Adware with Fangs: 25,000 Systems Exposed to $10 Supply Chain Hijack by Dragon Boss Solutions

Huntress Uncovers Adware from Dragon Boss Solutions That Disabled AV and Exposed 25,000+ Systems to Trivial Supply Chain Attack

CRITICAL
April 15, 2026
4m read
Supply Chain Attack, Malware, Threat Intelligence

Impact Scope

People Affected

25,000+ systems

Industries Affected

Education, Government, Healthcare, Critical Infrastructure

Geographic Impact

Global (124 countries, including the United States)

Related Entities

Threat Actors

Dragon Boss Solutions

Full Report

Executive Summary

Researchers at Huntress have uncovered a high-risk threat masquerading as ordinary adware, the kind of software most tooling files under Potentially Unwanted Program (PUP) and moves on. The software, digitally signed by a UAE-based entity named Dragon Boss Solutions, was installed on at least 25,000 systems across 124 countries. It started life as a simple browser hijacker, but its capabilities evolved to include aggressive defense evasion. A PowerShell payload running as SYSTEM systematically disabled security products, blocked their update and telemetry servers, and established persistence. The most alarming discovery was a critical flaw in its update mechanism: the software fetched updates from chromsterabrowser[.]com, a domain that nobody had registered. That turned the installed base into a trivial but catastrophic supply chain risk: anyone could have registered the domain for about $10 and pushed a payload of their choosing to every client, including the ones inside universities, government agencies, and OT networks.

Threat Overview

The operation demonstrates a dangerous evolution from nuisance adware to something functionally indistinguishable from a backdoor: an unauthenticated update channel running with SYSTEM privileges on hosts whose security tooling has already been switched off. Once installed, the software executed a series of actions to entrench itself on the host and eliminate security controls.

Key TTPs:

  1. Defense Evasion: A PowerShell script running with SYSTEM privileges was used to disable a wide range of security products. It terminated their processes, modified the hosts file to block communication with their update and telemetry servers, and deleted registry keys to prevent reinstallation.
  2. Persistence: The malware established persistence through multiple methods, including Windows Management Instrumentation (WMI) event subscriptions and scheduled tasks, so that it survived reboots and removal attempts.
  3. Supply Chain Vulnerability: The core of the threat lay in its insecure update process. The hardcoded update domain, chromsterabrowser[.]com, had never been registered by the developers. This is a dangling-domain takeover, the same class of weakness as a subdomain takeover, except that here the whole apex domain was available to anyone willing to pay the registration fee. Because the clients evidently accepted whatever that name served (the report's conclusion that registering the domain was enough implies no signature or pinning check on the downloaded update), an attacker could simply buy it, stand up a web server, and answer the update check-ins from all 25,000+ hosts with a payload of their choosing.
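What the flawed update path looks like next to a version that survives losing the domain, as an added example written for this page. It is not code from the adware and not from Huntress: the first function reconstructs the pattern the report describes (hardcoded domain, fetch, execute with the caller's privileges), the second anchors trust in a signing key instead of a DNS name. Only the domain comes from the report; the URL path, file name and pinned thumbprint are placeholders.

```powershell
# Added example; reconstructs the insecure update pattern described in the report and sets a
# hardened client beside it. Not the adware's code and not Huntress tooling.
# ASSUMPTIONS: the URL path, the file name and the thumbprint are placeholders.

$UpdateHost = 'chromsterabrowser.com'   # hardcoded in the client, unregistered when analysed

# --- Insecure pattern (do not use): whoever controls the name controls every installed client ---
function Invoke-InsecureUpdate {
    $out = Join-Path $env:TEMP 'update.exe'
    Invoke-WebRequest -Uri "http://$UpdateHost/update.exe" -OutFile $out -UseBasicParsing  # no TLS, no verification
    Start-Process -FilePath $out -Wait                                                    # runs as SYSTEM if the caller does
}

# --- Hardened pattern: trust is anchored in a key the vendor controls, not in DNS -------------
# Placeholder; set this to the SHA-1 thumbprint of your own code-signing certificate.
$PinnedSignerThumbprint = '0000000000000000000000000000000000000000'

function Test-UpdateArtifact {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' only means some trusted CA vouched for some publisher; a squatter can buy that.
    if ($sig.Status -ne 'Valid') { return $false }
    # The pin is the control that defeats a domain takeover: owning the name does not give
    # the attacker the private key that produced this signature.
    return ($sig.SignerCertificate.Thumbprint -eq $PinnedSignerThumbprint)
}

function Invoke-HardenedUpdate {
    $out = Join-Path $env:TEMP 'update.exe'
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    # TLS protects the transport only; it cannot tell you the name changed hands, so the
    # download is treated as untrusted bytes until Test-UpdateArtifact passes.
    Invoke-WebRequest -Uri "https://$UpdateHost/update.exe" -OutFile $out -UseBasicParsing
    if (-not (Test-UpdateArtifact -Path $out)) {
        Remove-Item -Path $out -Force -ErrorAction SilentlyContinue
        throw "Update rejected: not signed by the pinned publisher"   # fail closed; never fall back to HTTP
    }
    Start-Process -FilePath $out -Wait
}
```

Two caveats for anyone adapting this. A raw thumbprint pin has to be rotated every time the signing certificate is renewed, so production clients usually pin the subject and issuer, or a root of the vendor's own PKI, and carry a minimum-version check so a squatter cannot replay an old, genuinely signed but vulnerable build. And an update client has no business running as SYSTEM in the first place; the pin limits who can push code, not what that code can do once it runs.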

Impact Assessment

Huntress's quick action in registering the domain and sinkholing the traffic prevented a potentially devastating attack. The scale of the infection was vast: 23,565 unique source IPs connected to the sinkhole in just 24 hours, a figure that undercounts hosts sitting behind shared NAT addresses. The compromised hosts were not just consumer devices; the analysis identified numerous high-value targets:

  • 221 Universities and colleges
  • 41 Operational Technology (OT) networks (including electric utilities)
  • 35 Government entities
  • 3 Healthcare organizations

A successful supply chain hijack could have led to widespread ransomware deployment, data theft, or espionage across sensitive sectors. Because the adware had already disabled local security tools and its update payload ran as SYSTEM, any follow-on payload would have landed on hosts with no EDR left to notice it, which gives such an attack a very high chance of success.

IOCs

Type    Value                          Description
domain  chromsterabrowser[.]com        Unregistered update domain hardcoded in the software. Now registered and sinkholed by Huntress.
domain  worldwidewebframework3[.]com   Second domain associated with the campaign, reported as C2 infrastructure.

Detection and Response

  • Check for IOCs: Scan DNS and proxy logs for any resolution of, or connection to, the domains listed above. Search file systems and the registry for binaries and keys belonging to software signed by Dragon Boss Solutions.
  • Review Disabled Services: On endpoints, check for antivirus and EDR services that are stopped, disabled, or missing. Investigate any unauthorized modifications to the hosts file (C:\Windows\System32\drivers\etc\hosts), in particular entries that map security-vendor or update domains to 127.0.0.1 or 0.0.0.0.
  • Hunt for Persistence: Inspect the WMI subscription namespace (root\subscription: event filters, consumers, and the bindings that join them) and the scheduled task library for suspicious entries created by the adware.
  • Remove the PUP: If the software is detected, a thorough removal is required. This may involve manual deletion of files, registry keys, and persistence mechanisms, followed by restoring the hosts file and reinstalling and re-enrolling the security tools the adware removed.
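The checks above as one read-only hunt script, added for this page; it is not Huntress tooling and not code from the report. It assumes an elevated PowerShell 5.1+ session on the endpoint. The two IOC domains are the report's; the vendor-domain list, the service names and the 'Dragon Boss' subject match are illustrative placeholders to adapt to your own stack.

```powershell
# Added example: read-only triage of one Windows endpoint for the artefacts described above.
# Not Huntress tooling. Run elevated. IOC domains from the report; everything else illustrative.

$iocDomains    = @('chromsterabrowser.com', 'worldwidewebframework3.com')
$vendorDomains = @('microsoft.com', 'windowsupdate.com', 'crowdstrike.com',   # placeholders
                   'sentinelone.net', 'sophos.com', 'bitdefender.net', 'huntress.io')
$avServices    = @('WinDefend', 'Sense', 'CSFalconService', 'SentinelAgent', 'HuntressAgent')
$findings      = New-Object System.Collections.Generic.List[string]

# 1. hosts-file tampering: vendor/update names pinned to loopback or the null address.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($raw in Get-Content -Path $hostsPath) {
    $line = ($raw -split '#', 2)[0].Trim()          # strip comments
    if (-not $line) { continue }
    $fields = $line -split '\s+'
    if ($fields.Count -lt 2) { continue }
    $ip = $fields[0]
    foreach ($name in $fields[1..($fields.Count - 1)]) {
        $blocked = $ip -match '^(127\.|0\.0\.0\.0$|::1$)'
        if ($blocked -and ($vendorDomains | Where-Object { $name -like "*$_" })) {
            $findings.Add("hosts   : $name -> $ip")
        }
    }
}

# 2. WMI event-subscription persistence. A stock install has no CommandLine or ActiveScript
#    consumers at all, so anything listed here deserves a look.
foreach ($cls in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
    Get-CimInstance -Namespace 'root/subscription' -ClassName $cls -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("wmi     : $cls '$($_.Name)' runs: $($_.CommandLineTemplate)$($_.ScriptText)") }
}

# 3. Scheduled tasks outside the Microsoft tree whose action is a shell or script host.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ("$($a.Execute)" -match 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32') {
            $findings.Add("task    : $($task.TaskPath)$($task.TaskName) -> $($a.Execute) $($a.Arguments)")
        }
    }
}

# 4. Security services that are not running, plus Defender's own view of itself.
foreach ($svc in Get-Service -Name $avServices -ErrorAction SilentlyContinue) {
    if ($svc.Status -ne 'Running') {
        $findings.Add("service : $($svc.Name) is $($svc.Status) (start type $($svc.StartType))")
    }
}
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled)) {
    $findings.Add("defender: AV=$($mp.AntivirusEnabled) RealTime=$($mp.RealTimeProtectionEnabled)")
}

# 5. Resolver cache entries for the reported domains (short-lived; collect early in triage).
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $e = $_.Entry; $iocDomains | Where-Object { $e -like "*$_" } } |
    ForEach-Object { $findings.Add("dns     : cached $($_.Entry) -> $($_.Data)") }

# 6. Binaries under the program directories signed by the publisher named in the report.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:LOCALAPPDATA) | Where-Object { $_ }
Get-ChildItem -Path $roots -Include *.exe, *.dll -Recurse -Depth 3 -ErrorAction SilentlyContinue | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -match 'Dragon Boss') {
        $findings.Add("signed  : $($_.FullName) [$($sig.Status)]")
    }
}

if ($findings.Count) { $findings | Sort-Object | Write-Output } else { 'No findings.' }
```

Treat a hit in section 4 with care: the adware also deleted registry keys to stop reinstallation, so a missing service is as telling as a stopped one, and the reinstall step in the procedure above should be verified by checking the agent is actually reporting in, not just that its service exists again.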

Mitigation

  • Application Allowlisting: Implement application control policies so that only explicitly approved software runs; this stops PUPs and adware before they get a chance to run as SYSTEM.
  • PowerShell Logging: Enable enhanced PowerShell logging (Module Logging and Script Block Logging, which writes Event ID 4104 to Microsoft-Windows-PowerShell/Operational) so that the execution of scripts like this one is captured and can be analyzed.
  • DNS Sinkholing: Organizations can proactively sinkhole suspicious or known-bad domains at their own DNS resolvers, redirecting the check-ins to a host they control instead of letting them fail or reach a squatter.
  • Supply Chain Scrutiny: This incident serves as a reminder that even seemingly low-risk software can introduce significant supply chain vulnerabilities. Vet all software, even if it is digitally signed; a signature proves who signed the binary, not that the binary or its update channel is safe.
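The logging and sinkholing items above, as an added example that is not part of the article. It assumes an elevated session for the registry changes and the DnsServer module on an internal Windows DNS server; the sinkhole address and the regex of interesting script fragments are placeholders, and the two domains are the report's IOCs.

```powershell
# Added example (not from the article): turn on the PowerShell logging the mitigation list
# calls for, sinkhole the reported domains on an internal Windows DNS Server, and pull the
# resulting 4104 events that contain the defense-evasion primitives the report describes.
# ASSUMPTIONS: $sinkhole and the regex are placeholders; run elevated; DnsServer module present.

# Script block logging -> Microsoft-Windows-PowerShell/Operational, Event ID 4104
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging -> Event ID 4103 (pipeline execution details) for every module ('*')
$ml = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*'

# Sinkhole: authoritative zones for the reported domains, apex and wildcard pointed at a
# listener you own, so clients resolve them to you rather than to whoever registers them.
$sinkhole = '10.0.0.250'   # placeholder: your sinkhole listener
foreach ($d in 'chromsterabrowser.com', 'worldwidewebframework3.com') {
    if (-not (Get-DnsServerZone -Name $d -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $d -ZoneFile "$d.dns"
    }
    Add-DnsServerResourceRecordA -ZoneName $d -Name '@' -IPv4Address $sinkhole
    Add-DnsServerResourceRecordA -ZoneName $d -Name '*' -IPv4Address $sinkhole
}

# Hunt the captured script blocks for the tampering the report describes: hosts-file edits,
# service stops, Defender preference changes, WMI subscriptions and new scheduled tasks.
$pattern = 'drivers\\etc\\hosts|Stop-Service|Set-MpPreference|__EventFilter|CommandLineEventConsumer|Register-ScheduledTask'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, @{ n = 'Script'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
```

In a domain, push the two registry settings through Group Policy rather than per host, and forward the 4104 events off the endpoint promptly: a script that stops EDR services as SYSTEM can just as easily clear the local event log afterwards.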

Timeline of Events

  1. March 1, 2025: The adware begins deploying its PowerShell-based payload to disable security products.
  2. April 14, 2026: Huntress publishes its research on the Dragon Boss Solutions adware campaign.
  3. April 15, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Use application allowlisting to prevent unauthorized software like this adware from running in the first place.
  • Use DNS filtering services to block connections to known malicious or untrusted domains, including those used by adware.
  • Audit (M1047, enterprise): Enable and monitor PowerShell script block logging and process creation events to detect malicious script execution and defense evasion techniques.

D3FEND Defensive Countermeasures

The most effective preventative measure against threats like the Dragon Boss Solutions adware is application allowlisting. By configuring systems to only run explicitly approved applications, organizations can block the initial execution of the PUP. This approach is particularly effective in sensitive environments like OT networks and government systems, which were hit in this campaign. Instead of relying on blocklists that are always a step behind attackers, allowlisting creates a 'default deny' posture. Implementation should start with critical servers and fixed-function workstations where the software environment is stable. Tools like Windows AppLocker or third-party solutions can enforce these policies based on publisher, path, or file hash. One lesson from this sample: a publisher rule that trusts any validly signed binary would not have stopped it, because it was validly signed. Allowlist the specific publishers you have approved, not the mere presence of a signature.

To counter the supply chain risk from the unregistered domain chromsterabrowser[.]com, organizations should implement robust DNS filtering. This involves using a DNS security service that blocks access to known malicious domains, phishing sites, and domains associated with PUPs/adware. Even if the adware gets onto a system, DNS filtering can sever its connection to command-and-control and update servers, rendering it inert. Organizations should configure their resolvers to use a security-focused service and ensure that endpoints cannot bypass this control, for example by blocking direct outbound DNS and DNS-over-HTTPS to third-party resolvers at the egress firewall. Two caveats apply to this incident specifically. A domain that was unregistered yesterday and serving malware today is unlikely to be in any blocklist on day one, so blocking the newly-registered-domain category buys the time that reputation feeds cannot. And malware that already runs as SYSTEM and edits the hosts file can just as easily hardcode an IP address, so resolver-level filtering needs egress filtering beside it. With those in place, the infected clients would never have reached the update server, had an attacker registered the domain.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Adware, Supply Chain Attack, Huntress, Dragon Boss Solutions, PUP, PowerShell, Defense Evasion
