- Huntress sinkholes adware from Dragon Boss Solutions LLC
- Malware disabled antivirus; update domains were left open and exploitable for $10
- Tens of thousands of compromised endpoints, including universities, OT networks, governments and Fortune 500 companies
Huntress security researchers recently came across adware that by all accounts should have been an annoying and run-of-the-mill ad-displaying nuisance. However, what they discovered beneath the surface raised a few eyebrows and warranted further investigation.
In late March 2026, Huntress was alerted to software signed by a company called Dragon Boss Solutions LLC. This company, which purportedly worked on “search monetization” (but only showed unwanted ads and redirects to users), had an advanced update mechanism that disabled antivirus programs and prevented them from restarting.
By analyzing how the malware worked, researchers discovered that the threat actors had not registered the primary or backup update domain, which presented both a major risk and a huge opportunity to do good.
“More worryingly, it turned out that there was an open door right in its update setup, one that anyone with $10 could have walked straight through,” Huntress said. In other words, someone could have registered these domains and thus taken control of a large network of infected computers.
Instead, it was Huntress who purchased the domains, blocking all infected hosts from connecting.
“Within hours,” they saw “tens of thousands of compromised terminals searching for instructions that, in the wrong hands, could have been anything.”
By analyzing inbound IP addresses, Huntress researchers discovered 324 infected devices at high-value locations, including 221 academic institutions, 41 operational technology networks in the energy and transportation sectors, 35 municipal governments, state agencies and utilities, 24 K-12 educational institutions, and 3 healthcare organizations. The networks of several Fortune 500 companies were also compromised.
To stay safe, researchers recommend system administrators look for WMI event subscriptions containing “MbRemoval” or “MbSetup,” scheduled tasks referencing “WMILoad” or “ClockRemoval,” and processes signed by Dragon Boss Solutions LLC.