Virtual Event Today: Cloud & Data Security Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

$10 Domain Could Have Handed Hackers 25k Endpoints, Including in OT and Gov Networks

Researchers found adware capable of killing cybersecurity products and pushing more dangerous payloads to infected systems.

Global cyberattack

Researchers at Huntress have uncovered a sophisticated threat hidden within what appeared to be adware, revealing that a single unregistered domain available for as little as $10 could have granted malicious actors silent control over more than 25,000 compromised endpoints worldwide.

The software at the center of the investigation is signed by Dragon Boss Solutions, which describes itself as a search monetization research firm based in the United Arab Emirates. 

Though long categorized as a potentially unwanted program (PUP) with browser hijacking capabilities, an analysis by Huntress researchers found that the software had quietly evolved into something far more dangerous.

Starting in March 2025, Huntress analysts observed it deploying a PowerShell-based payload that runs with elevated privileges to disable cybersecurity products, block their update servers, and prevent their reinstallation.

The malware achieves persistence through five scheduled tasks and WMI event subscriptions that survive reboots. It also adds Windows Defender exclusions for directories used to stage future payloads, which could include cryptominers, ransomware, or infostealers.

The most alarming discovery was in the software’s update configuration. The primary domain used to deliver payload updates (chromsterabrowser[.]com) was unregistered. Anyone who purchased it could have served arbitrary code to every affected host, with no exploitation required, since antivirus protection was already disabled on those machines.

Advertisement. Scroll to continue reading.

Huntress registered the domain before anyone else could, pointed it to a sinkhole, and monitored the results. Roughly 25,000 unique IP addresses — representing real endpoints in production environments that were seeking update instructions — reached out. 

The infections spanned 124 countries, with the United States accounting for more than 12,000 hosts, followed by France, Canada, the United Kingdom, and Germany, each with roughly 2,000 hosts.

The scale of infection among high-value targets proved particularly concerning. Of the hosts observed, 324 belonged to sensitive networks, including 221 universities and colleges, 41 operational technology (OT) networks, 35 government entities, and three healthcare organizations. 

The identified OT networks belonged to electric utilities, transport providers, power cooperatives, and critical infrastructure. Multiple Fortune 500 companies were also identified among the affected networks.

Huntress has urged organizations to hunt for indicators of compromise (IoCs) to detect potential impact from this campaign.

Related: CPUID Hacked to Serve Trojanized CPU-Z and HWMonitor Downloads

Related: Fake Claude Website Distributes PlugX RAT

Related: US Disrupts Russian Espionage Operation Involving Hacked Routers and DNS Hijacking

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Jazz has named Sean Robinson, Rickie Goyal, Danielle Guetta, Shani Nago, and Lior Magram as VPs and Michael Calev as COO.

AJ Shipley has been appointed Chief Product Officer at CrowdStrike.

Brinqa has named Ron Dovich as Chief AI and Automation Officer, David Allen as CTO, Steve Biagioni as CFO, and James Walta as VP of Product.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.