www.infosecurity-magazine.com 4/15/2026, 3:40:52 PM

Signed Update from Dragon Boss Disables AV on 23k Devices

A signed software operation linked to a company called Dragon Boss Solutions LLC has reportedly been silently disabling antivirus products on more than 23,000 endpoints worldwide. According to Huntress, the campaign used a legitimate code-signing certificate and an off-the-shelf update mechanism to deploy a PowerShell-based payload that systematically kills, uninstalls and blocks the reinstallation of security tools.

Huntress researchers first observed the antivirus-killing behaviour in late March 2025, though the underlying loaders had been present on some hosts since late 2024, with executables using Advanced Installer to poll remote servers for MSI-based updates. Once delivered, a script called ClockRemoval.ps1 executes with SYSTEM privileges, targeting products from Malwarebytes, Kaspersky, McAfee and ESET.

Sinkhole analysis revealed 23,565 unique IP addresses requesting instructions across 124 countries, with the US accounting for roughly 54% of connections, and infections affecting 324 high-value networks including universities, OT networks, government entities and healthcare organisations.

Article by CyberSIXT