A digitally signed adware tool from Dragon Boss Solutions LLC has been deploying antivirus-killing payloads with SYSTEM privileges across thousands of endpoints globally. The campaign, discovered by Huntress on March 22, used the Advanced Installer update mechanism to silently deliver MSI and PowerShell payloads disguised as GIF images. A PowerShell script called ClockRemoval.ps1 persistently disables AV products (Malwarebytes, Kaspersky, McAfee, ESET) by stopping services, deleting files, blocking vendor domains via the hosts file, and preventing reinstallation. Over 23,500 infected hosts in 124 countries were observed in a single day, including 324 in high-value networks such as academic institutions, government agencies, OT networks, and healthcare. Huntress sinkholed the main update domain, preventing further payload delivery. Defenders are advised to check for WMI subscriptions referencing 'MbRemoval', scheduled tasks with 'ClockRemoval', and hosts file entries blocking AV vendor domains.

From bleepingcomputer.com
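As an added example (not code from the article, from Huntress or from BleepingComputer), a PowerShell hunt that checks a single host for the three indicators the summary names: WMI event subscriptions referencing 'MbRemoval', scheduled tasks referencing 'ClockRemoval', and hosts-file entries that block AV vendor domains. The function name `Invoke-AvKillerHunt` and the vendor-domain pattern are assumptions; the pattern is built only from the four vendors the summary lists.

```powershell
function Invoke-AvKillerHunt {
    # Added example: hunts for the persistence artefacts described in the summary.
    $ErrorActionPreference = 'SilentlyContinue'
    $findings = @()

    # 1. Permanent WMI event subscriptions (filter, consumer, binding) mentioning 'MbRemoval'
    $wmiClasses = '__EventFilter', 'CommandLineEventConsumer',
                  'ActiveScriptEventConsumer', '__FilterToConsumerBinding'
    foreach ($class in $wmiClasses) {
        Get-CimInstance -Namespace root/subscription -ClassName $class |
            Where-Object { ($_ | Select-Object -Property * | Out-String) -match 'MbRemoval' } |
            ForEach-Object {
                $name = $_.CimInstanceProperties['Name'].Value
                $findings += "WMI subscription ($class) references MbRemoval: $name"
            }
    }

    # 2. Scheduled tasks whose name or action command line mentions 'ClockRemoval'
    Get-ScheduledTask | Where-Object {
        $_.TaskName -match 'ClockRemoval' -or
        (($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match 'ClockRemoval')
    } | ForEach-Object {
        $findings += "Scheduled task references ClockRemoval: $($_.TaskPath)$($_.TaskName)"
    }

    # 3. Active (non-comment) hosts-file lines pointing AV vendor domains anywhere at all
    #    Assumption: vendor pattern derived from the four vendors named in the summary.
    $hostsPath     = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $vendorPattern = 'malwarebytes|kaspersky|mcafee|eset'
    Get-Content -Path $hostsPath |
        Where-Object { $_ -notmatch '^\s*#' -and $_ -match $vendorPattern } |
        ForEach-Object { $findings += "hosts entry blocks AV vendor: $($_.Trim())" }

    # Report: any hit warrants a closer look at the host (and at the installer that put it there)
    if ($findings.Count -eq 0) {
        Write-Output 'No MbRemoval / ClockRemoval / hosts-file artefacts found.'
    } else {
        $findings | ForEach-Object { Write-Output "[!] $_" }
    }
    return $findings
}

Invoke-AvKillerHunt
```

Run it from an elevated PowerShell session so the root/subscription namespace and the hosts file are readable; the function returns the list of findings, which makes it easy to wrap in a fleet-wide remote job.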