ACCORDING to Huntress, researchers uncovered a sophisticated threat hidden inside adware, revealing that a single unregistered domain available for as little as $10 could have granted malicious actors silent control over more than 25,000 compromised endpoints worldwide. The software, signed by Dragon Boss Solutions, a company described as a search monetisation firm based in the United Arab Emirates, had evolved from a potentially unwanted program into a more dangerous tool.
Starting in March 2025, it deployed a PowerShell-based payload with elevated privileges to disable cybersecurity products, block their update servers, and hinder reinstallation. It achieved persistence via five scheduled tasks and WMI event subscriptions, surviving reboots, and added Windows Defender exclusions for staging directories that could host cryptominers, ransomware, or infostealers.
The primary domain used for updates, chromsterabrowser[.]com, was unregistered, meaning whoever purchased it could have served arbitrary code to every infected host with antivirus protection already disabled. Roughly 25,000 unique IP addresses across 124 countries were observed, including over 12,000 US hosts and about 2,000 each in the UK, France, Canada, and Germany, with 324 hosts in sensitive networks such as 221 universities, 41 OT networks, 35 government entities, and three healthcare organisations.
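The persistence and defence-evasion artefacts described above (WMI event subscriptions, scheduled tasks running elevated PowerShell, Windows Defender path exclusions, sinkholed update servers) are all enumerable from a host. The following triage script is an added example, written for this page and not part of the Huntress report or any Dragon Boss Solutions software; it assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session, and the `$SuspectDomain` parameter is a placeholder you replace with the update domain you are hunting for (the article names chromsterabrowser[.]com).

```powershell
# Added example (not from the Huntress report): surface the persistence and
# defence-evasion artefacts described in the article on a single Windows host.
# Assumptions: run as Administrator; $SuspectDomain is a placeholder IoC.
param(
    [string]$SuspectDomain = 'update-domain.example'   # placeholder, replace with the real IoC
)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Source, [string]$Name, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Detail = $Detail })
}

# 1. Permanent WMI event subscriptions. Consumers that run a command line or a
#    script are the classic fileless persistence mechanism and are rare on
#    clean hosts, so every one of them is reported.
$consumers = Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer -ErrorAction SilentlyContinue
foreach ($c in $consumers) {
    $type = $c.CimClass.CimClassName
    if ($type -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
        $payload = if ($type -eq 'CommandLineEventConsumer') { $c.CommandLineTemplate } else { $c.ScriptText }
        Add-Finding 'WMI-Consumer' $c.Name "$type : $payload"
    }
}
$filters = Get-CimInstance -Namespace root\subscription -ClassName __EventFilter -ErrorAction SilentlyContinue
foreach ($f in $filters) {
    # Filters keyed on boot/logon events (Win32_ComputerSystem, LogonSession) are typical triggers.
    Add-Finding 'WMI-Filter' $f.Name $f.Query
}

# 2. Windows Defender exclusions and disabled protections.
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p) { Add-Finding 'Defender-Exclusion' $p 'ExclusionPath' }
    }
    if ($pref.DisableRealtimeMonitoring) { Add-Finding 'Defender-Setting' 'DisableRealtimeMonitoring' 'True' }
}

# 3. Scheduled tasks whose actions launch PowerShell with evasion-style switches,
#    run with highest privileges, or reference the suspect domain.
$domainRx = [regex]::Escape($SuspectDomain)
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        $isPs   = $cmd -match '(?i)powershell|pwsh'
        $evasive = $cmd -match '(?i)-enc|-e |bypass|hidden|iex|downloadstring|invoke-webrequest'
        $hitsDomain = $cmd -match $domainRx
        if (($isPs -and $evasive) -or $hitsDomain) {
            $level = $task.Principal.RunLevel
            Add-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" "RunLevel=$level : $cmd"
        }
    }
}

# 4. Hosts-file entries that sinkhole non-localhost names, a cheap way to
#    "block update servers" for security products.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($line in (Get-Content $hostsPath -ErrorAction SilentlyContinue)) {
    if ($line -match '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+(\S+)' -and
        $Matches[2] -notin 'localhost', 'localhost.localdomain') {
        Add-Finding 'HostsFile' $Matches[2] "Sinkholed to $($Matches[1])"
    }
}

# 5. Does the update domain currently resolve? An unregistered (NXDOMAIN) update
#    domain is exactly the takeover risk the article describes.
try {
    $rec = Resolve-DnsName -Name $SuspectDomain -Type A -ErrorAction Stop
    Add-Finding 'DNS' $SuspectDomain ("Resolves to " + (($rec | Where-Object IPAddress | Select-Object -ExpandProperty IPAddress) -join ', '))
} catch {
    Add-Finding 'DNS' $SuspectDomain 'Does not resolve (unregistered or no A record)'
}

$findings | Sort-Object Source | Format-Table -AutoSize
```

Run it on a suspect host and a known-clean reference build and diff the two tables: the WMI consumer, Defender exclusion and hosts-file sections should be empty on the reference, so any row there on the suspect is worth pulling into a full incident-response workflow rather than simply deleting, since removing one of the five tasks or subscriptions without the others lets the remainder re-create it.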