Researchers at Huntress have uncovered a sophisticated threat hidden within what appeared to be adware, revealing that a single unregistered domain available for as little as $10 could have granted malicious actors silent control over more than 25,000 compromised endpoints worldwide.
The software at the center of the investigation is signed by Dragon Boss Solutions, which describes itself as a search monetization research firm based in the United Arab Emirates.
Though long categorized as a potentially unwanted program (PUP) with browser hijacking capabilities, an analysis by Huntress researchers found that the software had quietly evolved into something far more dangerous.
Starting in March 2025, Huntress analysts observed it deploying a PowerShell-based payload that runs with elevated privileges to disable cybersecurity products, block their update servers, and prevent their reinstallation.
The malware achieves persistence through five scheduled tasks and WMI event subscriptions that survive reboots. It also adds Windows Defender exclusions for directories used to stage future payloads, which could include cryptominers, ransomware, or infostealers.
The most alarming discovery was in the software’s update configuration. The primary domain used to deliver payload updates (chromsterabrowser[.]com) was unregistered. Anyone who purchased it could have served arbitrary code to every affected host, with no exploitation required, since antivirus protection was already disabled on those machines.
Huntress registered the domain before anyone else could, pointed it to a sinkhole, and monitored the results. Roughly 25,000 unique IP addresses — representing real endpoints in production environments that were seeking update instructions — reached out.
The infections spanned 124 countries, with the United States accounting for more than 12,000 hosts, followed by France, Canada, the United Kingdom, and Germany, each with roughly 2,000 hosts.
The scale of infection among high-value targets proved particularly concerning. Of the hosts observed, 324 belonged to sensitive networks, including 221 universities and colleges, 41 operational technology (OT) networks, 35 government entities, and three healthcare organizations.
The identified OT networks belonged to electric utilities, transport providers, power cooperatives, and critical infrastructure. Multiple Fortune 500 companies were also identified among the affected networks.
Huntress has urged organizations to hunt for indicators of compromise (IoCs) to detect potential impact from this campaign.
Related: CPUID Hacked to Serve Trojanized CPU-Z and HWMonitor Downloads
Related: Fake Claude Website Distributes PlugX RAT
Related: US Disrupts Russian Espionage Operation Involving Hacked Routers and DNS Hijacking
