Huntress researchers have traced what was initially classified as adware to a far more capable threat. The software's update domain was unregistered and could be bought for about $10, which would have handed whoever registered it covert control over more than 25,000 compromised endpoints worldwide.
Malware Evolution and Threat Analysis
The software examined in the investigation is code-signed by Dragon Boss Solutions, a firm based in the United Arab Emirates that claims to specialize in search monetization. It was originally classified as a potentially unwanted program (PUP) because of its browser-hijacking behaviour, but according to Huntress it later changed into something far more dangerous.
Beginning in March 2025, analysis showed the software dropping a PowerShell-based payload. Running with elevated privileges, that payload disabled security tooling, blocked access to update servers, and prevented security software from being reinstalled.
Persistence and Exploitation Mechanisms
The malware persisted through five scheduled tasks and WMI event subscriptions, so it survived reboots. It also added Windows Defender exclusions for the directories it used to stage later payloads, which could include cryptominers, ransomware, or information stealers.
The most serious finding concerned the software's update configuration rather than a bug in its code: its primary update domain (chromsterabrowser[.]com) was unregistered. Anyone who registered it could have pushed arbitrary code to every infected machine, and because the malware had already disabled endpoint protection and excluded its staging directories, that code would have run without interference from antivirus.
Global Impact and Security Measures
Huntress registered the domain and pointed it at a sinkhole to observe check-ins. Roughly 25,000 unique IP addresses, corresponding to live endpoints in 124 countries, contacted it for update instructions (unique IPs approximate the host count, since NAT can hide several machines behind one address). More than 12,000 of those addresses were in the United States.
The infections included high-value targets, with 324 endpoints belonging to sensitive networks. This group included 221 educational institutions, 41 operational technology (OT) networks, 35 government bodies, and three healthcare organizations. The affected OT networks spanned electric utilities, transportation providers, and critical infrastructure, with several Fortune 500 companies also impacted.
In response, Huntress has urged organizations to hunt for the campaign's indicators of compromise (IoCs) to determine whether they are affected, both to contain any current damage and to close the persistence and exclusion changes the malware leaves behind.
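As an added example, not Huntress's code or anything published with the article, the following PowerShell hunt checks a Windows host for the mechanisms described above: scheduled tasks that launch PowerShell with loader-style switches, permanent WMI event subscriptions, Defender exclusions on user-writable staging directories, and references to the update domain and code-signing publisher the article names. The loader-switch regex, the assumption that "blocked update servers" means hosts-file overrides, the vendor names in that pattern, and the directories searched for signed binaries are all assumptions; the article does not give the sample's task names, file paths or exact commands, so every hit is a lead for review rather than a confirmed infection.

```powershell
#Requires -RunAsAdministrator
# Added hunt script (not Huntress's or the vendor's code). Checks the generic
# persistence and evasion mechanisms the article describes; task names, paths
# and commands of the real sample are not stated there and are not assumed.
$Domain   = 'chromsterabrowser.com'   # update domain named in the article
$Signer   = 'Dragon Boss Solutions'   # code-signing publisher named in the article
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Type, [string]$Name, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Name = $Name; Detail = $Detail })
}

# 1. Scheduled tasks whose action runs PowerShell with loader-style switches
#    (assumed pattern: encoded/hidden/bypass/download-and-execute), or that
#    reference the update domain anywhere in the command line.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        $loader = $cmd -match '(?i)powershell|pwsh' -and
                  $cmd -match '(?i)-e(nc|c)?\s|-w(indowstyle)?\s+hidden|bypass|iex|invoke-expression|downloadstring'
        if ($loader -or $cmd -match [regex]::Escape($Domain)) {
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" $cmd
        }
    }
}

# 2. Permanent WMI event subscriptions. A clean workstation rarely has any
#    consumer bound in root\subscription, so every binding is listed for review.
$ns = 'root\subscription'
foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
    Add-Finding 'WmiBinding' "$($b.Filter)" "$($b.Consumer)"
}
foreach ($c in Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
    Add-Finding 'WmiConsumer' $c.Name $c.CommandLineTemplate
}
foreach ($c in Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue) {
    Add-Finding 'WmiConsumer' $c.Name $c.ScriptText
}

# 3. Defender exclusions and tampered settings. Exclusions under ProgramData,
#    AppData, Temp or Users\Public match the staging-directory pattern described.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    foreach ($p in @($mp.ExclusionPath) + @($mp.ExclusionProcess)) {
        if ($p -and $p -match '(?i)programdata|appdata|\\temp\\|\\users\\public') {
            Add-Finding 'DefenderExclusion' $p 'exclusion on a user-writable path'
        }
    }
    if ($mp.DisableRealtimeMonitoring) { Add-Finding 'DefenderSetting' 'DisableRealtimeMonitoring' 'True' }
}

# 4. Name resolution: hosts-file overrides that sink update or AV vendor hosts
#    (assumed blocking mechanism; vendor list is illustrative) and any cached
#    lookup of the update domain.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
Select-String -Path $hosts -Pattern '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+\S*(microsoft|windowsupdate|defender|symantec|sophos|crowdstrike|huntress)' |
    ForEach-Object { Add-Finding 'HostsOverride' $hosts $_.Line }
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$Domain*" -or $_.Name -like "*$Domain*" } |
    ForEach-Object { Add-Finding 'DnsCache' $_.Entry "$($_.Data)" }

# 5. Binaries signed by the named publisher in common install locations
#    (directories and depth are assumptions to keep the scan fast).
$roots = @($env:ProgramData, $env:LOCALAPPDATA, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-ChildItem -Path $roots -Include *.exe, *.dll -Recurse -Depth 3 -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -match [regex]::Escape($Signer)) {
            Add-Finding 'SignedBinary' $_.FullName $sig.SignerCertificate.Subject
        }
    }

if ($Findings.Count -eq 0) { 'No indicators found on this host.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated PowerShell session (Defender, WMI subscription and task queries need administrator rights). The scheduled-task and Defender checks will also surface legitimate management tooling that uses encoded PowerShell or broad exclusions, so treat the output as a triage list and pivot to the task's creation time, the binary's signer and the exclusion's contents before remediating.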
