What's Happening?
A software operation linked to Dragon Boss Solutions LLC has been identified as disabling antivirus products on over 23,000 endpoints globally. According to Huntress, the campaign uses a legitimate code-signing certificate and an update mechanism to deploy a PowerShell-based payload that systematically disables security tools. The operation, first observed in March 2025, targets antivirus products from companies like Malwarebytes, Kaspersky, McAfee, and ESET. The payload checks for admin status, detects virtual machines, and queries the registry for installed security products before establishing persistence through scheduled tasks and WMI event subscriptions. The operation's infrastructure could potentially deliver any payload type, posing a significant threat to affected systems.
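The two persistence mechanisms named above, scheduled tasks and WMI event subscriptions, can be enumerated on a suspect host for triage. The following hunt script is an added example, not code from the Huntress report or from the operation itself; it assumes an elevated PowerShell session on Windows, and the keyword pattern used to flag task actions is an assumed heuristic, not an indicator from the report.

```powershell
# Added triage script (assumption: run elevated on a Windows host). It only lists
# candidates for an analyst to review; nothing is modified or removed.

function Get-WmiPersistence {
    # Permanent WMI subscriptions live in root\subscription. A __EventFilter bound
    # to a CommandLineEventConsumer is the usual "run a command on an event" shape.
    $ns = 'root\subscription'
    $consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    foreach ($b in $bindings) {
        # Filter and Consumer are CIM references carrying the key property Name.
        $c = $consumers | Where-Object Name -eq $b.Consumer.Name
        $f = $filters   | Where-Object Name -eq $b.Filter.Name
        if ($c) {
            [pscustomobject]@{
                Type        = 'WMI'
                Name        = $c.Name
                Trigger     = $f.Query                 # WQL event query that fires the consumer
                CommandLine = $c.CommandLineTemplate   # command executed when it fires
            }
        }
    }
}

function Get-SuspiciousScheduledTasks {
    # Assumed heuristic: task actions that launch PowerShell with encoded/hidden/
    # bypass arguments, or run out of user-writable paths, deserve a second look.
    $pattern = 'powershell|pwsh|-enc|-e |hidden|bypass|AppData|ProgramData|\\Temp\\'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            if ($cmd -match $pattern) {
                [pscustomobject]@{
                    Type        = 'ScheduledTask'
                    Name        = $task.TaskName
                    Trigger     = $task.TaskPath
                    CommandLine = $cmd
                }
            }
        }
    }
}

@(Get-WmiPersistence) + @(Get-SuspiciousScheduledTasks) | Format-Table -AutoSize -Wrap
```

Legitimate software (backup agents, management tools) also uses both mechanisms, so compare each hit against a known-good baseline rather than treating the list as findings.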
Why Is It Important?
This operation highlights a significant vulnerability in cybersecurity defenses, as it effectively neutralizes antivirus protections, leaving systems open to further attacks such as ransomware or data theft. The widespread nature of the infection, affecting high-value networks including universities, government entities, and healthcare organizations, underscores the potential for severe disruptions. The ability to disable antivirus software could lead to increased cybercrime activities, impacting data security and privacy. Organizations must reassess their security strategies to mitigate such threats and protect sensitive information.
What's Next?
Organizations affected by this operation need to take immediate steps to secure their systems, including updating security protocols and monitoring for unusual activities. Cybersecurity firms and antivirus vendors may need to develop new strategies to counteract such sophisticated attacks. Regulatory bodies might also consider implementing stricter guidelines for software certification to prevent misuse. The cybersecurity community will likely focus on enhancing detection and response capabilities to prevent similar incidents in the future.