TTPwire Vol. 1 · MITRE ATT&CK · Tagged


Huntress

When PUPs Grow Fangs: Dragon Boss Solutions' $10 Supply Chain Risk

2026-04-14

ATT&CK techniques detected

32 predictions
T1546.003 Windows Management Instrumentation Event Subscription
100%
“…the browser installers are likely included because legitimate browsers would potentially interfere with the adware's browser hijacking capabilities. Persistence establishment. The script creates five scheduled tasks running as SYSTEM: for WMI persistence, the script establishes…”
T1218.007 Msiexec
99%
“…: MSI execution to deploy an "update". Looking at that task creation again, we see that it's running out of msiexec and running a script called ClockRemoval.ps1. Figure 6: Payload execution post "update". Variations of executables. Notably, the executables and their install…”
T1053.005 Scheduled Task
99%
“…This transforms a PUP infection into a potential supply chain compromise. Fortunately, Huntress found this domain first. So we registered it ourselves, pointed it to a sinkhole, and within hours watched tens of thousands of compromised endpoints reach out looking for instructio…”
T1546.003 Windows Management Instrumentation Event Subscription
97%
“…While PUPs are often dismissed as an annoyance or noise, in this case we treated these detections as a priority incident rather than routine adware cleanup. Go and hunt in your environment for the WMI artifacts and scheduled tasks outlined above, or just anything with a "Drago…”
T1195.002 Compromise Software Supply Chain
97%
“When PUPs Grow Fangs: Dragon Boss Solutions' $10 Supply Chain Risk. Acknowledgments: special thanks to Lindon Wass and Michael Elford for their contributions to this research and blog. Background. Early in the morning on Sunday, the 22 March, what appeared to be standard adware…”
T1195.002 Compromise Software Supply Chain
94%
“…, locking users into a potentially vulnerable, modified browser version. These binaries have positive detections on VirusTotal. Figure 22: VT listing for modified Chrome binary. So what did Huntress do? That unregistered domain concerned us to say the least. With SYSTEM level cod…”
T1059.001 PowerShell
93%
“…b4072ad56bb4083026c797b0345b2cce43862fc83!_stringdata analysis. Before deploying the main payload, the installer conducts reconnaissance: - environment detection (SoftwareDetector.dll) - checks admin status (AI_DETECTED_ADMIN_USER) - detects virtual machine (AI_…”
T1218.007 Msiexec
92%
“…querading as a GIF image. Figure 9: Update pointed to https://dl.isready26[.]online/image/ldk4945jfds.gif - VT. Payload analysis. We now have the MSI file (SHA256: 40ac30ce1e88c47f317700cc4b5aa0a510f98c89e11c32265971564930418372), and unzipping it we see it conta…”
T1195.002 Compromise Software Supply Chain
90%
“…interaction. These elevated levels of persistence ensured there would be no UAC or alarms related to the installation of an unsigned MSI package. Figure 24: Hijacking the update URL in a lab environment. The test confirmed what we suspected; the update mechanism was fully functi…”
T1053.005 Scheduled Task
90%
“…the required signing conditions. All configured domains were intercepted by local DNS resolvers and pointed towards lab tooling. We recreated the malicious update package by feeding a simple PowerShell payload (in this case, launching calc.exe) into an MSI bundle that would be…”
T1059.001 PowerShell
88%
“- runs ClockRemoval.ps1 via PowerShellScriptLauncher.dll - spawns 6-minute self-termination timer - Start-Sleep -Seconds 360 then kills .tmp processes. ClockRemoval.ps1: the AV killer. The malware author (or more likely AI) that wrote this nicely provided a synopsis an…”
T1546.003 Windows Management Instrumentation Event Subscription
86%
“…This transforms a PUP infection into a potential supply chain compromise. Fortunately, Huntress found this domain first. So we registered it ourselves, pointed it to a sinkhole, and within hours watched tens of thousands of compromised endpoints reach out looking for instructio…”
T1685 Disable or Modify Tools
80%
“…oval.ps1 AV processes get killed before they can fully initialize. WMI events alone may have a brief delay, and this polling loop covers that gap. Following the kill loop, Do-DisableServicesRegistryOnly disables AV services via registry manipulation and strips all AV-relat…”
T1195.002 Compromise Software Supply Chain
79%
“…be something far more deliberate. Dragon Boss Solutions' browser-hijacking PUP is signed with a legitimate code-signing certificate, hides behind a trusted update mechanism, and silently deploys a sophisticated AV killer. The payload, ClockRemoval.ps1, does not just disable…”
T1195.002 Compromise Software Supply Chain
75%
“…the required signing conditions. All configured domains were intercepted by local DNS resolvers and pointed towards lab tooling. We recreated the malicious update package by feeding a simple PowerShell payload (in this case, launching calc.exe) into an MSI bundle that would be…”
T1195.002 Compromise Software Supply Chain
75%
“…protective software. More concerning is it turned out to have an open door baked right into its update configuration, one which anyone with $10 could have walked straight through. Attack flow overview. Figure 1: Diagram showing attack path. Setting the stage. Most adware/potenti…”
T1584.004 Server
65%
“…protective software. More concerning is it turned out to have an open door baked right into its update configuration, one which anyone with $10 could have walked straight through. Attack flow overview. Figure 1: Diagram showing attack path. Setting the stage. Most adware/potenti…”
T1059.001 PowerShell
55%
“…oval.ps1 AV processes get killed before they can fully initialize. WMI events alone may have a brief delay, and this polling loop covers that gap. Following the kill loop, Do-DisableServicesRegistryOnly disables AV services via registry manipulation and strips all AV-relat…”
T1059.001 PowerShell
55%
“When PUPs Grow Fangs: Dragon Boss Solutions' $10 Supply Chain Risk. Acknowledgments: special thanks to Lindon Wass and Michael Elford for their contributions to this research and blog. Background. Early in the morning on Sunday, the 22 March, what appeared to be standard adware…”
T1053.005 Scheduled Task
52%
“…the browser installers are likely included because legitimate browsers would potentially interfere with the adware's browser hijacking capabilities. Persistence establishment. The script creates five scheduled tasks running as SYSTEM: for WMI persistence, the script establishes…”
T1584.004 Server
51%
“…be something far more deliberate. Dragon Boss Solutions' browser-hijacking PUP is signed with a legitimate code-signing certificate, hides behind a trusted update mechanism, and silently deploys a sophisticated AV killer. The payload, ClockRemoval.ps1, does not just disable…”
T1568.002 Domain Generation Algorithms
48%
“…and pointed DNS records to a sinkhole, then watched to see if any infected hosts would reach out. They did. Immediately. Over a 24-hour observation period, we captured connection attempts from infected endpoints, all running Dragon Boss Solutions software and reaching out to ou…”
T1564.012 File/Path Exclusions
42%
“…: # begin av-update-block-v1 (ClockRemoval.ps1) # managed block: ClockRemoval.ps1 -AvHostsBlockRevert / -AvHostsBlockApply # redirect target: 0.0.0.0 (null-route) 0.0.0.0 data.service.malwarebytes.com 0.0.0.0 downloads.malwarebytes.com 0.0.0.0 a…”
T1505.004 IIS Components
41%
“…the required signing conditions. All configured domains were intercepted by local DNS resolvers and pointed towards lab tooling. We recreated the malicious update package by feeding a simple PowerShell payload (in this case, launching calc.exe) into an MSI bundle that would be…”
T1053.005 Scheduled Task
39%
“…While PUPs are often dismissed as an annoyance or noise, in this case we treated these detections as a priority incident rather than routine adware cleanup. Go and hunt in your environment for the WMI artifacts and scheduled tasks outlined above, or just anything with a "Drago…”
T1053.005 Scheduled Task
35%
“- runs ClockRemoval.ps1 via PowerShellScriptLauncher.dll - spawns 6-minute self-termination timer - Start-Sleep -Seconds 360 then kills .tmp processes. ClockRemoval.ps1: the AV killer. The malware author (or more likely AI) that wrote this nicely provided a synopsis an…”
T1584.004 Server
33%
“…listing for "Dragon Boss Solutions". Although their website is currently offline, there are previous scans available that show a different location. Figure 20: urlscan.io listing for www.dragonboss[.]com/contact/. Historically, their signature has been tracked as adware…”
T1071.001 Web Protocols
32%
“…States - 12,697 hosts (53.9%) - France - 2,803 hosts (11.9%) - Canada - 2,380 hosts (10.1%) - United Kingdom - 2,223 hosts (9.4%) - Germany - 2,045 hosts (8.7%). High-value target analysis. In a particularly concerning finding, based on the IP addresses o…”
T1047 Windows Management Instrumentation
31%
“…While PUPs are often dismissed as an annoyance or noise, in this case we treated these detections as a priority incident rather than routine adware cleanup. Go and hunt in your environment for the WMI artifacts and scheduled tasks outlined above, or just anything with a "Drago…”
T1072 Software Deployment Tools
31%
“When PUPs Grow Fangs: Dragon Boss Solutions' $10 Supply Chain Risk. Acknowledgments: special thanks to Lindon Wass and Michael Elford for their contributions to this research and blog. Background. Early in the morning on Sunday, the 22 March, what appeared to be standard adware…”
T1036.008 Masquerade File Type
31%
“…querading as a GIF image. Figure 9: Update pointed to https://dl.isready26[.]online/image/ldk4945jfds.gif - VT. Payload analysis. We now have the MSI file (SHA256: 40ac30ce1e88c47f317700cc4b5aa0a510f98c89e11c32265971564930418372), and unzipping it we see it conta…”
T1557.001 Name Resolution Poisoning and SMB Relay
30%
“- runs ClockRemoval.ps1 via PowerShellScriptLauncher.dll - spawns 6-minute self-termination timer - Start-Sleep -Seconds 360 then kills .tmp processes. ClockRemoval.ps1: the AV killer. The malware author (or more likely AI) that wrote this nicely provided a synopsis an…”

Summary

Huntress uncovered a malware operation using a signed PUP to deploy AV killers with SYSTEM privileges. Learn how this adware crosses the line into malware territory and how anyone could have hijacked its update mechanism.