A digitally signed adware tool distributed by Dragon Boss Solutions LLC uses an Advanced Installer update mechanism to silently deploy MSI and PowerShell payloads that run with SYSTEM privileges and disable antivirus protections on thousands of endpoints across the education, utilities, government, and healthcare sectors. Huntress researchers sinkholed the unregistered update domain after observing over 23,500 infected hosts in 124 countries, and warn that the existing infrastructure and AV-killing mechanism could be leveraged to push far more dangerous payloads. #DragonBossSolutions #ClockRemoval
Key points
- Digitally signed PUPs from Dragon Boss Solutions install payloads that run as SYSTEM.
- The campaign leverages Advanced Installer updates to silently deliver MSI and PowerShell components.
- ClockRemoval.ps1 repeatedly disables antivirus by stopping services, killing processes, deleting files, and blocking vendor domains.
- Researchers observed more than 23,500 infected hosts in 124 countries, including hundreds in high-value networks.
- The main update domain was unregistered, which allowed researchers to sinkhole connections to it and highlights the risk that the same mechanism could push arbitrary payloads.
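As an added defender-side example (not code from the Huntress report or from the Dragon Boss tooling), the following correlation flags hosts that combine several of the four behaviours attributed to ClockRemoval.ps1 above: stopping the security product's service, killing its process, deleting its files, and blocking its domains via the hosts file. The telemetry lines and the service, process, path and domain watchlists are constructed placeholders; a real deployment would populate them from the products in its own estate.

```python
import re
from collections import defaultdict

# Constructed sample telemetry, one event per line: "<host>|<event_type>|<detail>".
# Hosts, vendor names and domains are placeholders, not indicators from the report.
SAMPLE_EVENTS = """\
ws-017|ProcessCreate|powershell.exe -Command Stop-Service -Name 'ExampleAVService' -Force
ws-017|ProcessCreate|taskkill.exe /F /IM exampleav.exe
ws-017|FileDelete|C:\\Program Files\\ExampleAV\\exampleav.exe
ws-017|FileWrite|C:\\Windows\\System32\\drivers\\etc\\hosts 127.0.0.1 update.exampleav.example
ws-042|ProcessCreate|powershell.exe -Command Stop-Service -Name 'Spooler'
ws-042|ProcessCreate|notepad.exe C:\\Users\\a\\notes.txt
srv-003|ProcessCreate|sc.exe stop ExampleAVService
srv-003|FileWrite|C:\\Windows\\System32\\drivers\\etc\\hosts 127.0.0.1 telemetry.exampleav.example
"""

# Hypothetical watchlist for the deployed security product (assumed names).
AV_SERVICES = {"exampleavservice"}
AV_PROCESSES = {"exampleav.exe"}
AV_PATHS = ("\\program files\\exampleav\\",)
AV_DOMAINS = ("exampleav.example",)

SERVICE_STOP = re.compile(r"(?:stop-service\s+-name\s+'?\"?|sc(?:\.exe)?\s+stop\s+|net(?:\.exe)?\s+stop\s+)([\w.-]+)", re.I)
PROC_KILL = re.compile(r"(?:taskkill(?:\.exe)?.*?/im\s+|stop-process\s+-name\s+'?\"?)([\w.-]+)", re.I)
HOSTS_FILE = re.compile(r"\\drivers\\etc\\hosts\b.*?\b(127\.0\.0\.1|0\.0\.0\.0)\s+([\w.-]+)", re.I)

def classify(event_type, detail):
    """Map one event to an AV-tampering technique, or None if it is not one."""
    if event_type == "ProcessCreate":
        m = SERVICE_STOP.search(detail)
        if m and m.group(1).lower() in AV_SERVICES:
            return "service_stop"
        m = PROC_KILL.search(detail)
        if m and m.group(1).lower() in AV_PROCESSES:
            return "process_kill"
    elif event_type == "FileDelete" and any(p in detail.lower() for p in AV_PATHS):
        return "file_delete"
    elif event_type == "FileWrite":
        m = HOSTS_FILE.search(detail)
        if m and m.group(2).lower().endswith(AV_DOMAINS):
            return "domain_block"
    return None

def tampering_by_host(log_text):
    """Return {host: set(techniques)} for every host showing at least one technique."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        host, event_type, detail = line.split("|", 2)
        tech = classify(event_type, detail)
        if tech:
            seen[host].add(tech)
    return dict(seen)

def flagged_hosts(log_text, min_techniques=2):
    """Stopping one service is routine maintenance; combining distinct techniques is the AV-killer pattern."""
    return sorted(h for h, t in tampering_by_host(log_text).items() if len(t) >= min_techniques)
```

Raising `min_techniques` trades recall for precision: at 2 the partially observed `srv-003` is still flagged, at 3 only the fully instrumented `ws-017` is.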