{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/adware/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["adware","antivirus-evasion","malware","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA digitally signed adware tool distributed by Dragon Boss Solutions LLC has been observed deploying payloads designed to disable antivirus protections. The campaign, discovered by Huntress on March 22, 2026, leverages signed executables initially classified as potentially unwanted programs (PUPs) to gain a foothold on victim machines. These PUPs, often disguised as browser tools like Chromstera Browser, Chromnius, WorldWideWeb, Web Genius, and Artificius Browser, use an advanced update mechanism to deliver malicious payloads. This update mechanism, powered by the commercial Advanced Installer, silently deploys MSI and PowerShell scripts with elevated SYSTEM privileges. This allows the threat actors to disable or remove antivirus software without user interaction. The campaign has impacted over 23,500 hosts across 124 countries, including high-value networks in the educational, utilities, government, and healthcare sectors.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial infection occurs via the installation of signed adware tools (PUPs) from Dragon Boss Solutions LLC, such as Chromnius or WorldWideWeb.\u003c/li\u003e\n\u003cli\u003eThe adware uses the Advanced Installer update mechanism to silently download and execute an MSI payload (Setup.msi) disguised as a GIF image.\u003c/li\u003e\n\u003cli\u003eThe MSI payload is executed with SYSTEM privileges, allowing it to bypass user account control (UAC) restrictions.\u003c/li\u003e\n\u003cli\u003eThe MSI installer performs reconnaissance, checking admin status, detecting virtual machines, verifying internet connectivity, and identifying installed antivirus products from Malwarebytes, Kaspersky, McAfee, and ESET.\u003c/li\u003e\n\u003cli\u003eA PowerShell script (ClockRemoval.ps1) is deployed to disable the detected security products by stopping services, killing processes, deleting installation directories and registry entries, silently running vendors\u0026rsquo; uninstallers, and forcefully deleting files.\u003c/li\u003e\n\u003cli\u003eThe ClockRemoval.ps1 script is scheduled to run at system boot, logon, and every 30 minutes to ensure persistent removal of antivirus products.\u003c/li\u003e\n\u003cli\u003eThe hosts file is modified to block access to antivirus vendor domains, preventing reinstallation or updates of the security software.\u003c/li\u003e\n\u003cli\u003eWith antivirus protections disabled, the compromised system becomes vulnerable to further exploitation and malware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis campaign has impacted over 23,500 hosts across 124 countries. Identified infected hosts include 221 academic institutions, 41 operational technology networks, 35 municipal governments and public utilities, 24 primary and secondary educational institutions, and 3 healthcare organizations. The disabling of antivirus software leaves systems vulnerable to further malware infections, data breaches, and other malicious activities. The potential exists for threat actors to leverage this established infrastructure to deploy far more dangerous payloads.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule detecting the ClockRemoval.ps1 script execution to your SIEM to identify affected systems.\u003c/li\u003e\n\u003cli\u003eMonitor for WMI event subscriptions containing \u0026ldquo;MbRemoval\u0026rdquo; or \u0026ldquo;MbSetup,\u0026rdquo; scheduled tasks referencing \u0026ldquo;WMILoad\u0026rdquo; or \u0026ldquo;ClockRemoval,\u0026rdquo; and processes signed by Dragon Boss Solutions LLC, as recommended by Huntress.\u003c/li\u003e\n\u003cli\u003eReview the hosts file for entries blocking AV vendor domains and check Microsoft Defender exclusions for suspicious paths such as \u0026ldquo;DGoogle,\u0026rdquo; \u0026ldquo;EMicrosoft,\u0026rdquo; or \u0026ldquo;DDapps.\u0026rdquo;\u003c/li\u003e\n\u003cli\u003eBlock the C2 domains chromsterabrowser[.]com and worldwidewebframework3[.]com at the DNS resolver.\u003c/li\u003e\n\u003cli\u003eInvestigate systems that have downloaded the Setup.msi payload, identified by its hash.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T12:00:00Z","date_published":"2026-04-16T12:00:00Z","id":"/briefs/2026-04-dragon-boss-adware/","summary":"Digitally signed adware from Dragon Boss Solutions LLC deploys payloads with SYSTEM privileges to disable antivirus protections on thousands of endpoints across education, utilities, government, and healthcare sectors.","title":"Dragon Boss Solutions Adware Disabling Antivirus Protections","url":"https://feed.craftedsignal.io/briefs/2026-04-dragon-boss-adware/"}],"language":"en","title":"CraftedSignal Threat Feed — Adware","version":"https://jsonfeed.org/version/1.1"}