Security researchers have uncovered a worrying campaign in which a set of programs that were in principle classified as potentially unwanted programs (PUP) did more than show ads: they hid an update chain capable of delivering payloads that run with SYSTEM privileges and that left machines without antivirus protection. According to the teams that analysed the case, on a single day more than 23,500 machines in 124 countries tried to contact the operator's infrastructure, including hundreds located in high-value networks such as universities, public service providers, government bodies and healthcare centres.
What started as adware ended up behaving like a defence disabler. The samples analysed were digitally signed by an entity operating under the name Dragon Boss Solutions LLC and promoted supposed "browsers" (names such as Chromstera, Chromnius, WorldWideWeb, Web Genius or Artificius Browser) that, in practice, several security solutions detected as PUP. The analysis revealed that these installers incorporated a commercial update mechanism, built with the Advanced Installer tool, that could download and install MSI packages and PowerShell scripts completely silently and with privilege elevation. More information about Advanced Installer's updater is available in its official documentation: https://www.advancedinstaller.com/user-guide/tutorial-update.html.

The remote installer downloaded by this mechanism was disguised (for example, a Setup.msi file presented as an image) and, although on community analysis platforms such as VirusTotal it was flagged by only a few engines, its content included legitimate Advanced Installer components together with a configuration file containing custom actions. Before deploying its main payload, the MSI performed reconnaissance of the host: it checked whether the process was running with administrative privileges, whether the environment was a virtual machine, whether it had Internet access and which antivirus solutions were present in the registry (researchers saw checks aimed at products from vendors such as Malwarebytes, Kaspersky, McAfee and ESET).
The disabling routine took the form of a PowerShell script that analysts named ClockRemoval.ps1, which was stored in multiple locations and configured to run at system start-up, at logon and periodically every half hour. This script did not limit itself to stopping processes or services: it tried to uninstall security products silently, deleted associated folders and registry entries, forced removal when the uninstallers failed, and blocked reinstallation or updating by the vendors by modifying the hosts file or nullifying their domains (redirecting them to 0.0.0.0). In addition, the attacker appeared to avoid interfering with legitimate browser installers, such as Chrome, Edge, Firefox or Opera, to ensure the persistence of its modifications and redirections.
A critical detail in this incident is that the main domains used by the update functionality were not registered by the operator; that left thousands of machines looking for instructions at domain names that were free to register. The researchers took advantage of this situation to register the main domain, which allowed them to observe tens of thousands of outgoing connections from compromised machines and, at the same time, to prevent a third party from taking over the domain and sending arbitrary commands or payloads to already unprotected hosts. This kind of takeover of an update domain is a delicate defensive intervention that has been used in previous investigations to prevent further escalation.
The scope identified by analysts included hundreds of machines in strategic networks: a significant volume in academic institutions across several regions, industrial and transport control systems, public administrations and some healthcare environments. Although at the time of discovery the main payload was focused on disabling security solutions and generating advertising revenue, researchers warn that the infrastructure and delivery mechanism could put any network at risk: if a malicious actor took control of the update domain, it could distribute far more harmful software to thousands of machines that no longer have active protection.
For IT and incident response teams, the published analyses provide practical indicators that should be reviewed immediately: search for processes signed by Dragon Boss Solutions LLC, inspect WMI event subscriptions containing strings such as "MbRemoval" or "MbSetup", and check scheduled tasks that reference names such as "WMiload" or "ClockRemoval". It is also recommended to audit the hosts file for entries that block security vendor domains and to review Microsoft Defender exclusions for unusual paths (e.g., entries that start with "DGoogle", "EMicrosoft" or "DDapps"). To better understand how to manage exclusions in Defender, see the official Microsoft documentation: https://learn.microsoft.com.
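As an added example (not code from the article, from Huntress or from the vendors mentioned), the following PowerShell triage script checks a single host for the indicators listed above and for the hosts-file blocking described earlier. It assumes it is run in an elevated session; the hosts-file check is limited to the four vendors named in the article, and the set of WMI classes inspected, the output format and the loopback/0.0.0.0 pattern are this example's own choices.

```powershell
# Added triage script (not Huntress's or the article's own code). Run in an elevated
# PowerShell session on the host being checked. Indicator strings are the ones quoted
# in the article; the vendor domain list is an assumption limited to the vendors named.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. Running processes whose Authenticode signer is Dragon Boss Solutions LLC
Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
    if ($sig -and $sig.SignerCertificate -and
        $sig.SignerCertificate.Subject -match 'Dragon Boss Solutions') {
        Add-Finding 'SignedProcess' "$($_.ProcessName) (PID $($_.Id)) $($_.Path)"
    }
}

# 2. WMI permanent event subscriptions (filters, consumers, bindings) whose
#    properties mention the MbRemoval / MbSetup strings
foreach ($class in '__EventFilter', 'CommandLineEventConsumer',
                   'ActiveScriptEventConsumer', '__FilterToConsumerBinding') {
    Get-CimInstance -Namespace 'root/subscription' -ClassName $class -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = ($_ | Format-List -Property * | Out-String)
            if ($text -match 'MbRemoval|MbSetup') {
                Add-Finding 'WmiSubscription' "$class : $($_.Name)"
            }
        }
}

# 3. Scheduled tasks whose name or actions reference WMiload / ClockRemoval
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    if ("$($_.TaskName) $actions" -match 'WMiload|ClockRemoval') {
        Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName) -> $actions"
    }
}

# 4. hosts file entries that point security vendor domains at 0.0.0.0 or loopback
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$vendorPattern = 'malwarebytes|kaspersky|mcafee|eset'   # assumption: vendors named in the article
Get-Content -Path $hostsPath -ErrorAction SilentlyContinue | ForEach-Object {
    $entry = ($_ -split '#', 2)[0].Trim()                 # strip trailing comments
    if ($entry -match '^(0\.0\.0\.0|127\.0\.0\.1|::1)\s+(\S+)' -and
        $Matches[2] -match $vendorPattern) {
        Add-Finding 'HostsFile' $entry
    }
}

# 5. Defender exclusions containing the unusual prefixes quoted in the article
$prefs = Get-MpPreference -ErrorAction SilentlyContinue
if ($prefs) {
    $exclusions = @($prefs.ExclusionPath) + @($prefs.ExclusionProcess) + @($prefs.ExclusionExtension)
    foreach ($exclusion in $exclusions) {
        if ($exclusion -and $exclusion -match 'DGoogle|EMicrosoft|DDapps') {
            Add-Finding 'DefenderExclusion' $exclusion
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No indicators from the Dragon Boss Solutions report were found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Save it as a .ps1 file and run it under an execution policy that allows local scripts. Each row is a lead to verify by hand rather than a confirmed compromise: the WMI and scheduled-task checks match on substrings, and a hosts-file or exclusion hit should be compared against what the vendor's own installer would normally write before the machine is treated as tampered with.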

Although the technical description may sound complex, the central idea is simple: a component that initially seems harmless can become a powerful backdoor if it incorporates an update mechanism with high privileges and remote access. Therefore, beyond point detection and removal, organisations must strengthen their digital hygiene: control which signers and vendors are allowed to install software, limit privilege elevation through policy, monitor their update channels and maintain response procedures that let them recover machines that have lost their defences.
Public reports of this incident include the work of the company that detected it and coverage in specialised media. To follow the original notes and technical analyses, see the main page of Huntress, the firm that investigated the case, as well as the outlets that gathered additional information and context: https://www.huntress.com/ and the technical news site BleepingComputer. The MSI file from the analysis appears on VirusTotal and can be examined from that platform: VirusTotal: MSI hash. For general information on the consequences of modifying the hosts file and why attackers use it to block updates, Microsoft's technical documentation is a reference resource: edit the hosts file on Windows.
In short, this case is a reminder that malicious actors do not always need to deploy complex Trojans from the start: sometimes a signed piece of software that abuses a legitimate update mechanism is enough to turn off the lights of a network and prepare the ground for larger threats. Maintaining software control policies, monitoring unusual update patterns and responding promptly to signs of AV deactivation are measures that today can avert a crisis tomorrow.