Executive Summary
A sophisticated and widespread cyber campaign has been identified in which digitally signed software, distributed by Dragon Boss Solutions LLC, is being abused to deploy scripts that systematically disable antivirus (AV) protections on thousands of endpoints worldwide. This campaign leverages the trust inherent in code-signing certificates and the capabilities of commercial installer frameworks to escalate privileges, evade detection, and persistently remove security software. The result is a significant increase in organizational risk, as compromised endpoints are left exposed to further exploitation, data exfiltration, and lateral movement by threat actors. The abuse of signed software in this manner represents a critical evolution in adversarial tactics, undermining traditional trust models and challenging existing endpoint protection paradigms.
Threat Actor Profile
The campaign is attributed to the abuse of software signed by Dragon Boss Solutions LLC, a publisher not previously associated with advanced persistent threat (APT) activity. There is currently no direct evidence linking this campaign to known APT groups or nation-state actors. The threat actors behind this operation have demonstrated a high degree of operational security and technical sophistication, leveraging legitimate software supply chains and code-signing infrastructure to distribute their payloads. The infrastructure and techniques observed are modular and could be readily adopted by more advanced adversaries, increasing the risk of further, more damaging campaigns in the future.
Technical Analysis of Malware/TTPs
The attack chain begins with the distribution of digitally signed adware tools, masquerading as legitimate browsers such as Chromstera Browser, Chromnius, WorldWideWeb, Web Genius, and Artificius Browser. All affected versions are signed by Dragon Boss Solutions LLC. These applications are detected as Potentially Unwanted Programs (PUPs) by multiple security vendors but are often able to bypass initial scrutiny due to their valid digital signatures.
Upon execution, the software leverages the update mechanism of the commercial Advanced Installer tool to silently deploy malicious payloads with SYSTEM-level privileges. The update process fetches an MSI payload, typically named Setup.msi and disguised as a GIF image, from attacker-controlled domains such as chromsterabrowser[.]com and worldwidewebframework3[.]com. The MSI package contains legitimate DLLs and a configuration file (!_StringData) that provides custom instructions for the installer.
The installer performs reconnaissance by checking for administrative privileges, virtual machine artifacts, and internet connectivity, and by querying the Windows registry for installed AV products, specifically targeting Malwarebytes, Kaspersky, McAfee, and ESET. If AV products are detected, a PowerShell script named ClockRemoval.ps1 is deployed. This script is engineered to stop AV services and processes, delete installation directories and registry entries, execute vendor uninstallers (or forcibly remove files if uninstallers fail), and block AV vendor domains by modifying the Windows hosts file to null-route (0.0.0.0) critical update and telemetry endpoints.
Persistence is achieved through the creation of scheduled tasks (such as “WMILoad” and “ClockRemoval”) and Windows Management Instrumentation (WMI) event subscriptions (such as “MbRemoval” and “MbSetup”). The script is configured to execute at system boot, user logon, and every 30 minutes, ensuring that AV software remains disabled and that any attempts at remediation are thwarted. The update mechanism is further hardened to prevent users from disabling updates, and it regularly checks for new payloads, allowing the attackers to maintain control and potentially escalate their activities.
The abuse of code-signing certificates and commercial installer frameworks enables the attackers to bypass many traditional security controls, including application whitelisting and endpoint detection and response (EDR) solutions that rely on publisher trust. The campaign’s modular design and use of legitimate infrastructure make detection and remediation particularly challenging.
Exploitation in the Wild
This campaign has been observed at scale, with over 23,500 infected hosts identified across 124 countries. High-value targets include academic institutions, operational technology networks in energy, transport, and critical infrastructure, municipal governments, state agencies, public utilities, primary and secondary educational institutions, healthcare organizations, and multiple Fortune 500 company networks. The attackers’ infrastructure is capable of delivering additional, potentially more destructive payloads, and the campaign remains active as of the latest reporting.
The abuse of Advanced Installer’s update mechanism for privileged, silent payload delivery, combined with the use of digitally signed binaries, has enabled the attackers to evade detection and maintain persistence in a wide variety of environments. The campaign’s reliance on legitimate software supply chains and code-signing infrastructure represents a significant escalation in adversarial tradecraft.
Victimology and Targeting
The campaign’s victims are distributed globally, with significant concentrations in North America, Europe, and Asia. The most heavily impacted sectors include academic institutions (221 confirmed cases), operational technology networks in energy, transport, and critical infrastructure (41), municipal governments, state agencies, and public utilities (35), primary and secondary educational institutions (24), healthcare organizations (3), and multiple Fortune 500 company networks. The targeting appears opportunistic, with a focus on maximizing infection rates and disabling security controls across a broad range of organizations. The attackers’ ability to compromise high-value networks and critical infrastructure underscores the severity of the threat.
Mitigation and Countermeasures
Organizations are strongly advised to take immediate action to detect and remediate infections associated with this campaign. Detection efforts should focus on identifying processes signed by Dragon Boss Solutions LLC, auditing WMI event subscriptions for “MbRemoval” or “MbSetup”, reviewing scheduled tasks for “WMILoad” or “ClockRemoval”, inspecting the Windows hosts file for AV vendor domain blocks, and checking Microsoft Defender exclusions for suspicious paths such as DGoogle, EMicrosoft, and DDapps.
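The following hunting script is an added example and is not code from this advisory, from Rescana, or from any vendor cited. It checks a single Windows host for the five indicator classes listed above (processes signed by the abused publisher, the named WMI subscriptions, the named scheduled tasks, 0.0.0.0 hosts-file entries for the four AV vendors the advisory names, and Defender exclusions containing the suspicious path fragments) and returns one record per finding. The indicator names are taken from the advisory; the hosts-file vendor keyword regex and all function names are assumptions of this example.

```powershell
# Added hunting script (example only; not from the advisory or any vendor).
# Run in an elevated PowerShell session: the root\subscription namespace and
# Get-MpPreference require administrative rights.

$SignerPattern      = 'Dragon Boss Solutions LLC'          # from the advisory
$WmiIndicatorNames  = @('MbRemoval', 'MbSetup')             # from the advisory
$TaskIndicatorNames = @('WMILoad', 'ClockRemoval')          # from the advisory
$ExclusionKeywords  = @('DGoogle', 'EMicrosoft', 'DDapps')  # from the advisory
# Assumption: vendor keywords derived from the four AV products the advisory names.
$HostsVendorRegex   = '^\s*0\.0\.0\.0\s+\S*(malwarebytes|kaspersky|mcafee|eset)'
$HostsPath          = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function New-Finding {
    param([string]$Category, [string]$Detail)
    [pscustomobject]@{ Host = $env:COMPUTERNAME; Category = $Category; Detail = $Detail }
}

function Get-SignedProcessFindings {
    # Running processes whose image is Authenticode-signed by the abused publisher.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |
        Sort-Object Path -Unique |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
            if ($sig -and $sig.SignerCertificate -and
                $sig.SignerCertificate.Subject -like "*$SignerPattern*") {
                New-Finding 'SignedProcess' "$($_.ProcessName) (PID $($_.Id)) -> $($_.Path)"
            }
        }
}

function Get-WmiSubscriptionFindings {
    # Permanent WMI subscriptions live in root\subscription as filters and consumers.
    # Querying the abstract __EventConsumer class returns every concrete consumer type.
    foreach ($class in '__EventFilter', '__EventConsumer') {
        Get-CimInstance -Namespace 'root\subscription' -ClassName $class -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -in $WmiIndicatorNames } |
            ForEach-Object { New-Finding 'WmiSubscription' "$class '$($_.Name)'" }
    }
}

function Get-ScheduledTaskFindings {
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -in $TaskIndicatorNames } |
        ForEach-Object {
            $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            New-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName): $actions"
        }
}

function Get-HostsFileFindings {
    # Null-route (0.0.0.0) lines pointing at AV vendor domains block updates and telemetry.
    if (-not (Test-Path $HostsPath)) { return }
    Get-Content -Path $HostsPath -ErrorAction SilentlyContinue |
        Where-Object { $_ -match $HostsVendorRegex } |
        ForEach-Object { New-Finding 'HostsFileBlock' $_.Trim() }
}

function Get-DefenderExclusionFindings {
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $pref) { return }
    foreach ($path in @($pref.ExclusionPath)) {
        foreach ($kw in $ExclusionKeywords) {
            if ($path -and $path -like "*$kw*") { New-Finding 'DefenderExclusion' $path; break }
        }
    }
}

function Invoke-AvKillerHunt {
    # Collect every finding into one array so it can be displayed or exported.
    $findings = @(
        Get-SignedProcessFindings
        Get-WmiSubscriptionFindings
        Get-ScheduledTaskFindings
        Get-HostsFileFindings
        Get-DefenderExclusionFindings
    )
    if ($findings.Count -eq 0) {
        Write-Host "No indicators from the advisory found on $env:COMPUTERNAME"
    } else {
        $findings | Format-Table -AutoSize
    }
    return $findings
}

$results = Invoke-AvKillerHunt
# For fleet-wide triage, export per host, e.g.:
# $results | Export-Csv -NoTypeInformation -Path "hunt-$env:COMPUTERNAME.csv"
```

The script only reads state and makes no changes, so it is safe to push through a remote-execution tool to every endpoint and aggregate the CSVs centrally. A single SignedProcess or WmiSubscription hit is enough to treat the host as compromised, because the campaign installs both before touching AV software.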
Immediate remediation steps include removing any software signed by Dragon Boss Solutions LLC, restoring AV software and verifying its integrity, removing malicious scheduled tasks, WMI subscriptions, and hosts file modifications, and monitoring for re-infection attempts. Organizations should also block the attacker-controlled domains chromsterabrowser[.]com and worldwidewebframework3[.]com at the network perimeter.
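The remediation helper below is an added example, not code from this advisory, from Rescana, or from any vendor. It removes the three persistence artifacts the advisory names (the scheduled tasks, the WMI filter/consumer/binding objects, and the hosts-file null-routes for the four listed AV vendors) and backs up the hosts file before editing it. Uninstalling the signed software and reinstalling AV are left to the operator because those steps depend on the product and deployment. The function name, parameter names and the vendor keyword regex are assumptions of this example.

```powershell
# Added remediation script (example only; not from the advisory or any vendor).
# Run elevated. Use -WhatIf first to preview every change without applying it.

function Remove-AvKillerPersistence {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$TaskNames   = @('WMILoad', 'ClockRemoval'),   # from the advisory
        [string[]]$WmiNames    = @('MbRemoval', 'MbSetup'),      # from the advisory
        [string]  $HostsPath   = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'),
        # Assumption: keywords derived from the four AV products the advisory names.
        [string]  $VendorRegex = '^\s*0\.0\.0\.0\s+\S*(malwarebytes|kaspersky|mcafee|eset)'
    )
    $removed = [System.Collections.Generic.List[string]]::new()

    # 1. Scheduled tasks that re-run the AV-killing script at boot, logon and every 30 min.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        if ($task.TaskName -in $TaskNames -and
            $PSCmdlet.ShouldProcess("$($task.TaskPath)$($task.TaskName)", 'Unregister scheduled task')) {
            Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false
            $removed.Add("task:$($task.TaskName)")
        }
    }

    # 2. WMI subscriptions: delete the bindings first, then the consumers and filters.
    #    The binding's Filter reference renders as text containing the filter name.
    $ns = 'root\subscription'
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
        Where-Object {
            $ref = "$($_.Filter)"
            @($WmiNames | Where-Object { $ref -like "*$_*" }).Count -gt 0
        } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess("$($_.Filter)", 'Remove WMI binding')) {
                $_ | Remove-CimInstance
                $removed.Add('wmi-binding')
            }
        }
    foreach ($class in '__EventConsumer', '__EventFilter') {
        Get-CimInstance -Namespace $ns -ClassName $class -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -in $WmiNames } |
            ForEach-Object {
                if ($PSCmdlet.ShouldProcess("$class '$($_.Name)'", 'Remove WMI object')) {
                    $_ | Remove-CimInstance
                    $removed.Add("wmi:$($_.Name)")
                }
            }
    }

    # 3. hosts file: drop only the 0.0.0.0 lines aimed at AV vendor domains and keep
    #    a timestamped backup so the edit can be reviewed or reverted.
    if (Test-Path $HostsPath) {
        $lines = Get-Content -Path $HostsPath
        $bad   = @($lines | Where-Object { $_ -match $VendorRegex })
        if ($bad.Count -gt 0 -and
            $PSCmdlet.ShouldProcess($HostsPath, "Remove $($bad.Count) AV null-route line(s)")) {
            Copy-Item -Path $HostsPath -Destination "$HostsPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
            $lines | Where-Object { $_ -notmatch $VendorRegex } |
                Set-Content -Path $HostsPath -Encoding ASCII
            $bad | ForEach-Object { $removed.Add("hosts:$($_.Trim())") }
        }
    }

    return $removed
}

# Preview, then apply:
# Remove-AvKillerPersistence -WhatIf
# Remove-AvKillerPersistence -Verbose
```

Run the removal before reinstalling AV: the scheduled tasks and WMI subscriptions fire on boot and logon, so an AV reinstall done first will be undone at the next trigger. Re-run the hunting check afterwards to confirm nothing has been recreated by a still-running updater.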
Long-term mitigation strategies should include strengthening software supply chain security, implementing application control policies that do not rely solely on code-signing trust, and enhancing endpoint monitoring for anomalous behavior associated with installer frameworks and privilege escalation. Regular audits of scheduled tasks, WMI subscriptions, and hosts file entries should be incorporated into security operations workflows.
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their extended supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify and respond to emerging threats, ensuring resilience in an increasingly complex digital landscape.
For further questions or incident response support, we are happy to assist at ops@rescana.com.