'Harmless' Global Adware Transforms Into an AV Killer
Dark Reading
A benign looking update Dragon Boss pushed out in March 2025 established persistence via scheduled tasks and arranged for future payloads to be excluded from Windows Defender.
Nate Nelson, Contributing Writer
April 16, 2026
5 Min Read
An instant software update turned an adware program into an antivirus (AV) destroyer, priming nearly 24,000 computer systems on five continents for follow-on cyberattacks.
People tend to view adware, and other forms of potentially unwanted programs (PUPs), as little more than a lowly annoyance. It doesn't help that "PUPs" is such a cute acronym, and that the name "potentially unwanted programs" is an unnecessarily polite misnomer for what these programs actually are: malware masquerading as legitimate software.
One threat actor, disguised as a corporation, did its best last year to show the world what these niggling programs are truly capable of. After infecting a couple of tens of thousands of mildly annoyed individuals and organizations worldwide, it pushed a malicious update that turned its adware into straight-up malware. Thankfully, with $10 and a little bit of gumption, researchers at Huntress identified and sinkholed the malware's primary update domain, mitigating further damage.
Adware Campaign Turns Dangerous
The threat actor behind this campaign, Dragon Boss Solutions LLC, claims to be a registered company based in the United Arab Emirates (UAE). Its Crunchbase profile states that it "engages in research to find the best Search Monetization Solutions for Browser Extensions, Software and Desktop Applications," which is a fancy way of saying that it runs adware in browsers and apps. Its adware is typically flagged by antivirus (AV) programs, and about a year ago, its proprietors decided to do something to fix that.
Dragon Boss PUPs use a ubiquitous but surprisingly little-known program called "Advanced Installer" to organize all their files and such into a smooth installation process. One of Advanced Installer's most helpful features is its update tool, which automatically, periodically checks for new updates to Advanced Installer-packaged programs. In the early morning hours of March 22, 2025, Dragon Boss pushed an update to all its instances worldwide.
The payload concealed in that update was designed to disable security tools that recognize and flag Dragon Boss adware, including AVs from ESET, McAfee, Kaspersky, and Malwarebytes. For good measure, it also established persistence via scheduled tasks, arranged for any future payloads to be excluded from Windows Defender, and more. Huntress researchers speculated this payload may have been written with help from an artificial intelligence (AI) tool, as all of its malicious actions are neatly described in inline code comments.
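The two behaviors the article attributes to the update, a Windows Defender exclusion being added and a scheduled task being registered, both leave Windows event log records that a SOC can alert on. The following triage routine is an added example, not code from the article or from Huntress; it uses the real event IDs (Defender/Operational 5007 "configuration changed" and TaskScheduler/Operational 106 "task registered") over constructed sample records.

```python
"""Flag Defender exclusion additions and new scheduled-task registrations
in a batch of Windows event records. Added example; event IDs are real,
the sample records below are constructed and not real telemetry."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    source: str      # event log provider name
    event_id: int    # Windows event ID
    message: str     # rendered event message


# Constructed sample records resembling the two behaviours described above.
SAMPLE_EVENTS = [
    Event("Microsoft-Windows-Windows Defender", 5007,
          "Windows Defender configuration has changed. New value: "
          "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths"
          "\\C:\\ProgramData\\Updater = 0x0"),
    Event("Microsoft-Windows-TaskScheduler", 106,
          'User "SYSTEM" registered Task Scheduler task "\\UpdateCheck"'),
    Event("Microsoft-Windows-Windows Defender", 1116, "Malware detected"),
    Event("Microsoft-Windows-TaskScheduler", 102, "Task completed"),
]

# Event 5007 reports the registry value that changed; exclusions live under
# ...\Windows Defender\Exclusions\{Paths,Processes,Extensions}\<value> = 0x0
EXCLUSION_RE = re.compile(
    r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(.+?) = ")
# Event 106 names the task that was registered.
TASK_RE = re.compile(r'registered Task Scheduler task "([^"]+)"')


def triage(events):
    """Return (finding, detail) tuples for the suspicious records in events."""
    findings = []
    for ev in events:
        if ev.event_id == 5007 and "Defender" in ev.source:
            m = EXCLUSION_RE.search(ev.message)
            if m:  # only exclusion changes, not every config change
                findings.append(("defender_exclusion_added",
                                 f"{m.group(1)}: {m.group(2)}"))
        elif ev.event_id == 106 and "TaskScheduler" in ev.source:
            m = TASK_RE.search(ev.message)
            findings.append(("scheduled_task_registered",
                             m.group(1) if m else ev.message))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding)
```

Correlating the two findings within a short window on the same host, and checking the excluded path against the task's action, narrows the alert to the pattern described here rather than routine administration.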
By disabling AV solutions and establishing persistence, the adware could more effectively go about its business without interruption. Out of context, though, it looked just like a threat actor backdooring thousands of systems worldwide, setting the stage for follow-on cyberattacks. With another update, Dragon Boss could have easily uploaded ransomware, a botnet, or any other sort of malicious payload to infected systems.
Even if the threat actor lacked the intent to do so, any other threat actor could have. Each instance of Dragon Boss adware had a primary URL from which it pulled updates, and a backup. When researchers looked into it, they found that the implants were receiving updates from a secondary domain, while their primary was left inexplicably unregistered. That meant that anyone who knew where to look could identify from whence all these implants were receiving instructions, register that domain for pocket change, and instantly push their own malware to a free set of victims.
The Huntress researchers did so first, sinkholing the campaign. In doing so, they discovered that Dragon Boss's adware had spread to more than 23,500 computers in 124 countries, although half were based in the US, and most of the others in similarly wealthy Western countries. Though only a small percentage of the total, a number of high-value organizations were among the lot, including 35 government entities, 41 operational technology (OT) networks, 221 higher education institutions, and some Fortune 500 companies.
Ryan Dowd, principal security operations center analyst for Huntress, notes that "most instances had been present on the device dating back to as early as 2022, and accompanied by other PUPs, suggesting that it may have been bundled adware," but there isn't any proof one way or the other.
The Thin Line Between Adware and Malware
"The distinction between a PUP and traditional malware often relies on a thin line of user consent and technical intent, rather than the capabilities of the code itself," Dowd says. "In most cases, these types of programs fly under the radar of endpoint detection and response (EDR) as they want to persist and survive, in order to generate their revenue," but that's not always the case. Adware, in particular, has long blurred the line between grey and black hat behavior.
Besides the Dragon Boss approach, "There's a long and storied history of adware secretly delivering malware and ransomware through the ads," says ad fraud crusader Dr. Augustine Fou, creator of FouAnalytics. "This technique is particularly effective for perps and particularly hard to detect for researchers."
"For example, by geofencing a particular hospital, threat actors can surgically deliver ads laced with ransomware code to doctors surfing normal Web pages during their lunch break from an office computer at the hospital," he explains. "Often the malicious ads use the ad creative from reputable advertisers, like McDonald's, to look harmless; but the advertisers have no idea this is happening."
If your organization has been hit hard by cyberattacks before, or if you'd just like to be extra careful, his advice is simple: "Block all ads from all computers on your network."
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.