
What began as a routine adware alert quickly escalated into something far more serious.

On the morning of March 22, 2026, security alerts began firing across numerous managed environments, all tied to software signed by a company named Dragon Boss Solutions LLC.

The executables looked harmless at first, but they were quietly using a built-in update mechanism to deliver a multi-stage attack designed to disable antivirus software and leave systems fully exposed.

Dragon Boss Solutions LLC describes itself as a company doing "search monetization research." Its signed software, however, had a far more sinister purpose.

Running with full SYSTEM privileges, these executables quietly downloaded and installed payloads capable of disabling security products on infected machines.

The antivirus-killing behavior was first observed in late March 2025, although the underlying loaders and updaters had been present on victim systems since late 2024.

The operation used Advanced Installer, a legitimate commercial installer and updater framework, to run MSI and PowerShell payloads behind a veneer of legitimacy.

Huntress researchers James Northey and Ryan Dowd identified the threat after WMI persistence detections began firing across multiple managed environments.

Tracing the activity back, they identified a signed executable named RaceCarTwo.exe as the origin of the entire infection chain.

That executable then ran Setup.msi, which in turn launched a PowerShell script named ClockRemoval.ps1, an aggressive AV killer that not only stopped security products but also actively blocked any attempt to reinstall them.

What made the situation especially alarming was a serious weakness in the update configuration itself.

The primary update domain, chromsterabrowser[.]com, was completely unregistered, meaning anyone willing to spend roughly $10 to register it would immediately gain the ability to push arbitrary payloads to every infected endpoint running that software variant.

Huntress registered the domain first and pointed it at a sinkhole. Within hours, tens of thousands of compromised systems were checking in for instructions that could just as easily have been ransomware, an infostealer, or anything else.

Over a 24-hour monitoring window, 23,565 unique IP addresses connected to the sinkhole, confirming the true scale of active infections worldwide.

The campaign's geographic footprint was broad. The United States accounted for the most infections with 12,697 hosts (53.9%), followed by France with 2,803 (11.9%), Canada with 2,380 (10.1%), the United Kingdom with 2,223 (9.4%), and Germany with 2,045 (8.7%).

Diagram of the attack chain (Source: Huntress)

Of these infections, 324 were traced to high-value networks: 221 universities and colleges, 41 operational technology networks tied to electric utilities and critical infrastructure, 35 government organizations, 24 K-12 schools, and 3 healthcare organizations. Several Fortune 500 corporate networks were also among those affected.


Inside the AV-Killing Payload

The ClockRemoval.ps1 script was the core of the attack's destructive capability. Once launched by the MSI update package, it swept the compromised system, killing antivirus processes, deleting their services through registry edits, and creating five scheduled tasks that run as SYSTEM.

Summary at the start of !_StringData in ClockRemoval.ps1 (Source: Huntress)

These tasks (ClockSetupWmiAtBoot, DisableClockServicesFirst, DisableClockAtStartup, RemoveClockAtLogon, and RemoveClockPeriodic) ensured that security software was removed at every boot and startup, at logon, and again every 30 minutes.

Excerpt of the Initialize-MbSetupWmiKill function in !_StringData, ClockRemoval.ps1 (Source: Huntress)

The script also modified the Windows hosts file to point AV vendor update domains, including those for Malwarebytes and Kaspersky, at 0.0.0.0, cutting off every path to reinstallation.

It also added Windows Defender exclusions for directories named DGoogle, EMicrosoft, and DDapps, believed to be staging locations for follow-on payloads.

Chrome binaries signed by Dragon Boss Solutions were also observed running with the flag --simulate-outdated-no-au="01 Jan 2199", which effectively disables Chrome's auto-update indefinitely.

Security teams should hunt for WMI event subscriptions whose consumer name contains "MbRemoval" or "MbSetup"; look for scheduled tasks that reference WMILoad directories or ClockRemoval scripts; identify any running process signed by Dragon Boss Solutions LLC; inspect the hosts file for null-routed AV vendor domains; and review Windows Defender exclusion paths for suspicious entries such as DGoogle, EMicrosoft, or DDapps.
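The following PowerShell triage script is an added example, not Huntress tooling or code from the campaign. It runs the five checks listed above on a single Windows host: WMI consumer and binding names, scheduled task names and actions, Authenticode signer of running processes (plus the Chrome update-suppression flag), hosts-file overrides, and Defender path exclusions. The task-name pattern, the "Dragon Boss Solutions" signer match, the staging-folder names, and the Malwarebytes/Kaspersky domains come from the article; the wider AV vendor list and the overall structure are assumptions and should be adjusted for the products deployed in your environment.

```powershell
#Requires -RunAsAdministrator
# Added host-triage example for the ClockRemoval.ps1 indicators described above.
# Not Huntress code. Indicator strings from the article; the $avVendorPattern
# list beyond malwarebytes/kaspersky is an assumption.

$findings = New-Object System.Collections.Generic.List[string]

# 1. WMI permanent event subscriptions whose consumer name mentions MbRemoval/MbSetup.
#    Querying the abstract __EventConsumer class returns every derived consumer type.
Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match 'MbRemoval|MbSetup' } |
    ForEach-Object { $findings.Add("WMI consumer: $($_.Name) [$($_.CimClass.CimClassName)]") }

# Bindings tie a filter to a consumer; list them so both halves can be removed together.
Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    Where-Object { $_.Consumer -match 'MbRemoval|MbSetup' } |
    ForEach-Object { $findings.Add("WMI binding: $($_.Filter) -> $($_.Consumer)") }

# 2. Scheduled tasks named like the five persistence tasks, or whose action
#    references a WMILoad directory or a ClockRemoval script.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    $actionText = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    if ($task.TaskName -match 'Clock(SetupWmi|Services|AtStartup|AtLogon|Periodic)' -or
        $actionText -match 'WMILoad|ClockRemoval') {
        $findings.Add("Scheduled task: $($task.TaskPath)$($task.TaskName) -> $actionText")
    }
}

# 3. Running processes whose image is Authenticode-signed by Dragon Boss Solutions LLC,
#    plus any process (Chrome) launched with the auto-update-disabling flag.
Get-CimInstance -ClassName Win32_Process | ForEach-Object {
    $p = $_
    if ($p.ExecutablePath) {
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath -ErrorAction SilentlyContinue
        if ($sig -and $sig.SignerCertificate -and
            $sig.SignerCertificate.Subject -match 'Dragon Boss Solutions') {
            $findings.Add("Signed process: PID $($p.ProcessId) $($p.ExecutablePath)")
        }
    }
    if ($p.CommandLine -match 'simulate-outdated-no-au') {
        $findings.Add("Chrome update suppressed: PID $($p.ProcessId) $($p.CommandLine)")
    }
}

# 4. hosts-file entries that null-route AV vendor domains (0.0.0.0 or loopback).
#    Vendor list beyond Malwarebytes/Kaspersky is an assumption; extend as needed.
$avVendorPattern = 'malwarebytes|kaspersky|bitdefender|eset|sophos|avast|avg|mcafee|symantec|norton|trendmicro'
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content -Path $hostsPath -ErrorAction SilentlyContinue | ForEach-Object {
    $line = $_.Trim()
    if ($line -and -not $line.StartsWith('#') -and
        $line -match '^(0\.0\.0\.0|127\.0\.0\.1)\s+(\S+)' -and
        $Matches[2] -match $avVendorPattern) {
        $findings.Add("hosts override: $line")
    }
}

# 5. Windows Defender path exclusions pointing at the suspected staging folders.
$prefs = Get-MpPreference -ErrorAction SilentlyContinue
foreach ($path in @($prefs.ExclusionPath | Where-Object { $_ })) {
    if ($path -match 'DGoogle|EMicrosoft|DDapps') {
        $findings.Add("Defender exclusion: $path")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Dragon Boss / ClockRemoval indicators found on this host.'
} else {
    Write-Output "Found $($findings.Count) indicator(s):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell session (WMI subscription enumeration and Get-MpPreference need administrator rights). A clean host prints the "No ... indicators" line; any hit is printed with enough context (task path and action, PID and image path, the raw hosts line) to pivot straight into removal. Because the script only reads state and never deletes anything, it is safe to push fleet-wide through RMM before deciding on remediation.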
