Researchers at Huntress have uncovered a sophisticated threat hidden within what appeared to be adware, revealing that a single unregistered domain available for as little as $10 could have granted malicious actors silent control over more than 25,000 compromised endpoints worldwide.
The software at the center of the investigation is signed by Dragon Boss Solutions, which describes itself as a search monetization research firm based in the United Arab Emirates.
Though long categorized as a potentially unwanted program (PUP) with browser hijacking capabilities, an analysis by Huntress researchers found that the software had quietly evolved into something far more dangerous.
Starting in March 2025, Huntress analysts observed it deploying a PowerShell-based payload that runs with elevated privileges to disable cybersecurity products, block their update servers, and prevent their reinstallation.
The malware achieves persistence through five scheduled tasks and WMI event subscriptions that survive reboots. It also adds Windows Defender exclusions for directories used to stage future payloads, which could include cryptominers, ransomware, or infostealers.
The most alarming discovery was in the software’s update configuration. The primary domain used to deliver payload updates (chromsterabrowser[.]com) was unregistered. Anyone who purchased it could have served arbitrary code to every affected host, with no exploitation required, since antivirus protection was already disabled on those machines................
www.securityweek.com
The software at the center of the investigation is signed by Dragon Boss Solutions, which describes itself as a search monetization research firm based in the United Arab Emirates.
Though long categorized as a potentially unwanted program (PUP) with browser hijacking capabilities, an analysis by Huntress researchers found that the software had quietly evolved into something far more dangerous.
Starting in March 2025, Huntress analysts observed it deploying a PowerShell-based payload that runs with elevated privileges to disable cybersecurity products, block their update servers, and prevent their reinstallation.
The malware achieves persistence through five scheduled tasks and WMI event subscriptions that survive reboots. It also adds Windows Defender exclusions for directories used to stage future payloads, which could include cryptominers, ransomware, or infostealers.
The most alarming discovery was in the software’s update configuration. The primary domain used to deliver payload updates (chromsterabrowser[.]com) was unregistered. Anyone who purchased it could have served arbitrary code to every affected host, with no exploitation required, since antivirus protection was already disabled on those machines................
$10 Domain Could Have Handed Hackers 25k Endpoints, Including in OT and Gov Networks
A single unregistered domain available for as little as $10 could have granted hackers control over 25,000 compromised endpoints worldwide.