‘Anyone with $10 could have walked straight through’: Report warns this legit-looking software is actually antivirus-killing adware


  • Huntress sinkholes adware signed by Dragon Boss Solutions LLC
  • Malware disabled antivirus, left open update domains exploitable for $10
  • Tens of thousands of endpoints compromised, including universities, OT networks, governments, and Fortune 500 firms

Security researchers Huntress recently stumbled upon a piece of adware that, by all accounts, should have been a boring, run-of-the-mill ad-displaying nuisance. However, what they found under the surface raised a few eyebrows and warranted deeper investigation.

In late March 2026, Huntress was alerted to a piece of software signed by a company called Dragon Boss Solutions LLC. The company claimed to be working on “search monetization research”, but its software simply displayed unwanted ads and redirects to users, and it came with an advanced update mechanism that disabled antivirus programs and prevented them from being started again.

While analyzing how the malware worked, the researchers discovered that the threat actors had never registered the main update domain, nor the fallback one. That oversight was at once a major risk and a huge opportunity to do good.


“More concerning is it turned out to have an open door baked right into its update configuration, one which anyone with $10 could have walked straight through,” Huntress said. In other words, someone could have registered these domains and thus taken control over a vast network of infected computers.

Instead, it was Huntress who bought the domains, effectively sinkholing the connection from all infected hosts.

“Within hours” they saw “tens of thousands of compromised endpoints reach out looking for instructions that, in the wrong hands, could have been anything.”

Analyzing incoming IP addresses, Huntress researchers found 324 infected devices in high-value places, including 221 academic institutions, 41 Operational Technology networks in the energy and transport sectors, 35 municipal governments, state agencies, and public utilities, 24 primary and secondary educational institutions, and 3 healthcare organizations. Networks of multiple Fortune 500 companies were compromised as well.

To stay safe, the researchers recommend system admins look for WMI event subscriptions containing “MbRemoval” or “MbSetup,” scheduled tasks referencing “WMILoad” or “ClockRemoval,” and processes signed by Dragon Boss Solutions LLC.
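A hunt script for the three indicator classes just listed, added here as an example rather than Huntress's own tooling. It assumes the indicator strings are matched as substrings, that the certificate subject contains the company name as written in the report, and that it runs elevated so every process path and WMI subscription is visible.

```powershell
# Example hunt for the indicators named in the Huntress report (added here; not Huntress code).
# Indicator strings come from the report; substring matching and the signer subject are assumptions.
$subNames  = @('MbRemoval', 'MbSetup')        # WMI event subscription names
$taskNames = @('WMILoad', 'ClockRemoval')     # scheduled task names / actions
$signer    = 'Dragon Boss Solutions LLC'      # expected certificate subject fragment
$findings  = @()

# 1. Permanent WMI event subscriptions live in root\subscription.
#    Querying the abstract __EventConsumer class returns every concrete consumer type.
foreach ($class in '__EventFilter', '__EventConsumer') {
    Get-CimInstance -Namespace root\subscription -ClassName $class -ErrorAction SilentlyContinue |
        ForEach-Object {
            $name = $_.Name
            foreach ($k in $subNames) {
                if ($name -like "*$k*") {
                    $findings += [pscustomobject]@{ Type = "WMI $class"; Match = $k; Detail = $name }
                }
            }
        }
}

# 2. Scheduled tasks: check the task name and each action's executable and arguments.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    $blob = "$($_.TaskPath)$($_.TaskName) $actions"
    foreach ($k in $taskNames) {
        if ($blob -like "*$k*") {
            $findings += [pscustomobject]@{ Type = 'ScheduledTask'; Match = $k; Detail = $blob.Trim() }
        }
    }
}

# 3. Running processes whose image is Authenticode-signed by the named company.
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
    if ($sig -and $sig.SignerCertificate -and $sig.SignerCertificate.Subject -like "*$signer*") {
        $findings += [pscustomobject]@{ Type = 'SignedProcess'; Match = $signer; Detail = "$($_.Id) $($_.Path)" }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the report found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the signer check alone is worth triaging even when the WMI and task checks are clean, since the report describes the update mechanism removing its own persistence as part of disabling antivirus.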
