What's Happening?
A signed adware operation linked to Dragon Boss Solutions LLC has been disabling antivirus software on over 23,000 endpoints globally. The operation uses a legitimate code-signing certificate and an update mechanism to deploy a PowerShell-based payload that systematically disables security tools. The campaign was first observed in March 2025, with the underlying loaders present since late 2024. The adware targets products from Malwarebytes, Kaspersky, McAfee, and ESET, using a script to kill antivirus processes and block reinstallation. The operation's primary update domain was left unregistered, leaving the update channel open to takeover by whoever registered it.
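Because the payload is signed with a valid certificate, signature-based trust does not catch it; the behaviour that does stand out is a script host terminating security-product processes by name. The following is an added example (not code from the reporting on this campaign) of that behavioural check run over constructed, simplified process-creation events in a `timestamp|user|parent|image|command_line` layout. The watchlist of antivirus process names is an assumption for illustration; the report names vendors, not processes, so a defender should populate it from their own endpoint inventory.

```python
"""Behavioural detection for scripted antivirus-process termination.

Added example. Scans constructed process-creation events for a script host
(PowerShell, cmd, wscript) killing security-product processes, which is the
observable behaviour of the campaign regardless of who signed the binary.
"""
import re
from dataclasses import dataclass

# ASSUMED watchlist of security-product process names, used only for this
# example. Replace with names taken from your own endpoint inventory.
AV_PROCESS_WATCHLIST = {
    "mbamservice.exe",  # assumed Malwarebytes service process
    "avp.exe",          # assumed Kaspersky process
    "mcshield.exe",     # assumed McAfee process
    "ekrn.exe",         # assumed ESET process
}

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line shapes that terminate a process by name (taskkill and the two
# common PowerShell idioms). Each pattern captures the named target.
KILL_PATTERNS = [
    re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(?P<target>[\w.*-]+)", re.I),
    re.compile(r"\bstop-process\b.*?-name\s+\"?(?P<target>[\w.*-]+)", re.I),
    re.compile(r"\bget-process\b\s+\"?(?P<target>[\w.*-]+)\"?.*?\|\s*stop-process", re.I),
]


@dataclass
class Alert:
    line_no: int
    timestamp: str
    user: str
    image: str
    target: str
    scripted: bool  # True when the killer or its parent is a script host


def _norm(name: str) -> str:
    """Lower-case a process name and ensure it carries an .exe suffix."""
    name = name.strip("\"'").lower()
    return name if name.endswith(".exe") else name + ".exe"


def is_watchlisted(target: str) -> bool:
    """Match a kill target (optionally with a trailing * wildcard) against the watchlist."""
    t = target.strip("\"'").lower()
    if t.endswith("*"):
        return any(p.startswith(t[:-1]) for p in AV_PROCESS_WATCHLIST)
    return _norm(t) in AV_PROCESS_WATCHLIST


def parse_event(line: str):
    """Split one event; the command line may itself contain '|', so split at most 4 times."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    ts, user, parent, image, cmdline = parts
    return ts, user, parent.lower(), image.lower(), cmdline


def detect_av_tampering(events_text: str) -> list:
    """Return an Alert for every event that kills a watchlisted security process."""
    alerts = []
    for line_no, line in enumerate(events_text.splitlines(), start=1):
        if not line.strip():
            continue
        event = parse_event(line)
        if event is None:
            continue
        ts, user, parent, image, cmdline = event
        for pattern in KILL_PATTERNS:
            m = pattern.search(cmdline)
            if m and is_watchlisted(m.group("target")):
                alerts.append(Alert(
                    line_no, ts, user, image, m.group("target"),
                    scripted=image in SCRIPT_HOSTS or parent in SCRIPT_HOSTS,
                ))
                break  # one alert per event, even if several patterns match
    return alerts


# Constructed sample events: one benign editor launch, three kills of watchlisted
# processes driven from PowerShell, and one unrelated taskkill that must not fire.
SAMPLE_EVENTS = """\
2025-03-02T10:14:03Z|CORP\\alice|explorer.exe|notepad.exe|notepad.exe C:\\notes.txt
2025-03-02T10:15:41Z|NT AUTHORITY\\SYSTEM|updater.exe|powershell.exe|powershell.exe -NoProfile -Command "Stop-Process -Name avp -Force"
2025-03-02T10:15:42Z|NT AUTHORITY\\SYSTEM|powershell.exe|taskkill.exe|taskkill /F /IM MBAMService.exe
2025-03-02T10:16:00Z|CORP\\bob|cmd.exe|taskkill.exe|taskkill /F /IM notepad.exe
2025-03-02T10:17:10Z|NT AUTHORITY\\SYSTEM|powershell.exe|powershell.exe|powershell.exe -Command "Get-Process ekrn | Stop-Process -Force"
"""

if __name__ == "__main__":
    for a in detect_av_tampering(SAMPLE_EVENTS):
        flag = "SCRIPTED" if a.scripted else "interactive"
        print(f"line {a.line_no} {a.timestamp} {a.user}: {a.image} killed {a.target} [{flag}]")
```

The detection keys on the kill verb plus a watchlisted target rather than on the binary's signer, so a valid certificate buys the payload nothing here; the `scripted` flag lets a SOC rank hits where the killer or its parent is a script host above an administrator running `taskkill` by hand.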
Why It's Important?
This operation poses a significant threat to cybersecurity, particularly in the U.S., which accounts for 54% of the infections. The ability to disable antivirus software leaves systems vulnerable to further attacks, such as ransomware or data theft. The involvement of high-value networks, including universities, government entities, and healthcare organizations, raises concerns about data security and operational integrity. The incident highlights the risks associated with software supply chains and the importance of robust cybersecurity measures to protect against such threats.
What's Next?
Organizations affected by this adware operation will need to conduct thorough security audits and possibly re-evaluate their cybersecurity strategies. This may include enhancing monitoring systems, updating security protocols, and educating staff on potential threats. Cybersecurity firms and law enforcement agencies might increase efforts to track and mitigate such threats, potentially leading to international cooperation given the global reach of the operation. The incident could also prompt regulatory bodies to consider stricter controls on software distribution and code-signing practices.