What started as a routine adware alert quickly turned into something far more serious.
On the morning of March 22, 2026, security alerts began firing across multiple managed environments, all linked to software signed by a company called Dragon Boss Solutions LLC.
The executables looked harmless at first glance, but they were quietly using a built-in update mechanism to carry out a multi-stage attack designed to kill antivirus tools and leave systems completely unprotected.
Dragon Boss Solutions LLC presents itself as a company engaged in “search monetization research.” Its signed software, however, had a much darker purpose.
Running with full SYSTEM privileges, these executables silently fetched and deployed payloads capable of disabling security products across infected machines.
The antivirus-killing behavior was first observed in late March 2025, though the underlying loaders and updaters had been present on victim systems since late 2024.
The operation used Advanced Installer, a legitimate off-the-shelf update tool, to deliver MSI and PowerShell-based payloads while hiding behind a layer of apparent legitimacy.
Huntress researchers James Northey and Ryan Dowd identified the threat after WMI persistence signals began triggering across managed environments.
Tracing the activity back, they discovered a signed executable named RaceCarTwo.exe as the origin of the entire infection chain.
From there, the attack deployed Setup.msi, which in turn executed a PowerShell script called ClockRemoval.ps1 — a powerful AV killer that not only shut down security processes but actively blocked any attempt to reinstall them.
What made the situation especially alarming was a critical flaw baked right into the update configuration.
The primary update domain, chromsterabrowser[.]com, was completely unregistered, meaning anyone willing to spend roughly $10 to register it would instantly gain the ability to push any payload to every infected endpoint running that software variant.
Huntress registered the domain first, pointed it to a sinkhole, and within hours, tens of thousands of infected systems began reaching out looking for instructions — ransomware, an infostealer, or anything else entirely.
Over a 24-hour monitoring window, 23,565 unique IP addresses connected to the sinkhole, confirming the true scale of live infections worldwide.
The geographic spread of the campaign was significant. The United States had the highest infection count with 12,697 hosts (53.9%), followed by France at 2,803 (11.9%), Canada at 2,380 (10.1%), the United Kingdom at 2,223 (9.4%), and Germany at 2,045 (8.7%).
.webp)
Among all infections, 324 were traced to high-value networks, including 221 universities and colleges, 41 operational technology networks tied to electric utilities and critical infrastructure, 35 government entities, 24 primary and secondary schools, and 3 healthcare organizations. Multiple Fortune 500 company networks were also among those affected.
Inside the AV-Killing Payload
The ClockRemoval.ps1 script was the core of the attack’s destructive capability. Once deployed through the MSI update package, it ran a thorough sweep of the infected system — killing antivirus processes, stripping their services through registry manipulation, and creating five scheduled tasks running as SYSTEM.
.webp)
These tasks — ClockSetupWmiAtBoot, DisableClockServicesFirst, DisableClockAtStartup, RemoveClockAtLogon, and RemoveClockPeriodic — ensured that security tools were removed on every boot, startup, and every 30 minutes.
.webp)
The script also modified the Windows hosts file to redirect AV vendor update domains, including those for Malwarebytes and Kaspersky, to 0.0.0.0, cutting off all reinstallation routes.
It added Windows Defender exclusions for paths like DGoogle, EMicrosoft, and DDapps — believed to be staging directories for future payloads.
Dragon Boss Solutions-signed Chrome binaries were also observed running with the flag --simulate-outdated-no-au="01 Jan 2199", permanently disabling Chrome’s auto-update feature.
Security teams should hunt for WMI event subscriptions containing “MbRemoval” or “MbSetup” in the consumer name, monitor scheduled tasks pointing to WMILoad directories or ClockRemoval scripts, flag any processes signed by Dragon Boss Solutions LLC, inspect the hosts file for blocked AV vendor domains, and check Windows Defender exclusion paths for suspicious entries such as DGoogle, EMicrosoft, or DDapps.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
