'Anyone with $10 could have walked straight through': Report warns this legit-looking software is actually antivirus-killing adware
Annoying adware turned out to be a lot more dangerous
- Huntress sinkholes adware signed by Dragon Boss Solutions LLC
- Malware disabled antivirus, left open update domains exploitable for $10
- Tens of thousands of endpoints compromised, including universities, OT networks, governments, and Fortune 500 firms
Security researchers at Huntress recently stumbled upon a piece of adware that, by all accounts, should have been a boring, run-of-the-mill ad-displaying nuisance. However, what they found under the surface raised a few eyebrows and warranted deeper investigation.
In late March 2026, Huntress was alerted to a piece of software signed by a company called Dragon Boss Solutions LLC. The company claims to work on “search monetization research,” but the software simply displays unwanted ads and redirects to users, and it came with an advanced update mechanism that disabled antivirus programs and prevented them from being started again.
While analyzing how the malware worked, the researchers discovered that the threat actors had registered neither the main update domain nor the fallback one. That oversight presented both a major risk and a huge opportunity to do good.
Severing the ties
“More concerning is it turned out to have an open door baked right into its update configuration, one which anyone with $10 could have walked straight through,” Huntress said. In other words, someone could have registered these domains and thus taken control over a vast network of infected computers.
Instead, it was Huntress who bought the domains, effectively sinkholing the connection from all infected hosts.
“Within hours” they saw “tens of thousands of compromised endpoints reach out looking for instructions that, in the wrong hands, could have been anything.”
Analyzing incoming IP addresses, Huntress researchers found 324 infected devices in high-value places, including 221 academic institutions, 41 Operational Technology networks in the energy and transport sectors, 35 municipal governments, state agencies, and public utilities, 24 primary and secondary educational institutions, and 3 healthcare organizations. Furthermore, networks of multiple Fortune 500 companies were compromised, as well.
To stay safe, the researchers recommend system admins look for WMI event subscriptions containing “MbRemoval” or “MbSetup,” scheduled tasks referencing “WMILoad” or “ClockRemoval,” and processes signed by Dragon Boss Solutions LLC.
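The three checks above can be scripted so that an administrator can sweep a host in one pass. The following PowerShell script is an added example written for this article, not code published by Huntress or TechRadar; the indicator strings are the ones quoted above, while the script structure, variable names and output format are my own. It assumes it is run in an elevated session on a Windows endpoint, and it only reports: it does not remove anything.

```powershell
# Added hunting script (not from Huntress or TechRadar). Reports the three
# indicators the article lists: permanent WMI event subscriptions naming
# "MbRemoval" or "MbSetup", scheduled tasks referencing "WMILoad" or
# "ClockRemoval", and running processes whose Authenticode signer is
# "Dragon Boss Solutions LLC". Assumption: run as Administrator.

$WmiIndicators   = @('MbRemoval', 'MbSetup')
$TaskIndicators  = @('WMILoad', 'ClockRemoval')
$SignerIndicator = 'Dragon Boss Solutions LLC'
$Findings = New-Object System.Collections.Generic.List[object]

# Returns the first pattern found in $Text (case-insensitive), or $null.
function Test-Indicator([string]$Text, [string[]]$Patterns) {
    foreach ($p in $Patterns) {
        if ($Text -and $Text -like "*$p*") { return $p }
    }
    return $null
}

function Add-Finding([string]$Type, [string]$Indicator, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Indicator = $Indicator; Detail = $Detail })
}

# 1. Permanent WMI event subscriptions live in root\subscription. The filter,
#    the consumer and the binding can each carry the indicator in a name,
#    a WQL query or a command line, so all properties are flattened to text.
foreach ($class in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
    Get-CimInstance -Namespace root\subscription -ClassName $class -ErrorAction SilentlyContinue |
      ForEach-Object {
        $text = ($_.CimInstanceProperties | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        $hit = Test-Indicator $text $WmiIndicators
        if ($hit) {
            Add-Finding 'WMI subscription' $hit ("$class : " + $text.Substring(0, [Math]::Min(200, $text.Length)))
        }
      }
}

# 2. Scheduled tasks: check the task name, description and every action's
#    executable and arguments, since the indicator may sit in any of them.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task  = $_
    $parts = @($task.TaskName, $task.Description)
    foreach ($a in $task.Actions) { $parts += "$($a.Execute) $($a.Arguments)" }
    $text = $parts -join ' '
    $hit  = Test-Indicator $text $TaskIndicators
    if ($hit) {
        Add-Finding 'Scheduled task' $hit "$($task.TaskPath)$($task.TaskName)"
    }
}

# 3. Running processes: verify the Authenticode signer of each process image.
#    Only processes whose image path is readable from this session are checked.
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
    if ($sig -and $sig.SignerCertificate -and
        $sig.SignerCertificate.Subject -like "*$SignerIndicator*") {
        Add-Finding 'Signed process' $SignerIndicator "PID $($_.Id) $($_.Path)"
    }
}

if ($Findings.Count -eq 0) {
    'No indicators from the Huntress report were found on this host.'
} else {
    $Findings | Format-Table -AutoSize
}
```

A hit on any of the three checks is a reason to isolate the host and pull the full WMI subscription and task definitions for review, since the article describes the update mechanism as the component that disables antivirus; the signer check will also miss binaries that are not currently running, so it complements rather than replaces a file-system scan.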
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.