Signed Adware Operation Disables Antivirus Across 23,000 Hosts

By Team-CWD, April 16, 2026
A signed software operation linked to a company called Dragon Boss Solutions LLC has reportedly been silently disabling antivirus products on more than 23,000 endpoints worldwide.

According to research published by Huntress on Tuesday, the campaign used a legitimate code-signing certificate and an off-the-shelf update mechanism to deploy a PowerShell-based payload that systematically kills, uninstalls and blocks the reinstallation of security tools.

Huntress researchers first observed the antivirus-killing behavior in late March 2025, though the underlying loaders had been present on some hosts since late 2024. The executables use the updater built into Advanced Installer, a commercial packaging tool, to poll remote servers for MSI-based updates, so nothing in the update channel itself looks custom-built.

Once delivered, a script called ClockRemoval.ps1 executes with SYSTEM privileges, targeting products from Malwarebytes, Kaspersky, McAfee and ESET.

How the Attack Chain Works

Before deploying its full capabilities, the payload checks for admin status, detects virtual machines and queries the registry for installed security products.

It then establishes five scheduled tasks and Windows Management Instrumentation (WMI) event subscriptions that re-launch the payload at boot, at logon and every 30 minutes, so it survives reboots and is re-applied even if a product manages to reinstall itself.

A tight polling loop kills matching AV processes every 100 milliseconds for 20 seconds at boot, terminating security tools before they can initialize. The script also strips registry entries, runs vendor uninstallers silently and modifies the Windows hosts file to redirect AV update domains to 0.0.0.0.

Microsoft Defender exclusions are added for directories named DGoogle and EMicrosoft, which appear to serve as staging areas for follow-on payloads.
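Two of the artifacts above (a hosts file that black-holes vendor update domains, and a tight kill loop against AV processes) are cheap to hunt for once you have collected the hosts file and process-termination telemetry from a suspect host. The following is an added example, not code from the Huntress report or from the page; the hosts file contents, the vendor domain example-av.com, the process name AVService.exe and the timestamps are all constructed for illustration.

```python
"""Offline triage helpers for the AV-killer behaviour described above.

Both inputs below are constructed for illustration; nothing here is an
artifact from the campaign or from the Huntress report.
"""
from collections import defaultdict

# Constructed hosts file: two vendor update/licensing hosts black-holed to
# 0.0.0.0, one to 127.0.0.1, plus the normal localhost lines and an
# unrelated intranet override that must not be flagged.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 update.example-av.com  # hypothetical vendor update host
0.0.0.0\tlicense.example-av.com
127.0.0.1 telemetry.example-av.com
192.0.2.10 intranet.corp.example
"""

# Addresses that effectively black-hole a name, and names that legitimately
# point at them in a stock hosts file.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs; handles comments, tabs and multi-name lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower()


def suspicious_hosts_entries(text, watch_suffixes):
    """Return (hostname, ip, tag) for every non-local name sent to a sinkhole.

    Names under one of watch_suffixes (the vendor domains you care about) are
    tagged 'vendor'; anything else black-holed is still reported as 'other',
    because ad-blocking hosts lists look the same and need a human decision.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if ip in SINKHOLE_IPS and name not in LOCAL_NAMES:
            vendor = any(name == s or name.endswith("." + s) for s in watch_suffixes)
            findings.append((name, ip, "vendor" if vendor else "other"))
    return findings


# Constructed process-termination telemetry as (unix_time_seconds, image):
# a 100 ms kill loop hitting a hypothetical "AVService.exe" ten times in the
# first second after boot, one unrelated termination, and one more
# avservice.exe exit much later (a normal restart, not part of the burst).
BOOT = 1_700_000_000.0
SAMPLE_TERMINATIONS = [(BOOT + 0.1 * i, "AVService.exe") for i in range(10)]
SAMPLE_TERMINATIONS += [(BOOT + 3.0, "notepad.exe"), (BOOT + 30.5, "avservice.exe")]


def kill_bursts(events, window_s=1.0, min_hits=5):
    """Return {image: max_hits} for images terminated >= min_hits times inside
    any sliding window of window_s seconds.

    A 100 ms kill loop shows up as roughly ten terminations per second of the
    same image; a service crashing once or restarting normally does not.
    """
    by_image = defaultdict(list)
    for ts, image in events:
        by_image[image.lower()].append(ts)
    bursts = {}
    for image, stamps in by_image.items():
        stamps.sort()
        best, start = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            bursts[image] = best
    return bursts


if __name__ == "__main__":
    for name, ip, tag in suspicious_hosts_entries(SAMPLE_HOSTS, {"example-av.com"}):
        print(f"hosts: {name} -> {ip} [{tag}]")
    for image, hits in kill_bursts(SAMPLE_TERMINATIONS).items():
        print(f"kill burst: {image} terminated {hits}x within 1s")
```

On a live Windows host the hosts file is `%SystemRoot%\System32\drivers\etc\hosts`, and the termination events come from whatever your EDR or Sysmon configuration exports; feed the parsed (timestamp, image) pairs into `kill_bursts` with the window and threshold tuned to your telemetry rate. Entries tagged `other` are not automatically malicious, since ad-blocking hosts lists use the same 0.0.0.0 trick, which is why the function reports them separately rather than dropping them.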


What elevated the threat was the discovery that one of the primary update domains in the operation's configuration was unregistered. Anyone willing to spend a few dollars on the registration could have pushed arbitrary payloads to every affected host, because the updater on each machine would fetch and run whatever that domain served.
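The same failure mode applies to any software you ship or operate that pulls updates from a hard-coded hostname: if the name lapses or was never registered, whoever registers it owns your update channel. The check below is an added example, not code from the page or from Huntress; the URL list is constructed (example.com and example.invalid are reserved names), and the `resolves` callback is injectable so the logic can be exercised without network access.

```python
"""Audit a list of update endpoints for dangling or cleartext hosts.

Added example; the URL list is constructed and the config format of the
software described on the page is not known, so you supply the URLs.
"""
import socket
from urllib.parse import urlsplit

# Constructed update-endpoint list. example.invalid never resolves (RFC 2606),
# standing in for an unregistered update domain.
SAMPLE_UPDATE_URLS = [
    "https://updates.example.com/app/updates.txt",
    "http://updates.example.invalid/app/updates.txt",
]


def default_resolver(host):
    """True if the name resolves to at least one address (uses the network)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def audit_update_endpoints(urls, resolves=default_resolver):
    """Return (host, issues) per URL.

    'dangling'  : the host does not resolve; confirm with RDAP/WHOIS before
                  concluding it is unregistered, since a DNS outage or a split
                  horizon gives the same symptom.
    'cleartext' : non-HTTPS channel; an attacker on the path, not just the
                  domain owner, can substitute an update.
    """
    findings = []
    for url in urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        issues = []
        if parts.scheme != "https":
            issues.append("cleartext")
        if not host or not resolves(host):
            issues.append("dangling")
        findings.append((host, tuple(issues)))
    return findings


if __name__ == "__main__":
    for host, issues in audit_update_endpoints(SAMPLE_UPDATE_URLS):
        print(f"{host}: {', '.join(issues) or 'ok'}")
```

Run it against the update URLs extracted from your own installers' configuration. A hit on `dangling` is the moment to register the name yourself, as Huntress did here, before someone else does; a hit on `cleartext` means signature verification of the downloaded package is the only thing standing between you and a hostile update.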

Sinkhole Reveals Global Infection Footprint

Huntress registered the domain first and pointed it to a sinkhole. Within 24 hours, 23,565 unique IP addresses requested instructions. Infections spanned 124 countries, with the US accounting for roughly 54% of connections, followed by France, Canada, the UK and Germany.

The firm identified 324 infections on high-value networks, including:

  • 221 universities and colleges

  • 41 operational technology networks, including electric utilities

  • 35 government entities

  • Three healthcare organizations

According to CrunchBase, Dragon Boss Solutions is based in Sharjah, United Arab Emirates, and describes itself as conducting "search monetization research." AV vendors have historically classified the company's software as adware with browser-hijacking functionality.

While the immediate payload remains an AV killer, Huntress warned that the update infrastructure could deliver any payload type. With antivirus already neutralized, the operation could pivot to ransomware, cryptomining or data theft without additional exploitation.
