemoveClockPeriodic, were designed to disable security tools at every boot and startup and again at 30-minute intervals, keeping the attackers’ foothold intact.
Furthermore, the script modified the Windows hosts file to redirect update domains of major antivirus vendors, including Malwarebytes and Kaspersky, to 0.0.0.0. This effectively blocked any attempts to reinstall these security solutions. The script also created exclusions within Windows Defender for directories believed to be staging areas for future payloads, such as DGoogle, EMicrosoft, and DDapps. Additionally, Dragon Boss Solutions-signed Chrome binaries were observed running with a flag that permanently disabled Chrome’s auto-update functionality, a potential strategy to maintain persistence or prevent the browser from auto-updating to a patched version.
Security teams are advised to actively hunt for WMI event subscriptions containing “MbRemoval” or “MbSetup” in their consumer names. Monitoring scheduled tasks for references to WMILoad directories or ClockRemoval scripts is also crucial. Additionally, flagging any processes signed by Dragon Boss Solutions LLC, inspecting the hosts file for blocked AV vendor domains, and checking Windows Defender exclusion paths for suspicious entries such as DGoogle, EMicrosoft, or DDapps are recommended proactive measures. The full details and indicators of compromise have been shared by Huntress, enabling organizations to bolster their defenses.
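The following PowerShell hunt script is an added example, not code from Huntress or from the article, that turns the persistence mechanisms described above and the hunting recommendations in the preceding paragraph into a single triage pass over a Windows endpoint. It uses only standard cmdlets (Get-CimInstance, Get-ScheduledTask, Get-AuthenticodeSignature, Get-MpPreference) and the indicator strings named in the article; the list of antivirus vendor domains checked in the hosts file is an assumed sample that should be extended with the vendors deployed in your environment.

```powershell
# Added example: hunt for the ClockRemoval.ps1 persistence indicators described in the article.
# Run from an elevated PowerShell session on the endpoint being triaged.
function Invoke-ClockRemovalHunt {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Indicator, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
    }

    # 1. WMI event consumers whose names contain MbRemoval / MbSetup.
    #    Querying the abstract __EventConsumer class returns every concrete consumer type.
    $consumers = Get-CimInstance -Namespace 'root\subscription' -ClassName '__EventConsumer' -ErrorAction SilentlyContinue
    foreach ($c in $consumers) {
        if ($c.Name -match 'MbRemoval|MbSetup') {
            Add-Finding 'WMI consumer' "$($c.CimClass.CimClassName): $($c.Name)"
        }
    }

    # 2. Scheduled tasks with the names reported in the article, or whose actions
    #    reference a WMILoad directory or a ClockRemoval script.
    $taskNames = 'ClockSetupWmiAtBoot|DisableClockServicesFirst|DisableClockAtStartup|RemoveClockAtLogon|RemoveClockPeriodic'
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        if ($t.TaskName -match "^($taskNames)$") {
            Add-Finding 'Scheduled task name' $t.TaskName
        }
        foreach ($a in $t.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match 'WMILoad|ClockRemoval') {
                Add-Finding 'Scheduled task action' "$($t.TaskName) -> $cmd"
            }
        }
    }

    # 3. Running processes whose image is Authenticode-signed by Dragon Boss Solutions LLC.
    #    Win32_Process.ExecutablePath is null for processes we cannot open, so those are skipped.
    $procs = Get-CimInstance -ClassName Win32_Process -ErrorAction SilentlyContinue
    foreach ($p in $procs | Where-Object { $_.ExecutablePath }) {
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath -ErrorAction SilentlyContinue
        if ($sig -and $sig.SignerCertificate -and $sig.SignerCertificate.Subject -match 'Dragon Boss Solutions') {
            Add-Finding 'Signed process' "$($p.ProcessId) $($p.ExecutablePath)"
        }
    }

    # 4. hosts file entries that blackhole antivirus vendor domains to 0.0.0.0.
    #    $avDomains is an assumed sample list; extend it with your own vendors.
    $avDomains = @('malwarebytes.com', 'kaspersky.com')
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in Get-Content -Path $hostsPath -ErrorAction SilentlyContinue) {
        if ($line -match '^\s*0\.0\.0\.0\s+(\S+)') {
            $hostName = $Matches[1]   # note: $host is a reserved automatic variable
            foreach ($d in $avDomains) {
                if ($hostName -like "*$d") { Add-Finding 'hosts blackhole' $line.Trim() }
            }
        }
    }

    # 5. Windows Defender path exclusions naming the reported staging directories.
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    foreach ($ex in @($mp.ExclusionPath)) {
        if ($ex -match 'DGoogle|EMicrosoft|DDapps') {
            Add-Finding 'Defender exclusion' $ex
        }
    }

    return $findings
}

$results = Invoke-ClockRemovalHunt
if ($results.Count -eq 0) {
    Write-Output 'No ClockRemoval indicators found on this host.'
} else {
    $results | Format-Table -AutoSize
}
```

Each check is written to fail closed on missing access rather than abort: a host that denies WMI subscription reads or Defender preference queries still reports the remaining indicators. A non-empty result set is a reason to isolate the host and pull the scheduled task XML, the WMI consumer bodies, and the hosts file for further analysis, not a definitive verdict on its own.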