The discovery of a significant security breach involving Dragon Boss Solutions has revealed a widespread cyber threat, compromising over 25,000 endpoints worldwide. This alarming incident, first detected on March 22, 2026, underscores the growing sophistication of supply chain attacks targeting software update mechanisms.
Initial Discovery and Attack Mechanism
The breach, initially perceived as a routine adware alert, quickly escalated in severity across multiple managed environments. The source of the threat was traced to software signed by Dragon Boss Solutions LLC, a company ostensibly involved in search monetization research. However, its software harbored malicious capabilities. Utilizing update mechanisms, the software executed a multi-stage attack that incapacitated antivirus defenses, leaving systems unprotected.
These executables, operating with full SYSTEM privileges, deployed payloads that effectively disabled security products on infected machines. Notably, the antivirus-neutralizing activity was first observed in March 2025, although the loaders had been present since late 2024.
Attack Vector and Geographic Impact
The attackers exploited Advanced Installer, a legitimate updating tool, to deliver malicious MSI and PowerShell payloads, creating a facade of legitimacy. The infection chain was traced back to a signed executable named RaceCarTwo.exe, which deployed Setup.msi and a powerful PowerShell script called ClockRemoval.ps1. This script not only neutralized security processes but also prevented their reinstallation.
A critical flaw in the update configuration compounded the threat. The primary update domain, chromsterabrowser[.]com, was unregistered, so anyone who registered the domain could take control of the update process. Huntress researchers preemptively registered it and redirected traffic to a sinkhole, which revealed over 23,565 unique IP connections in just 24 hours.
Scope of Infections and Response
The campaign affected systems globally, with the U.S. accounting for 53.9% of infections, followed by France, Canada, the UK, and Germany. High-value networks, including universities, government entities, and Fortune 500 companies, were also compromised. The ClockRemoval.ps1 script’s destructive capability was central to the attack, systematically disabling antivirus software and modifying system configurations to prevent reinstatement.
Security teams are advised to monitor for WMI event subscriptions with names like “MbRemoval” or “MbSetup,” inspect scheduled tasks linked to suspicious directories, and scrutinize any processes signed by Dragon Boss Solutions LLC. Additionally, checking hosts files for blocked antivirus domains and Windows Defender exclusions for irregular entries is crucial.
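As an added example (not code from the article or from Huntress), the following read-only PowerShell triage script checks each of the indicators just listed on a single Windows host and prints what it finds for an analyst to review. The WMI subscription names, the signer name and the file names come from the article; the directory pattern used to flag a scheduled task as suspicious is an assumption that an analyst would tune to their environment.

```powershell
# Added triage example; run in an elevated PowerShell session on the host being checked.
# The script only reads state (WMI, tasks, processes, hosts file, Defender config).
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Permanent WMI event subscriptions whose filter, consumer or binding
#    mentions the names reported in the article.
$WmiNamePattern = 'MbRemoval|MbSetup'   # names from the article
foreach ($cls in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
    Get-CimInstance -Namespace 'root\subscription' -ClassName $cls -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = ($_.CimInstanceProperties | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
            if ($props -match $WmiNamePattern) {
                $Findings.Add("WMI $cls matches '$WmiNamePattern': $props")
            }
        }
}

# 2. Scheduled tasks whose actions run from user-writable directories or
#    reference the file names from the infection chain.
# ASSUMPTION: which directories count as "suspicious" is site-specific; this
# pattern is a noisy starting point, not a verdict.
$SuspiciousDirPattern = '\\(Temp|Users\\Public|AppData\\Local)\\'
$KnownFilePattern     = 'ClockRemoval\.ps1|Setup\.msi|RaceCarTwo\.exe'   # from the article
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -and ($cmd -match $SuspiciousDirPattern -or $cmd -match $KnownFilePattern)) {
            $Findings.Add("Scheduled task '$($task.TaskPath)$($task.TaskName)' runs: $cmd")
        }
    }
}

# 3. Running processes whose image is signed by the publisher named in the article.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
        if ($sig -and $sig.SignerCertificate -and
            $sig.SignerCertificate.Subject -match 'Dragon Boss Solutions') {
            $Findings.Add("Process $($_.ProcessName) (PID $($_.Id)) at $($_.Path) signed by " +
                          "'$($sig.SignerCertificate.Subject)' [status: $($sig.Status)]")
        }
    }

# 4. hosts-file entries that sink a domain to a loopback/null address. Blocking
#    antivirus update domains this way is the behaviour the article describes,
#    so every non-localhost entry of this kind is surfaced for review.
$HostsPath     = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$LoopbackAddrs = @('0.0.0.0', '127.0.0.1', '::1')
Get-Content -Path $HostsPath -ErrorAction SilentlyContinue | ForEach-Object {
    $line = ($_ -split '#')[0].Trim()          # drop trailing comments
    if (-not $line) { return }
    $parts = $line -split '\s+'
    if ($parts.Count -ge 2 -and ($LoopbackAddrs -contains $parts[0])) {
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            if ($name -notmatch '^(localhost|localhost\.localdomain)$') {
                $Findings.Add("hosts file sinks '$name' -> $($parts[0])")
            }
        }
    }
}

# 5. Windows Defender exclusions and real-time state; every exclusion is listed
#    because "irregular" is a judgement the analyst makes against a baseline.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($entry in @($mp.$kind)) {
            if ($entry) { $Findings.Add("Defender $kind exclusion: $entry") }
        }
    }
    if ($mp.DisableRealtimeMonitoring) { $Findings.Add('Defender real-time monitoring is DISABLED') }
}

if ($Findings.Count -eq 0) { 'No indicators matched on this host.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Each finding is a lead rather than a confirmation: scheduled tasks in `AppData\Local` and Defender path exclusions are common in healthy environments, so the output is meant to be compared against a known-good baseline, while a match on the WMI names, the signer name or a hosts entry that nulls a security vendor's domain warrants immediate isolation and deeper investigation.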
This incident highlights the need for vigilant monitoring of software updates and robust security measures to defend against sophisticated cyber threats. As the cyber landscape evolves, organizations must remain proactive to safeguard their systems from similar vulnerabilities.
