'Harmless' Global Adware Transforms Into an AV Killer

A benign-looking update that Dragon Boss pushed out in March 2025 established persistence via scheduled tasks and arranged for future payloads to be excluded from Windows Defender.


A routine software update turned an adware program into an antivirus (AV) destroyer, priming nearly 24,000 computer systems on five continents for follow-on cyberattacks.

People tend to view adware, and other forms of potentially unwanted programs (PUPs), as little more than a lowly annoyance. It doesn't help that PUPs is such a cute acronym, and that the name "potentially unwanted programs" is an unnecessarily polite misnomer for what these programs actually are: malware, masquerading as legal software.

One threat actor, disguised as a corporation, did its best last year to show the world what these niggling programs are truly capable of. After infecting a couple of tens of thousands of mildly annoyed individuals and organizations worldwide, it pushed a malicious update that turned its adware into straight-up malware. Thankfully, with $10 and a little bit of gumption, researchers at Huntress identified and sinkholed the malware's primary update domain, mitigating further damage.

Adware Campaign Turns Dangerous

The threat actor behind this campaign, Dragon Boss Solutions LLC, claims to be a registered company based in the United Arab Emirates (UAE). Its Crunchbase profile states that it "engages in research to find the best Search Monetization Solutions for Browser Extensions, Software and Desktop Applications," which is a fancy way of saying that it runs adware in browsers and apps. Its adware is typically flagged by antivirus (AV) programs, and about a year ago, its proprietors decided to do something to fix that.

Dragon Boss PUPs use a ubiquitous but surprisingly little-known program called "Advanced Installer" to organize all their files and such into a smooth installation process. One of Advanced Installer's most helpful features is its update tool, which automatically, periodically checks for new updates to Advanced Installer-packaged programs. In the early morning hours of March 22, 2025, Dragon Boss pushed an update to all its instances worldwide.

The payload concealed in that update was designed to disable security tools that recognize and flag Dragon Boss adware, including AVs from ESET, McAfee, Kaspersky, and Malwarebytes. For good measure, it also established persistence via scheduled tasks, arranged for any future payloads to be excluded from Windows Defender, and more. Huntress researchers speculated this payload may have been written with help from an artificial intelligence (AI) tool, as all of its malicious actions are neatly described in inline code comments.
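The three behaviours described above (Defender exclusions, tampered third-party AV services, and new scheduled tasks) are all visible from the endpoint. The following audit script is an added example for defenders, not code from the article, from Huntress, or from the Dragon Boss payload. It uses only built-in Windows cmdlets; the service-name fragments for the named AV vendors and the seven-day look-back window are assumptions to adjust for your own estate.

```powershell
# Added example (not from the article, Huntress, or Dragon Boss): audit a Windows host
# for Defender exclusions, disabled third-party AV services, and recently created
# scheduled tasks. Run in an elevated PowerShell session.

function Get-DefenderExclusionReport {
    # Get-MpPreference is the built-in Defender cmdlet; empty lists are the expected baseline
    $pref = Get-MpPreference
    [pscustomobject]@{
        Paths      = @($pref.ExclusionPath)
        Extensions = @($pref.ExclusionExtension)
        Processes  = @($pref.ExclusionProcess)
    }
}

function Get-DefenderConfigChangeEvents {
    param([int]$Days = 7)   # look-back window is an assumption
    # Event ID 5007 in the Defender operational log records configuration changes,
    # including exclusion additions; keep only events that mention Exclusions.
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message
}

function Get-ThirdPartyAvServiceState {
    # Assumed name fragments for the vendors named in the article (ESET, McAfee,
    # Kaspersky, Malwarebytes); a matching service that is Stopped or Disabled after a
    # PUP update deserves a closer look.
    param([string[]]$Patterns = @('ekrn', 'McAfee', 'mfe', 'AVP', 'klnagent', 'MBAMService', 'Malwarebytes'))
    Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $n = $_.Name; $Patterns | Where-Object { $n -like "*$_*" } } |
    Select-Object Name, DisplayName, Status, StartType
}

function Get-RecentScheduledTasks {
    param([int]$Days = 7)   # look-back window is an assumption
    $since = (Get-Date).AddDays(-$Days)
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        # The task XML carries the creation time in RegistrationInfo/Date (absent for some built-ins)
        $xml = [xml](Export-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath)
        $created = $xml.Task.RegistrationInfo.Date
        if ($created -and [datetime]$created -gt $since) {
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                Created  = $created
                Action   = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            }
        }
    }
}

# Run the audit and print each section
'== Defender exclusions ==';            Get-DefenderExclusionReport | Format-List
'== Defender config changes (5007) =='; Get-DefenderConfigChangeEvents | Format-Table -Wrap
'== Third-party AV services ==';        Get-ThirdPartyAvServiceState | Format-Table -AutoSize
'== Scheduled tasks created recently =='; Get-RecentScheduledTasks | Format-Table -AutoSize
```

On a clean workstation the exclusion lists are empty and the 5007 query returns nothing; any exclusion path that points at a vendor directory under Program Files or AppData, or a new task whose action launches something from that same directory, is the signature the article describes and should be correlated with the installer's update time.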

By disabling AV solutions and establishing persistence, the adware could more effectively go about its business without interruption. Out of context, though, it looked just like a threat actor backdooring thousands of systems worldwide, setting the stage for follow-on cyberattacks. With another update, Dragon Boss could have easily uploaded ransomware, a botnet, or any other sort of malicious payload to infected systems.

Even if the threat actor lacked the intent to do so, any other threat actor could have. Each instance of Dragon Boss adware had a primary URL from which it pulled updates, and a backup. When researchers looked into it, they found that the implants were receiving updates from a secondary domain, while their primary was left inexplicably unregistered. That meant that anyone who knew where to look could identify from whence all these implants were receiving instructions, register that domain for pocket change, and instantly push their own malware to a free set of victims.
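The dangling primary update domain is a check a defender can run on any software that self-updates: take the update URLs the program is configured to use and confirm that each host actually resolves. The function below is an added example, not Huntress's tooling; it assumes you have already extracted the update URLs from the installer's configuration, and the sample URLs are constructed placeholders rather than the campaign's real domains.

```powershell
# Added example (not Huntress's code): flag update-source hosts that do not resolve.
# Requires the DnsClient module that ships with Windows (Resolve-DnsName).

function Test-UpdateSourceResolution {
    param([Parameter(Mandatory)][string[]]$Url)
    foreach ($u in $Url) {
        $hostName = ([uri]$u).Host
        # A-record lookup; SilentlyContinue turns NXDOMAIN into $null instead of an error
        $answer = Resolve-DnsName -Name $hostName -Type A -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Url       = $u
            Host      = $hostName
            Resolves  = [bool]$answer
            Addresses = ($answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ', '
        }
    }
}

# Constructed sample input: a primary and a backup update URL (placeholders, not real domains)
$sampleUrls = @(
    'https://updates.primary-placeholder.invalid/updates.txt',
    'https://updates.backup-placeholder.invalid/updates.txt'
)
Test-UpdateSourceResolution -Url $sampleUrls | Format-Table -AutoSize
```

A host that does not resolve is a prompt, not a verdict: the domain may simply lack an A record while still being registered, so the authoritative follow-up is a WHOIS or registry lookup on the apex domain. The point of the check is that a primary update source nobody owns is exactly the condition that let the researchers, for $10, take over the campaign's update channel.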

The Huntress researchers did so first, sinkholing the campaign. In doing so, they discovered that Dragon Boss's adware had spread to more than 23,500 computers in 124 countries, although half were based in the US, and most of the others in similarly wealthy Western countries. Though only a small percentage of the total, a number of high-value organizations were among the lot, including 35 government entities, 41 operational technology (OT) networks, 221 higher education institutions, and some Fortune 500 companies.

Ryan Dowd, principal security operations center analyst for Huntress, notes that "most instances had been present on the device dating back to as early as 2022, and accompanied by other PUPs, suggesting that it may have been bundled adware," but there isn't any proof one way or the other.

The Thin Line Between Adware and Malware

"The distinction between a PUP and traditional malware often relies on a thin line of user consent and technical intent, rather than the capabilities of the code itself," Dowd says. "In most cases, these types of programs fly under the radar of endpoint detection and response (EDR) as they want to persist and survive, in order to generate their revenue," but that's not always the case. Adware, in particular, has long blurred the line between grey and black hat behavior.

Besides the Dragon Boss approach, "There's a long and storied history of adware secretly delivering malware and ransomware through the ads," says ad fraud crusader Dr. Augustine Fou, creator of FouAnalytics. "This technique is particularly effective for perps and particularly hard to detect for researchers."

"For example, by geofencing a particular hospital, threat actors can surgically deliver ads laced with ransomware code to doctors surfing normal Web pages during their lunch break from an office computer at the hospital," he explains. "Often the malicious ads use the ad creative from reputable advertisers, like McDonald's, to look harmless; but the advertisers have no idea this is happening."

If your organization has been hit hard by cyberattacks before, or if you'd just like to be extra careful, his advice is simple: "Block all ads from all computers on your network."
