
More than 25,000 systems were left exposed after Huntress researchers discovered that adware distributed by Dragon Boss Solutions used an insecure software update channel that could have been hijacked for as little as $10.
- What looked like just another adware app quietly left 25,000+ systems exposed through a software update channel no one secured.
- The real risk is what could have come next – researchers say that same update path could have delivered far more dangerous malware.
- It all traces back to a cheap, unclaimed domain that could have been picked up by anyone for about 10 bucks.
Huntress describes Dragon Boss Solutions – address listed in the United Arab Emirates (UAE) – as an “aggressive adware program” designed to redirect traffic and support search monetization for browser extensions and software.
The fake search engine-turned-browser hijacker is often spread through deceptive ads or bundled software, tricking users into installing it on their devices without even realizing it.
The Huntress blog, published on Tuesday, says the issue stemmed from an unregistered domain tied to the app’s update infrastructure – a domain that anyone could have purchased for about $10 and then used to push malicious updates to those infected devices.
What’s more, the adware, already flagged as a potentially unwanted program (PUP), is digitally signed, giving it an air of legitimacy that helps it bypass security controls and makes any malicious activity it triggers harder to detect.
Unsecured update path enables full takeover
Huntress said it first discovered the flaw on March 22nd after noticing the so-called “standard” adware started triggering alerts across multiple environments it manages.
Using the update mechanism as cover for a multi-stage attack chain, researchers say they observed the signed software “silently fetching and executing payloads capable of killing antivirus products, all while running with SYSTEM privileges.”
Not only did researchers witness the update mechanism establishing Windows Management Instrumentation (WMI) persistence, but they also saw the software’s deployed Windows Installer packages and PowerShell payloaders “disabling security applications, and blocking the reinstallation of protective software.”
The combination of trusted software and an exposed update path created what Huntress describes as a high-risk scenario – one that could have let attackers deploy everything from information stealers to ransomware across thousands of already compromised endpoints.
Huntress sinkholes domain, sees widespread check-ins
This is where the unregistered domain comes into play.
In simplest terms, the built-in update mechanism relies on a domain the adware treats as a control center to check for instructions.
The domain tells the update mechanism when there is an update, what to download, and what to execute – meaning whoever controlled that domain could control what the program downloaded and executed.
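To make the point above concrete, here is an added example (written for this article, not code from Huntress or from the adware) of the difference between an updater that trusts whatever its update domain returns and one that verifies a signed manifest against a public key pinned in the client, then checks the downloaded payload's digest before anything is run. The manifest layout, the Ed25519 scheme and the host updates.example.invalid are assumptions for the illustration; with a pinned key, taking over the DNS name is no longer enough to push code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a constructed example of what an update endpoint might publish:
// which version exists, where to fetch it, and what the payload must hash to.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"`
}

// SignedManifest carries the manifest bytes plus a detached Ed25519 signature.
type SignedManifest struct {
	Body      []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned key")
	ErrBadDigest    = errors.New("downloaded payload does not match the manifest digest")
)

// insecureParse is the weak pattern: whatever the update domain returns is accepted,
// so whoever controls the DNS name decides what the client downloads and runs.
func insecureParse(body []byte) (Manifest, error) {
	var m Manifest
	err := json.Unmarshal(body, &m)
	return m, err
}

// verifyManifest is the hardened pattern: the manifest must be signed by a key
// compiled into the client, so control of the domain alone is not enough.
func verifyManifest(pinned ed25519.PublicKey, sm SignedManifest) (Manifest, error) {
	if !ed25519.Verify(pinned, sm.Body, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return Manifest{}, err
	}
	return m, nil
}

// verifyPayload ties the downloaded bytes to the signed manifest before anything is executed.
func verifyPayload(m Manifest, payload []byte) error {
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrBadDigest
	}
	return nil
}

func main() {
	// Vendor side (constructed): the key pair is generated once; only pub ships inside the client.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed installer bytes")
	sum := sha256.Sum256(payload)
	body, _ := json.Marshal(Manifest{
		Version: "2.0.0",
		URL:     "https://updates.example.invalid/v2.msi", // placeholder host, not from the article
		SHA256:  hex.EncodeToString(sum[:]),
	})
	genuine := SignedManifest{Body: body, Signature: ed25519.Sign(priv, body)}

	// A manifest served by someone who holds the domain but not the vendor's private key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	foreign := SignedManifest{Body: []byte(`{"version":"9.9.9","url":"https://updates.example.invalid/other.msi","sha256":"00"}`)}
	foreign.Signature = ed25519.Sign(otherPriv, foreign.Body)

	// Weak client: both manifests are accepted; the version string is the only "check".
	for _, sm := range []SignedManifest{genuine, foreign} {
		m, _ := insecureParse(sm.Body)
		fmt.Printf("insecure client would fetch %s (version %s)\n", m.URL, m.Version)
	}

	// Hardened client: the foreign manifest is rejected before any download happens.
	if _, err := verifyManifest(pub, foreign); err != nil {
		fmt.Println("hardened client rejected foreign manifest:", err)
	}
	m, err := verifyManifest(pub, genuine)
	if err != nil {
		panic(err)
	}
	fmt.Println("hardened client accepted genuine manifest; payload check error:", verifyPayload(m, payload))
}
```

The digest check matters as much as the signature: a signed manifest that names a URL still leaves the payload unverified unless the client compares what it downloaded against the hash the vendor signed.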
Huntress said it defensively “registered and sinkholed” two exposed domains – chromsterabrowser[.]com (the main offender) and worldwidewebframework3[.]com – “baked into” the adware’s infrastructure, preventing anyone else from taking control of systems still checking in for updates or instructions.
That’s when Huntress began noticing the domains receiving connections from more than 25,000 systems, revealing a full-scale exposure.
Researchers said the large spike in traffic indicated that the vulnerable update mechanism was actively in use across a large number of machines.
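The same check-in traffic is visible from the inside of a network: any host still resolving either sinkholed domain is still running the updater. The following added example (not code from the Huntress blog) scans DNS query logs for the two domain names the article reports, matches subdomains while ignoring look-alikes, and counts distinct internal clients per domain, the same "unique IP" view Huntress reports from its sinkhole. The log format and the client addresses are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// The two domains the article says Huntress registered and sinkholed, written
// undefanged so they can be compared against real query names.
var watchlist = []string{
	"chromsterabrowser.com",
	"worldwidewebframework3.com",
}

// Hit is one DNS query that matched the watchlist.
type Hit struct {
	Timestamp string
	SourceIP  string
	Query     string
	Domain    string // the watchlist entry that matched
}

// matchesWatchlist returns the watched domain a query name falls under, or "".
// Matching is case-insensitive, ignores a trailing dot, and includes subdomains
// (update.chromsterabrowser.com) but not look-alikes (notchromsterabrowser.com)
// or names that merely contain the domain (chromsterabrowser.com.example.test).
func matchesWatchlist(qname string) string {
	q := strings.ToLower(strings.TrimSuffix(qname, "."))
	for _, d := range watchlist {
		if q == d || strings.HasSuffix(q, "."+d) {
			return d
		}
	}
	return ""
}

// scanDNSLog reads lines in the constructed format
//
//	<timestamp> <client-ip> <query-name> <query-type>
//
// and returns every hit plus the number of distinct clients per watched domain.
func scanDNSLog(log string) ([]Hit, map[string]int) {
	var hits []Hit
	clients := map[string]map[string]struct{}{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 3 || strings.HasPrefix(f[0], "#") {
			continue
		}
		d := matchesWatchlist(f[2])
		if d == "" {
			continue
		}
		hits = append(hits, Hit{Timestamp: f[0], SourceIP: f[1], Query: f[2], Domain: d})
		if clients[d] == nil {
			clients[d] = map[string]struct{}{}
		}
		clients[d][f[1]] = struct{}{}
	}
	counts := map[string]int{}
	for d, ips := range clients {
		counts[d] = len(ips)
	}
	return hits, counts
}

// sampleLog is constructed for this example; it is not real telemetry.
const sampleLog = `# ts client qname qtype
2025-01-15T10:00:01Z 10.0.4.17 update.chromsterabrowser.com. A
2025-01-15T10:00:05Z 10.0.4.17 chromsterabrowser.com. A
2025-01-15T10:01:13Z 10.0.9.2 worldwidewebframework3.com A
2025-01-15T10:02:40Z 10.0.4.31 www.example.com A
2025-01-15T10:03:02Z 10.0.7.8 chromsterabrowser.com.example.test A
2025-01-15T10:04:19Z 10.0.5.5 Chromsterabrowser.COM A
`

func main() {
	hits, counts := scanDNSLog(sampleLog)
	for _, h := range hits {
		fmt.Printf("%s %s -> %s (matched %s)\n", h.Timestamp, h.SourceIP, h.Query, h.Domain)
	}
	domains := make([]string, 0, len(counts))
	for d := range counts {
		domains = append(domains, d)
	}
	sort.Strings(domains)
	for _, d := range domains {
		fmt.Printf("%s: %d distinct internal client(s) still checking in\n", d, counts[d])
	}
}
```

Counting distinct client addresses rather than raw queries is what turns a noisy log into a host list to act on; each address in the count is a machine that still has the updater installed, whoever now answers for the domain.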
Supply-chain style risk highlights ongoing threat
Over the 24-hour monitoring period, Huntress said its sinkhole infrastructure captured 23,565 unique IP addresses still attempting to communicate with the malicious infrastructure.
The infected hosts were detected across 124 countries, with most found in the following nations:
- United States - 12,697 hosts (53.9%)
- France - 2,803 hosts (11.9%)
- Canada - 2,380 hosts (10.1%)
- United Kingdom - 2,223 hosts (9.4%)
- Germany - 2,045 hosts (8.7%)
Huntress also identified 324 infections within high-value target networks, including the networks of multiple Fortune 500 companies, as well as:
- 245 Educational institutions across North America, Europe, and Asia
- 41 Operational Technology networks - Electric utilities, power cooperatives, transport networks, and critical infrastructure providers
- 35 Government entities - Municipal governments, state agencies, and public utilities
- 3 Healthcare organizations - Hospital systems and healthcare providers
While Huntress said there was no evidence that the update channel was actively hijacked before it uncovered the threat, researchers say the scenario represents a classic supply-chain attack path, in which trusted software becomes the delivery mechanism for malicious code.
The researchers warn that even low-cost infrastructure oversights – such as failing to maintain ownership of a domain – can create high-impact security risks when linked to widely distributed software.
The blog lays out the research in detail, including the payload, indicators of compromise (IOCs), and network detection tactics for defenders.