What's Happening?
A signed software operation by Dragon Boss Solutions LLC has been disabling antivirus products on over 23,000 endpoints globally. According to Huntress, the campaign uses a legitimate code-signing certificate and an update mechanism to deploy a PowerShell-based payload that systematically disables security tools. The operation, first observed in March 2025, targets antivirus products from companies like Malwarebytes, Kaspersky, McAfee, and ESET. The payload checks for admin status, detects virtual machines, and queries the registry for installed security products before establishing persistence through scheduled tasks and WMI event subscriptions. A significant threat was identified when a primary update domain was found unregistered, allowing potential malicious payloads to be pushed to affected hosts. Huntress registered the domain, revealing infections across 124 countries, with the U.S. accounting for 54% of connections.
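The behaviours described above (scheduled-task and WMI event subscription persistence, and the registry lookup of installed security products) are all visible from the endpoint itself. The following PowerShell hunt is an added example written for this summary; it is not code from Huntress or from the Dragon Boss Solutions software. It assumes it is run in an elevated session on the Windows host being reviewed, and the regex for PowerShell launch switches is a general heuristic rather than a signature for this specific payload.

```powershell
# Added defender-side hunt (not from the Huntress report or the software it describes).
# Assumes an elevated PowerShell session on the endpoint under review.

# 1. Permanent WMI event subscriptions: a filter (the trigger), a consumer (what runs)
#    and the binding that joins them. Legitimate hosts usually have very few of these.
$ns        = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$cmdCons   = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer
$scriptCon = Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

Write-Host "== WMI event filters =="
$filters   | Select-Object Name, Query | Format-Table -AutoSize
Write-Host "== WMI command-line consumers =="
$cmdCons   | Select-Object Name, CommandLineTemplate | Format-Table -AutoSize
Write-Host "== WMI script consumers =="
$scriptCon | Select-Object Name, ScriptingEngine, ScriptText | Format-List
Write-Host "== Filter-to-consumer bindings =="
$bindings  | Select-Object Filter, Consumer | Format-Table -AutoSize

# 2. Scheduled tasks whose action launches PowerShell with hidden / bypass / encoded switches.
#    The switch pattern is a generic heuristic, not a signature for this campaign.
$switchPattern = '-enc|-w(indowstyle)?\s+hidden|-ep\s+bypass|-ExecutionPolicy\s+Bypass'
$suspiciousTasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'powershell|pwsh' -and $cmd -match $switchPattern) {
            [pscustomobject]@{
                Task      = $task.TaskName
                Path      = $task.TaskPath
                RunAs     = $task.Principal.UserId
                Command   = $cmd
            }
        }
    }
}
Write-Host "== Scheduled tasks launching PowerShell with hidden/bypass/encoded switches =="
$suspiciousTasks | Format-Table -AutoSize

# 3. Security products the OS has registered. This is the same inventory a payload can read to
#    choose what to disable, so compare it with what is actually running.
Write-Host "== Registered antivirus products (root\SecurityCenter2) =="
Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    Select-Object displayName, productState, pathToSignedProductExe | Format-Table -AutoSize

# 4. If Microsoft Defender is present, confirm its real-time engine is still enabled;
#    a registered product whose engine reports disabled is the condition described in the report.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    Write-Host "== Defender status =="
    Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AntivirusEnabled | Format-List
}
```

The `root\SecurityCenter2` namespace exists on Windows client editions only, so step 3 prints nothing on Server SKUs; on those hosts check the vendor's own service with `Get-Service` instead. Any `__FilterToConsumerBinding` or task you cannot attribute to a known product or administrator is worth preserving (export with `Export-Clixml`) before it is removed, so the trigger query and command line survive for the investigation.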
Why Is It Important?
This operation highlights the vulnerabilities in cybersecurity defenses, particularly the ability of malicious actors to disable antivirus software, leaving systems exposed to further attacks such as ransomware or data theft. The widespread nature of the infection, affecting high-value networks including universities, government entities, and healthcare organizations, underscores the potential for significant disruption. The operation's ability to neutralize antivirus software before it can initialize poses a severe risk, as it allows for the deployment of various malicious payloads without additional exploitation. This incident emphasizes the need for robust cybersecurity measures and the importance of monitoring and securing update domains to prevent unauthorized access.
What's Next?
Organizations affected by this operation need to assess their security measures and consider additional layers of protection to prevent similar attacks. Cybersecurity firms and affected entities may need to collaborate to develop strategies to counteract such sophisticated threats. The incident may prompt a review of code-signing certificate issuance and management to prevent misuse. Additionally, there may be increased scrutiny on companies like Dragon Boss Solutions and their operations, potentially leading to regulatory actions or sanctions.