Skip to content
.ca
sign in
6 mincritical

When PUPs Grow Fangs: Dragon Boss Solutions Left an Open Door on 25,000+ Endpoints

A potentially unwanted program (PUP) signed by Dragon Boss Solutions LLC utilizes a silent update mechanism to deploy a sophisticated AV-killing PowerShell payload. The updater's primary domain was left unregistered, creating a severe supply chain vulnerability that exposed over 25,000 endpoints to arbitrary code execution before being sinkholed by researchers.

Sens:ImmediateConf:highAnalyzed:2026-04-16reports

Authors: Huntress Research Team, Lindon Wass, Michael Elford

ActorsDragon Boss Solutions LLCChromnius
PUPWMI PersistenceAV KillerSupply Chain RiskAdware

Source:Huntress

IOCs · 5

Key Takeaways

  • Adware signed by Dragon Boss Solutions LLC deploys an AV-killing payload via a silent update mechanism.
  • The primary update domain was unregistered, exposing 25,000+ endpoints to arbitrary payload execution by anyone who registered it.
  • The payload (ClockRemoval.ps1) establishes WMI and scheduled task persistence to continuously kill AV processes and block reinstallation.
  • The script modifies the Windows hosts file to null-route AV vendor domains and adds Windows Defender exclusions for staging directories.
  • Huntress sinkholed the unregistered domain, observing connections from over 25,000 unique IPs, including critical infrastructure and Fortune 500 networks.

Affected Systems

  • Windows endpoints
  • Antivirus software (Malwarebytes, Kaspersky, McAfee, ESET, Windows Defender)

Attack Chain

A user installs a PUP signed by Dragon Boss Solutions LLC. The PUP uses an Advanced Installer update mechanism to silently fetch a payload (Setup.msi) from a remote C2 server. The MSI executes a PowerShell script (ClockRemoval.ps1) that establishes WMI and scheduled task persistence to continuously terminate AV processes. Finally, the script modifies the hosts file to block AV updates and adds Windows Defender exclusions for future staging directories.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article provides behavioral hunting guidance and IOCs but does not include explicit, ready-to-use detection rules like YARA or Sigma.

Detection Engineering Assessment

EDR Visibility: High — EDRs have strong visibility into WMI event consumer creation, scheduled task creation, PowerShell execution, and hosts file modifications. Network Visibility: Medium — Network monitoring can detect connections to the known C2 domains and the downloading of MSI files disguised as GIFs, but the traffic may be TLS encrypted. Detection Difficulty: Moderate — While the AV-killing behavior is noisy, the initial installation is via a signed, seemingly legitimate PUP, which might be ignored by analysts as low-priority adware.

Required Log Sources

  • Security Event 4688 (Process Creation)
  • Security Event 4698 (Scheduled Task Created)
  • WMI-Activity Operational Logs
  • PowerShell Script Block Logging (Event 4104)

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Look for WMI event subscriptions containing 'MbRemoval' or 'MbSetup' in the consumer name.WMI-Activity logs, EDR WMI telemetryPersistenceLow
Search for scheduled tasks referencing 'WMILoad' directories or 'ClockRemoval'.Windows Security Event 4698, EDR Scheduled Task telemetryPersistenceLow
Identify processes signed by 'Dragon Boss Solutions LLC' executing silently or spawning msiexec.exe.EDR process execution logs, Code signing logsExecutionLow
Monitor for modifications to the Windows hosts file redirecting known AV vendor domains to 0.0.0.0.EDR file modification logsDefense EvasionLow
Detect PowerShell commands adding Windows Defender exclusions for suspicious paths like DGoogle or EMicrosoft.PowerShell Script Block Logging, EDR command line logsDefense EvasionLow

Control Gaps

  • PUPs are often ignored or auto-allowed by security teams
  • Unregistered domains in hardcoded update mechanisms bypass standard threat intel blocks until discovered

Key Behavioral Indicators

  • WMI consumers named MbRemovalMbSetupKillConsumer
  • Scheduled tasks named DisableClockServicesFirst
  • msiexec.exe executing payloads from ProgramData updates folders
  • chrome.exe running with --simulate-outdated-no-au

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Search for and remove WMI event subscriptions containing 'MbRemoval' or 'MbSetup'.
  • Delete scheduled tasks referencing 'ClockRemoval' or 'WMILoad'.
  • Revert unauthorized modifications to the Windows hosts file.
  • Remove suspicious Windows Defender exclusions (e.g., DGoogle, EMicrosoft).

Infrastructure Hardening

  • Block known C2 domains at the firewall/DNS level.
  • Implement strict application control to prevent the execution of unauthorized signed binaries (e.g., Dragon Boss Solutions LLC).

User Protection

  • Ensure AV and EDR agents are actively running and have tamper protection enabled.
  • Audit endpoints for the presence of modified Chrome browsers or unwanted browser extensions.

Security Awareness

  • Educate users on the risks of downloading and installing Potentially Unwanted Programs (PUPs) or 'free' software bundles.

MITRE ATT&CK Mapping

  • T1059.001 - PowerShell
  • T1562.001 - Disable or Modify Tools
  • T1546.003 - Windows Management Instrumentation Event Subscription
  • T1053.005 - Scheduled Task
  • T1562.006 - Indicator Blocking
  • T1112 - Modify Registry
  • T1189 - Drive-by Compromise
  • T1195.002 - Compromise Software Supply Chain

Additional IOCs

  • Domains:
    • worldwidewebframework3[[.]]com - Sinkholed C2 domain
    • worldwidewebframework2[[.]]com - Active C2 domain
    • artificialupdates[[.]]com - Active C2 domain
    • dragonstraffic[[.]]com - Active C2 domain
    • updaterituals[[.]]com - Active C2 domain
    • chromsteraupdates[[.]]com - Active C2 domain
    • isready26[[.]]online - Payload hosting domain
  • Urls:
    • hxxps://worldwidewebframework3[[.]]com/download/updates-10[.]php - Update URL path
    • hxxps://worldwidewebuniverse3[[.]]com/download/updates-10[.]php - Update URL path
  • File Hashes:
    • 40ac30ce1e88c47f317700cc4b5aa0a510f98c89e11c32265971564930418372 (SHA256) - Setup.msi payload
    • 26ddd0712a101b27b018658b4072ad56bb4083026c797b0345b2cce43862fc83 (SHA256) - !_StringData payload containing installer instructions
    • da6aba50f9908f5f29d877dfaaca1ef6e03d597bb7b52bd294b4ec644fe7e6c0 (SHA256) - ClockRemoval-WmiBoot.ps1 script
  • File Paths:
    • C:\Program Files (x86)\RaceCarTwoolutions\RaceCarTwo\ - Example installation directory for the PUP
    • %SystemRoot%\System32\config\systemprofile\AppData\Local\WMILoad\ - Payload location for ClockRemoval.ps1
    • %LOCALAPPDATA%\DGoogle - Suspicious Defender exclusion path
    • %LOCALAPPDATA%\EMicrosoft - Suspicious Defender exclusion path
    • %LOCALAPPDATA%\DDapps - Suspicious Defender exclusion path
    • %ProgramData%\Chromnius - Suspicious Defender exclusion path
    • %ProgramData%\ChromniusEdge - Suspicious Defender exclusion path
  • Command Lines:
    • Purpose: Disable Chrome auto-update mechanism | Tools: chrome.exe | Stage: Defense Evasion | chrome.exe" --simulate-outdated-no-au="01 Jan 2199"
    • Purpose: Create scheduled task for AV removal at startup | Tools: schtasks.exe, powershell.exe | Stage: Persistence | schtasks.exe /create /tn DisableClockServicesFirst /tr
    • Purpose: Set PowerShell execution policy to unrestricted | Tools: powershell.exe | Stage: Execution | Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser -Force
  • Other:
    • MbRemovalMbSetupKillConsumer - WMI Event Consumer Name
    • MbRemovalMbSetupKillConsumerTrace - WMI Event Consumer Name
    • ClockSetupWmiAtBoot - Scheduled Task Name
    • DisableClockServicesFirst - Scheduled Task Name
    • DisableClockAtStartup - Scheduled Task Name
    • RemoveClockAtLogon - Scheduled Task Name
    • RemoveClockPeriodic - Scheduled Task Name
    • Dragon Boss Solutions LLC - Code Signing Certificate Subject Name