- Huntress sinkholes adware signed by Dragon Boss Solutions LLC
- Malware disabled antivirus and left exploitable update domains open for $10
- Tens of thousands of endpoints compromised, including universities, OT networks, governments, and Fortune 500 companies
Huntress security researchers recently stumbled upon an adware that, by all indications, should have been a boring, run-of-the-mill ad display annoyance. However, what they found beneath the surface caught their attention and deserved further investigation.
In late March 2026, Huntress was alerted to software signed by a company called Dragon Boss Solutions LLC. The company was supposedly working on “search monetization research” (but in practice just showed people unwanted ads and redirects), and its software came with an advanced update mechanism that disabled antivirus programs and prevented them from launching again.
By analyzing how the malware worked, researchers discovered that the threat actors had not registered either the primary or the backup update domain, which was at once a significant risk and a rare opportunity to do some good.
Cutting the ties
“The most concerning thing is that it turned out to have an open door directly into its upgrade settings, one that anyone with $10 could have walked straight through,” Huntress said. In other words, someone could have registered these domains and thus taken control of a vast network of infected computers.
Instead, it was Huntress who purchased the domains, effectively blocking all infected hosts from connecting.
“Within hours,” they saw “tens of thousands of compromised endpoints search for instructions that, in the wrong hands, could have been anything.”
By analyzing incoming IP addresses, Huntress researchers found 324 infected devices in high-value locations, including 221 academic institutions, 41 operational technology networks in the energy and transportation sectors, 35 municipal governments, state agencies and utilities, 24 primary and secondary education institutions, and 3 healthcare organizations. Additionally, the networks of several Fortune 500 companies were also compromised.
To stay safe, the researchers recommend that system administrators look for WMI event subscriptions containing “MbRemoval” or “MbSetup”, scheduled tasks referencing “WMILoad” or “ClockRemoval”, and running processes signed by Dragon Boss Solutions LLC.
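A hunting script that checks a Windows host for the three indicator classes just listed, added here as an illustration; it is not a Huntress or TechRadar artifact. The indicator strings are the ones named in the article; the function name, the report format and the assumption that it is run from an elevated Windows PowerShell 5.1 (or later) prompt are the example's own.

```powershell
# Added example, not from Huntress or TechRadar. Indicator strings are taken from the
# article; everything else (structure, output shape) is this example's own choice.
# Run from an elevated prompt: root\subscription and other processes' image paths
# are not readable from a standard user session.

$WmiTerms  = @('MbRemoval', 'MbSetup')          # WMI permanent event subscriptions
$TaskTerms = @('WMILoad', 'ClockRemoval')       # scheduled task names / actions
$Signer    = 'Dragon Boss Solutions'            # Authenticode signer subject to flag

function Find-DragonBossIndicators {
    $findings = New-Object System.Collections.Generic.List[object]
    $add = {
        param($Kind, $Where, $Match)
        $findings.Add([pscustomobject]@{ Kind = $Kind; Where = $Where; Match = $Match })
    }

    # 1. WMI permanent event subscriptions live in root\subscription as a filter,
    #    a consumer and a binding. The name may appear in any of the three, so
    #    serialize every instance of each class and search the text.
    foreach ($class in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
        Get-CimInstance -Namespace 'root\subscription' -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                $text = ($_ | Select-Object * | Out-String)
                foreach ($t in $WmiTerms) {
                    if ($text -match [regex]::Escape($t)) { & $add 'WMI' $class $t }
                }
            }
    }

    # 2. Scheduled tasks: the term may sit in the task name or only inside an
    #    action, so check the exported task XML rather than just TaskName.
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = Export-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -ErrorAction SilentlyContinue
        $hay = "$($_.TaskName)`n$xml"
        foreach ($t in $TaskTerms) {
            if ($hay -match [regex]::Escape($t)) { & $add 'Task' "$($_.TaskPath)$($_.TaskName)" $t }
        }
    }

    # 3. Running processes: check the Authenticode signer of each unique image path.
    #    A signature is flagged on subject alone; Status is reported too, because a
    #    revoked certificate still identifies the publisher.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        Select-Object -ExpandProperty Path -Unique |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_ -ErrorAction SilentlyContinue
            if ($sig -and $sig.SignerCertificate -and
                $sig.SignerCertificate.Subject -match [regex]::Escape($Signer)) {
                & $add 'Process' $_ "$($sig.SignerCertificate.Subject) [$($sig.Status)]"
            }
        }

    return $findings
}

$results = Find-DragonBossIndicators
if ($results.Count -eq 0) {
    Write-Output 'No Dragon Boss Solutions indicators found on this host.'
} else {
    $results | Format-Table -AutoSize
    exit 1   # non-zero exit so an RMM or fleet job can flag the host
}
```

The WMI check deliberately searches the serialized instance rather than a single property: the persistence can be named in the filter, the consumer (for example the command line of a CommandLineEventConsumer), or only in the binding, and matching on the whole text catches all three. Because the script only reads and reports, it is safe to schedule across a fleet; remediation of anything it finds is a separate, deliberate step.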