Signed Adware Abused to Disable Antivirus Protections on Thousands of Endpoints
A digitally signed adware tool, masquerading as legitimate software, has been observed deploying payloads with SYSTEM privileges to disable antivirus protections. The campaign has impacted thousands of endpoints across various sectors, including education, utilities, government, and healthcare.

Researchers have uncovered a significant campaign where a digitally signed adware tool was used to deploy payloads running with SYSTEM privileges, effectively disabling antivirus protections on thousands of endpoints. These endpoints span diverse sectors, including education, utilities, government, and healthcare.
In a single day, researchers observed over 23,500 infected hosts in 124 countries attempting to connect to the operator's infrastructure, with hundreds of infected endpoints present within high-value networks.
### More Than Just Adware
Security researchers at **Huntress** discovered the campaign on March 22nd, noting that signed executables, classified as potentially unwanted programs (PUPs), were triggering alerts in multiple managed environments. PUPs are generally considered a nuisance, primarily generating revenue through advertisements. However, this campaign demonstrates a more sinister evolution.
The software was signed by a company called **Dragon Boss Solutions LLC**, which Huntress says is involved in "search monetization research" and promotes various tools like **Chromstera Browser**, **Chromnius**, **WorldWideWeb**, **Web Genius**, and **Artificius Browser**. These tools are often flagged as PUPs by security solutions.

Beyond the typical annoyances of ads and redirects, these browsers feature an advanced update mechanism that deploys an antivirus killer.
### Deactivating Security
Huntress discovered that the operation leveraged the update mechanism from the commercial **Advanced Installer** authoring tool to deploy MSI and PowerShell payloads. The configuration file for the update process revealed flags indicating a completely silent operation with no user interaction. The payloads were installed with elevated (SYSTEM) privileges, and the updater was configured to prevent users from disabling automatic updates and to check for new updates frequently.
The update process retrieves an MSI payload (Setup.msi) disguised as a GIF image, which is flagged as malicious on **VirusTotal** by a limited number of security vendors. This MSI payload includes legitimate DLLs used by Advanced Installer for tasks like executing PowerShell scripts and identifying specific software. Instructions for the installer are contained in a separate file named *!_StringData*.
Before deploying the main payload, the MSI installer performs reconnaissance, checking admin status, detecting virtual machines, verifying internet connectivity, and querying the registry for installed antivirus (AV) products from **Malwarebytes**, **Kaspersky**, **McAfee**, and **ESET**. These security products are then disabled using a PowerShell script named *ClockRemoval.ps1*.
The *ClockRemoval.ps1* script executes on system boot, logon, and every 30 minutes, ensuring AV products are removed by stopping services, killing processes, deleting installation directories and registry entries, silently running vendor uninstallers, and forcefully deleting files when uninstallers fail. The script also blocks vendor domains by modifying the hosts file and null-routing them (redirecting to 0.0.0.0), preventing reinstallation or updates of the security products.
During analysis, Huntress found that the operator hadn't registered the main update domain (*chromsterabrowser[.]com*) or the fallback (*worldwidewebframework3[.]com*). This allowed them to sinkhole the connection from infected hosts.
By registering the main update domain, Huntress observed "tens of thousands of compromised endpoints reach out looking for instructions that, in the wrong hands, could have been anything."
Based on IP addresses, researchers identified 324 infected hosts in high-value networks:
* 221 academic institutions in North America, Europe, and Asia
* 41 Operational Technology networks in the energy and transport sectors, and at critical infrastructure providers
* 35 municipal governments, state agencies, and public utilities
* 24 primary and secondary educational institutions
* 3 healthcare organizations (hospital systems and healthcare providers)
* Networks of multiple Fortune 500 companies
BleepingComputer's attempts to contact Dragon Boss Solutions were unsuccessful as their site is no longer operational.
Huntress warns that while the tool currently acts as an AV killer, the mechanism could introduce far more dangerous payloads. They recommend system administrators look for WMI event subscriptions containing "MbRemoval" or "MbSetup", scheduled tasks referencing "WMILoad" or "ClockRemoval", and processes signed by Dragon Boss Solutions LLC. Additionally, review the hosts file for entries blocking AV vendor domains and check **Microsoft Defender** exclusions for suspicious paths such as "DGoogle", "EMicrosoft", or "DDapps".
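The following PowerShell script is an added example, not code from Huntress or BleepingComputer, that turns the hunting recommendations above (and the hosts-file null-routing described earlier) into a single read-only check for one host. It assumes the indicator strings appear in WMI subscription properties, scheduled task names or actions, and Defender exclusion paths, and that blocked vendor domains contain the vendor name (Malwarebytes, Kaspersky, McAfee, ESET); those matching patterns are the author's assumptions, not published IoCs. Run it from an elevated prompt so that the `root\subscription` namespace and Defender preferences are readable.

```powershell
# Added example: host-level hunt for the indicators described in the article.
# Read-only; collects findings into a list and prints them at the end.
$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Category, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail })
}

# 1. WMI permanent event subscriptions containing "MbRemoval" or "MbSetup"
#    (assumption: the string appears in any property of the filter/consumer/binding).
$wmiPattern = 'MbRemoval|MbSetup'
foreach ($class in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer',
                   '__EventFilter', '__FilterToConsumerBinding') {
    $instances = Get-CimInstance -Namespace root\subscription -ClassName $class -ErrorAction SilentlyContinue
    foreach ($inst in $instances) {
        $props = ($inst.CimInstanceProperties | ForEach-Object { "$($_.Value)" }) -join ' '
        if ($props -match $wmiPattern) {
            Add-Finding 'WMI subscription' "$class : $props"
        }
    }
}

# 2. Scheduled tasks whose name or actions reference "WMILoad" or "ClockRemoval"
$taskPattern = 'WMILoad|ClockRemoval'
foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    if (($task.TaskName + ' ' + $actions) -match $taskPattern) {
        Add-Finding 'Scheduled task' "$($task.TaskPath)$($task.TaskName) -> $actions"
    }
}

# 3. Running processes whose image is signed by Dragon Boss Solutions LLC
$paths = Get-Process -ErrorAction SilentlyContinue | Where-Object Path |
         Select-Object -ExpandProperty Path -Unique
foreach ($p in $paths) {
    $sig = Get-AuthenticodeSignature -FilePath $p -ErrorAction SilentlyContinue
    if ($sig -and $sig.SignerCertificate -and
        $sig.SignerCertificate.Subject -match 'Dragon Boss Solutions') {
        Add-Finding 'Signed process' "$p ($($sig.Status))"
    }
}

# 4. Hosts-file entries that null-route (0.0.0.0 / 127.0.0.1) AV vendor domains.
#    Assumption: the blocked hostnames contain the vendor name.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$vendorPattern = 'malwarebytes|kaspersky|mcafee|eset'
foreach ($raw in (Get-Content $hostsPath -ErrorAction SilentlyContinue)) {
    $line = ($raw -split '#')[0].Trim()          # strip trailing comments
    if ($line -match '^(0\.0\.0\.0|127\.0\.0\.1)\s+(\S+)') {
        $hostname = $Matches[2]
        if ($hostname -match $vendorPattern) {
            Add-Finding 'Hosts file' $line
        }
    }
}

# 5. Microsoft Defender path exclusions containing the suspicious components from the article
$exclusionPattern = 'DGoogle|EMicrosoft|DDapps'
$prefs = Get-MpPreference -ErrorAction SilentlyContinue
foreach ($ex in @($prefs.ExclusionPath)) {
    if ($ex -and $ex -match $exclusionPattern) {
        Add-Finding 'Defender exclusion' $ex
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No indicators from the Huntress write-up found on this host.'
} else {
    $Findings | Format-Table -AutoSize
}
```

Each check is independent, so a missing module (for example `Get-MpPreference` on a host without Defender) only silences that one section. Findings are reported rather than remediated; a hit on the hosts file or the Defender exclusions is a reason to pull the full file and the host's event logs for triage, since an attacker-controlled updater may have changed more than these five locations.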