An instant software update turned an adware program into an antivirus (AV) destroyer, priming nearly 24,000 computer systems on five continents for follow-on cyberattacks.

People tend to view adware, and other forms of potentially unwanted programs (PUPs), as little more than a lowly annoyance. It doesn't help that PUPs is such a cute acronym, and that the name "potentially unwanted programs" is an unnecessarily polite misnomer for what these programs actually are: malware masquerading as legitimate software.

One threat actor, disguised as a corporation, did its best last year to show the world what these niggling programs are truly capable of. After infecting a couple of tens of thousands of mildly annoyed individuals and organizations worldwide, it pushed a malicious update that turned its adware into straight-up malware. Thankfully, with $10 and a little bit of gumption, researchers at Huntress identified and sinkholed the malware's primary update domain, mitigating further damage.

Adware Campaign Turns Dangerous

The threat actor behind this campaign, Dragon Boss Solutions LLC, claims to be a registered company based in the United Arab Emirates (UAE). Its Crunchbase profile states that it "engages in research to find the best Search Monetization Solutions for Browser Extensions, Software and Desktop Applications," which is a fancy way of saying that it runs adware in browsers and apps. Its adware is typically flagged by antivirus (AV) programs, and about a year ago, its proprietors decided to do something about that.

Dragon Boss PUPs use a ubiquitous but surprisingly little-known program called "Advanced Installer" to package their files into a smooth installation process. One of Advanced Installer's most helpful features is its update tool, which automatically and periodically checks for new updates to Advanced Installer-packaged programs. That same updater is the channel through which the campaign's adware later received its malicious payload.
In the early morning hours of March 22, 2025, Dragon Boss pushed an update to all its instances worldwide.

The payload concealed in that update was designed to disable security tools that recognize and flag Dragon Boss adware, including AVs from ESET, McAfee, Kaspersky, and Malwarebytes. For good measure, it also established persistence via scheduled tasks, arranged for any future payloads to be excluded from Windows Defender, and more. Huntress researchers speculated that this payload may have been written with help from an artificial intelligence (AI) tool, as all of its malicious actions are neatly described in inline code comments.

By disabling AV solutions and establishing persistence, the adware could more effectively go about its business without interruption. Out of context, though, it looked just like a threat actor backdooring thousands of systems worldwide, setting the stage for follow-on cyberattacks. With another update, Dragon
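The three payload behaviors described above (stopping the named AV products, scheduled-task persistence, and Windows Defender exclusions) each leave a trace in standard Windows event logs: Security event 4688 records process creation with its command line (only if the "Include command line in process creation events" audit policy is enabled), Security event 4698 records scheduled-task creation, and the Microsoft-Windows-Windows Defender/Operational log records every configuration change, exclusions included, as event 5007. The Python below is an added example, not code from the article or from Huntress, that runs simple detection rules for those three behaviors over constructed event records. The vendor-to-process-name mapping (ekrn, mcshield, avp, MBAMService), the flattened field names (CommandLine, TaskName, Command, NewValue), and the sample records are assumptions made for illustration; a real pipeline would extract those fields from the event XML.

```python
"""Toy detection rules for the three behaviours the article attributes to the
Dragon Boss payload: AV service tampering, scheduled-task persistence and
Windows Defender exclusions. Added example; not code from the article or Huntress."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Process/service names commonly associated with the AV vendors the article names.
# This mapping is an illustrative assumption, not something the article states.
AV_PROCESSES = {
    "ekrn": "ESET",
    "mcshield": "McAfee",
    "avp": "Kaspersky",
    "mbamservice": "Malwarebytes",
}

# Command-line verbs that stop, delete or reconfigure a service, or kill a process.
TAMPER_VERBS = re.compile(
    r"\b(sc(?:\.exe)?\s+(?:stop|delete|config)|net(?:\.exe)?\s+stop|taskkill|Stop-Service|Set-Service)\b",
    re.IGNORECASE,
)

# A scheduled task whose action lives in a user-writable directory is a classic
# persistence pattern for software that was never installed by an administrator.
USER_WRITABLE = re.compile(r"\\(?:AppData|ProgramData|Temp|Users\\Public)\\", re.IGNORECASE)


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def analyze(events: List[Dict]) -> List[Finding]:
    """Apply the three rules to already-parsed event records (field names are assumed)."""
    findings: List[Finding] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 5007:
            # An exclusion appears as a new value under
            # ...\Windows Defender\Exclusions\(Paths|Processes|Extensions).
            new_value = ev.get("NewValue", "")
            if "\\exclusions\\" in new_value.lower():
                findings.append(Finding(eid, "defender_exclusion_added", new_value))
        elif eid == 4698:
            command = ev.get("Command", "")
            if USER_WRITABLE.search(command):
                findings.append(Finding(eid, "scheduled_task_from_user_writable_path",
                                        f"{ev.get('TaskName', '?')} -> {command}"))
        elif eid == 4688:
            cmdline = ev.get("CommandLine", "")
            if TAMPER_VERBS.search(cmdline):
                lowered = cmdline.lower()
                for proc, vendor in AV_PROCESSES.items():
                    if proc in lowered:
                        findings.append(Finding(eid, "av_service_tamper",
                                                f"{vendor} ({proc}): {cmdline}"))
    return findings


# Constructed sample records (not real telemetry): three malicious, three benign.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4688, "CommandLine": r'powershell.exe -c "Stop-Service -Name MBAMService -Force"'},
    {"EventID": 4688, "CommandLine": r"C:\Windows\System32\notepad.exe report.txt"},
    {"EventID": 4698, "TaskName": r"\Updater\DailyCheck",
     "Command": r"C:\Users\alice\AppData\Local\Updater\upd.exe /silent"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Command": r"C:\Windows\System32\defrag.exe -c -h -o -$"},
    {"EventID": 5007, "NewValue": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\Updater = 0x0"},
    {"EventID": 5007, "NewValue": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScheduleDay = 0x2"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.rule}: {f.detail}")
```

Run on the sample records, the script reports exactly the three malicious events and ignores the benign ones. The rules are deliberately narrow: the 4688 rule fires only when a tampering verb and a known AV process name appear together, which keeps ordinary service management quiet, and the 5007 rule keys on the Exclusions registry branch rather than on any Defender change, since Defender logs a 5007 for routine updates too.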