[{"data":1,"prerenderedAt":154},["ShallowReactive",2],{"article-slug-huntress-uncovers-adware-campaign-exposing-25000-systems-to-supply-chain-attack":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":29,"sources":30,"events":50,"mitre_techniques":57,"mitre_mitigations":79,"d3fend_countermeasures":93,"iocs":104,"cyber_observables":112,"tags":135,"extract_datetime":138,"article_type":139,"impact_scope":140,"pub_date":152,"reading_time_minutes":153,"createdAt":138,"updatedAt":138},"6fcfbd76-a80a-4987-9e57-5c19a01e5f95","huntress-uncovers-adware-campaign-exposing-25000-systems-to-supply-chain-attack","Adware with Fangs: 25,000 Systems Exposed to $10 Supply Chain Hijack by Dragon Boss Solutions","Huntress Uncovers Adware from Dragon Boss Solutions That Disabled AV and Exposed 25,000+ Systems to Trivial Supply Chain Attack","Security firm Huntress has exposed a dangerous operation where adware signed by 'Dragon Boss Solutions' went far beyond typical potentially unwanted programs (PUPs). The software, found on over 25,000 endpoints, used SYSTEM privileges to disable antivirus products and establish persistence. Critically, it used an unregistered domain for updates, `chromsterabrowser[.]com`, which could have been purchased for $10 by any attacker to push ransomware or other malware to all infected systems, including those in government, healthcare, and critical infrastructure networks. Huntress defensively registered the domain to prevent a widespread supply chain attack.","## Executive Summary\nResearchers at **[Huntress](https://www.huntress.com/blog)** have uncovered a high-risk threat masquerading as a common adware or Potentially Unwanted Program (PUP). The software, digitally signed by a UAE-based entity named **Dragon Boss Solutions**, was installed on at least 25,000 systems across 124 countries. While initially appearing as a simple browser hijacker, its capabilities evolved to include aggressive defense evasion techniques. Using a PowerShell payload with SYSTEM privileges, the software systematically disabled security products, blocked their update servers, and established persistence. The most alarming discovery was a critical flaw in its update mechanism: the software attempted to fetch updates from `chromsterabrowser[.]com`, a domain that was unregistered. This created a trivial but catastrophic supply chain risk, as any malicious actor could have registered the domain for about $10 and delivered malware to the entire botnet, which included universities, government agencies, and OT networks.\n\n---\n\n## Threat Overview\nThe operation demonstrates a dangerous evolution from adware to a potent backdoor. The software, once installed, executed a series of malicious actions to entrench itself on the host and eliminate security controls.\n\n**Key TTPs:**\n1.  **Defense Evasion:** A PowerShell script with `SYSTEM` privileges was used to disable a wide range of cybersecurity products. It would terminate their processes, modify the `hosts` file to block communication with update and telemetry servers, and delete registry keys to prevent reinstallation.\n2.  **Persistence:** The malware established persistence through multiple methods, including Windows Management Instrumentation (WMI) event subscriptions and scheduled tasks, ensuring it would survive reboots and removal attempts.\n3.  **Supply Chain Vulnerability:** The core of the threat lay in its insecure update process. The hardcoded update domain, `chromsterabrowser[.]com`, was not registered by the developers. This is a classic example of a dangling domain/subdomain takeover vulnerability. An attacker could simply purchase the domain and configure it to serve a malicious payload in response to the update check-in requests from all 25,000+ infected hosts.\n\n## Impact Assessment\nHuntress's quick action in registering the domain and sinkholing the traffic prevented a potentially devastating attack. The scale of the infection was vast, with 23,565 unique IPs connecting to the sinkhole in just 24 hours. The compromised hosts were not just consumer devices; the analysis identified numerous high-value targets:\n- **221** Universities and colleges\n- **41** Operational Technology (OT) networks (including electric utilities)\n- **35** Government entities\n- **3** Healthcare organizations\n\nA successful supply chain hijack could have led to widespread ransomware deployment, data theft, or espionage across sensitive sectors. The fact that the adware had already disabled local security tools means that any follow-on attack would have had a very high chance of success.\n\n## IOCs\n| Type | Value | Description |\n|---|---|---|\n| domain | `chromsterabrowser[.]com` | Unregistered update domain used by the malware. Now sinkholed by Huntress. |\n| domain | `worldwidewebframework3[.]com` | Another C2 domain associated with the campaign. |\n\n## Detection and Response\n- **Check for IOCs:** Scan network logs for any connections to the domains listed above. Search file systems and registry for artifacts related to Dragon Boss Solutions software.\n- **Review Disabled Services:** On endpoints, check for disabled or non-functioning antivirus and EDR services. Investigate any unauthorized modifications to the `hosts` file (located at `C:\\Windows\\System32\\drivers\\etc\\hosts`).\n- **Hunt for Persistence:** Use tools to inspect WMI event subscriptions and scheduled tasks for suspicious entries created by the adware.\n- **Remove the PUP:** If the software is detected, a thorough removal is required, which may involve manual deletion of files, registry keys, and persistence mechanisms, followed by the re-installation of security tools.\n\n## Mitigation\n- **Application Allowlisting:** Implement application control policies to prevent the execution of unauthorized or untrusted software, including PUPs and adware.\n- **PowerShell Logging:** Enable enhanced PowerShell logging (Module Logging, Script Block Logging) to capture and analyze the execution of potentially malicious scripts.\n- **DNS Sinkholing:** Organizations can proactively sinkhole suspicious or known-bad domains at their own DNS resolvers to prevent connections.\n- **Supply Chain Scrutiny:** This incident serves as a reminder that even seemingly low-risk software can introduce significant supply chain vulnerabilities. Vet all software, even if it is digitally signed.","🤯 A $10 domain could have hijacked 25,000+ systems! Huntress found adware from 'Dragon Boss Solutions' disabling AV and using an unregistered update domain. OT, gov, & healthcare networks were at risk. #SupplyChain #CyberSecurity #Adware","Huntress researchers detail a sophisticated adware campaign by Dragon Boss Solutions that exposed over 25,000 systems, including OT and government networks, to a simple supply chain attack via an unregistered update domain.",[13,14,15],"Supply Chain Attack","Malware","Threat Intelligence","critical",[18,22,25],{"name":19,"type":20,"url":21},"Huntress","security_organization","https://www.huntress.com/",{"name":23,"type":24},"Dragon Boss Solutions","threat_actor",{"name":26,"type":27,"url":28},"PowerShell","technology","https://attack.mitre.org/techniques/T1059/001/",[],[31,36,40,45],{"url":32,"title":33,"friendly_name":34,"website":35},"https://www.securityweek.com/10-domain-could-have-handed-hackers-25k-endpoints-including-in-ot-and-gov-networks/","$10 Domain Could Have Handed Hackers 25k Endpoints, Including in OT and Gov Networks","SecurityWeek","securityweek.com",{"url":37,"title":38,"friendly_name":19,"website":39},"https://www.huntress.com/blog/pups-grow-fangs-dragon-boss-solutions-supply-chain-risk","When PUPs Grow Fangs: Dragon Boss Solutions' $10 Supply Chain Risk","huntress.com",{"url":41,"title":42,"friendly_name":43,"website":44},"https://cybernews.com/security/trusted-adware-app-left-25000-systems-open-to-a-10-supply-chain-hijack/","Trusted adware app left 25,000+ systems open to a $10 supply-chain hijack","Cybernews","cybernews.com",{"url":46,"title":47,"friendly_name":48,"website":49},"https://www.infosecurity-magazine.com/news/adware-exposes-25000-endpoints/","Adware Campaign Exposes 25,000 Endpoints to Supply Chain Hijack","Infosecurity Magazine","infosecurity-magazine.com",[51,54],{"datetime":52,"summary":53},"2025-03-01T00:00:00Z","Adware begins deploying PowerShell-based payload to disable security products.",{"datetime":55,"summary":56},"2026-04-14T00:00:00Z","Huntress publishes their research on the Dragon Boss Solutions adware campaign.",[58,62,66,69,73,76],{"id":59,"name":60,"tactic":61},"T1587.003","Digital Certificates","Resource Development",{"id":63,"name":64,"tactic":65},"T1559.002","Dynamic-Link Library Hijacking","Defense Evasion",{"id":67,"name":26,"tactic":68},"T1059.001","Execution",{"id":70,"name":71,"tactic":72},"T1543.003","Windows Service","Persistence",{"id":74,"name":75,"tactic":65},"T1562.001","Disable or Modify Tools",{"id":77,"name":78,"tactic":65},"T1112","Modify Registry",[80,85,89],{"id":81,"name":82,"description":83,"domain":84},"M1038","Execution Prevention","Use application allowlisting to prevent unauthorized software like this adware from running in the first place.","enterprise",{"id":86,"name":87,"description":88,"domain":84},"M1021","Restrict Web-Based Content","Use DNS filtering services to block connections to known malicious or untrusted domains, including those used by adware.",{"id":90,"name":91,"description":92,"domain":84},"M1047","Audit","Enable and monitor PowerShell script block logging and process creation events to detect malicious script execution and defense evasion techniques.",[94,99],{"technique_id":95,"technique_name":96,"url":97,"recommendation":98,"mitre_mitigation_id":81},"D3-EAL","Executable Allowlisting","https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting","The most effective preventative measure against threats like the Dragon Boss Solutions adware is application allowlisting. By configuring systems to only run explicitly approved applications, organizations can block the initial execution of the PUP. This approach is particularly effective in sensitive environments like OT networks and government systems, which were targeted in this campaign. Instead of relying on blocklists that are always a step behind attackers, allowlisting creates a 'default deny' posture. Implementation should start with critical servers and fixed-function workstations where the software environment is stable. Tools like Windows AppLocker or third-party solutions can be used to enforce these policies based on publisher, path, or file hash.",{"technique_id":100,"technique_name":101,"url":102,"recommendation":103,"mitre_mitigation_id":86},"D3-DNSDL","DNS Denylisting","https://d3fend.mitre.org/technique/d3f:DNSDenylisting","To counter the supply chain risk from the unregistered domain `chromsterabrowser[.]com`, organizations should implement robust DNS filtering. This involves using a DNS security service that blocks access to known malicious domains, phishing sites, and domains associated with PUPs/adware. Even if the adware gets onto a system, DNS filtering can sever its connection to command-and-control and update servers, rendering it inert. Organizations should configure their DNS resolvers to use a security-focused service and ensure that endpoints cannot bypass this control. This technique would have prevented the infected clients from ever reaching the malicious update server, had an attacker registered the domain.",[105,109],{"type":106,"value":107,"description":108},"domain","chromsterabrowser[.]com","Unregistered update domain used by the adware, now sinkholed by Huntress.",{"type":106,"value":110,"description":111},"worldwidewebframework3[.]com","Associated Command and Control domain.",[113,119,124,130],{"type":114,"value":115,"description":116,"context":117,"confidence":118},"file_path","C:\\Windows\\System32\\drivers\\etc\\hosts","The malware modifies this file to block security vendor domains. Monitor for unauthorized changes.","File Integrity Monitoring (FIM)","high",{"type":120,"value":121,"description":122,"context":123,"confidence":118},"command_line_pattern","powershell.exe -ExecutionPolicy Bypass -Command *Set-MpPreference -DisableRealtimeMonitoring $true*","A command pattern used to disable Microsoft Defender's real-time monitoring via PowerShell.","Windows Event ID 4688 (Process Creation) with command line logging enabled",{"type":125,"value":126,"description":127,"context":128,"confidence":129},"registry_key","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\","The malware creates scheduled tasks for persistence. Look for suspicious tasks not associated with legitimate software.","Registry monitoring tools or manual inspection","medium",{"type":131,"value":132,"description":133,"context":134,"confidence":129},"log_source","WMI Activity (Event ID 5861)","The malware uses WMI event subscriptions for persistence. Monitoring for new WMI permanent event consumer creation can detect this activity.","Windows Event Log (Microsoft-Windows-WMI-Activity/Operational)",[136,13,19,23,137,26,65],"Adware","PUP","2026-04-15T15:00:00.000Z","NewsArticle",{"geographic_scope":141,"countries_affected":142,"industries_affected":144,"other_affected":149,"people_affected_estimate":151},"global",[143],"United States",[145,146,147,148],"Education","Government","Healthcare","Critical Infrastructure",[150],"Operational Technology (OT) networks","25,000+ systems","2026-04-15",4,1776358264186]