Signed Adware Operation Disables Antivirus Across 23,000 Hosts

Infosecurity Magazine, Apr 15, 2026

Why It Matters

By neutralizing endpoint protection at scale, the operation opens critical networks—including universities, utilities and government agencies—to secondary attacks, eroding trust in code‑signing and forcing organizations to rethink defensive layers.

Key Takeaways

  • Dragon Boss used signed code to disable AV on 23k+ hosts
  • Payload kills, uninstalls, blocks reinstall of major antivirus products
  • Attack persists via scheduled tasks and WMI event subscriptions
  • Sinkhole captured 23,565 IPs in 124 countries, 54% US
  • Infrastructure could deliver ransomware, cryptomining, or data theft

Pulse Analysis

The Dragon Boss campaign illustrates how threat actors can weaponize legitimate code‑signing certificates to bypass traditional security controls. By leveraging an off‑the‑shelf update framework built with Advanced Installer, the attackers deliver a PowerShell script—ClockRemoval.ps1—that runs with SYSTEM rights and systematically terminates processes belonging to Malwarebytes, Kaspersky, McAfee and ESET. The script not only kills the antivirus binaries but also invokes vendor uninstallers, strips registry entries and rewrites the hosts file to block update traffic. Such a multi‑vector approach makes detection difficult, especially when the payload masquerades as a signed update.

The scale of the operation is evident from the sinkhole data: over 23,500 unique IPs from 124 nations contacted the malicious update server within a single day, with the United States contributing more than half of the requests. Infections span 221 academic institutions, 41 operational‑technology networks—including electric utilities—35 government bodies and several healthcare providers. With the primary defense layer disabled, these high‑value environments become prime targets for follow‑on ransomware, cryptomining or data‑exfiltration campaigns, dramatically raising the potential impact of a single compromise.

For the broader security ecosystem, this incident underscores the fragility of trust placed in code‑signing certificates and the need for layered verification. Organizations should augment endpoint protection with behavior‑based monitoring, enforce strict application whitelisting, and regularly audit scheduled tasks and WMI subscriptions for anomalous activity. Threat‑intel sharing platforms can accelerate detection of similar update‑server abuse, while certificate authorities may need to tighten issuance policies for software that performs system‑level changes. Proactive hardening now can prevent the next stage of the Dragon Boss operation from turning a silent AV kill into a full‑blown ransomware outbreak.
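The report's persistence mechanisms (scheduled tasks and WMI event subscriptions) and its recommendation to audit them can be turned into a concrete host check. The following is an added example written for this page, not code from the article or from the campaign; the `$suspect` pattern is an assumed heuristic and should be tuned to the environment.

```powershell
# Added example, not from the article: audit the two persistence mechanisms the
# report names. Run in an elevated PowerShell session on the host being checked.
# $suspect is an assumed heuristic (script hosts and user-writable paths).
$suspect = 'powershell|pwsh|wscript|cscript|mshta|\.ps1|\.vbs|\\Temp\\|\\AppData\\'
$findings = @()

# 1. Permanent WMI event subscriptions: a filter (the trigger), a consumer (the
#    action) and a binding joining them, all stored in root\subscription.
$ns = 'root\subscription'
foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
    $f = Get-CimInstance -Namespace $ns -ClassName __EventFilter |
         Where-Object Name -eq $b.Filter.Name
    $c = Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
         Where-Object Name -eq $b.Consumer.Name
    # CommandLineEventConsumer carries a command; ActiveScriptEventConsumer carries script.
    $action = @($c.CommandLineTemplate, $c.ExecutablePath, $c.ScriptText, $c.ScriptFileName) -join ' '
    $findings += [pscustomobject]@{
        Source  = 'WMI'
        Name    = "$($f.Name) -> $($c.Name) [$($c.CimClass.CimClassName)]"
        Trigger = $f.Query
        Action  = $action.Trim()
        Flag    = $action -match $suspect
    }
}

# 2. Scheduled tasks: record what each action executes and which principal runs it.
foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        if (-not $a.Execute) { continue }   # COM-handler actions have no command line
        $cmd = "$($a.Execute) $($a.Arguments)"
        $findings += [pscustomobject]@{
            Source  = 'Task'
            Name    = "$($t.TaskPath)$($t.TaskName) (as $($t.Principal.UserId), $($t.Principal.RunLevel))"
            Trigger = ($t.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
            Action  = $cmd.Trim()
            Flag    = $cmd -match $suspect
        }
    }
}

# Permanent WMI subscriptions are rare on ordinary endpoints, so every one is
# listed; scheduled tasks are listed only when the action matched the heuristic.
$findings | Where-Object { $_.Source -eq 'WMI' -or $_.Flag } |
    Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Baseline the output on a known-clean build so that legitimate vendor tasks can be excluded and only new or changed entries need review.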
