When PUPs Grow Fangs: Dragon Boss Solutions Left an Open Door on 25,000+ Endpoints

Khushal

Apr 4, 2024
Background
Early in the morning on Sunday, 22 March, what appeared to be standard adware started triggering alerts across multiple environments managed by Huntress. The executables were using an update mechanism to conceal a multi-stage attack chain designed to systematically disable security tools.

These executables were signed by Dragon Boss Solutions LLC, a company claiming to conduct "search monetization research." The signed software silently fetches and executes payloads capable of killing antivirus products, all while running with SYSTEM privileges.

Huntress observed the antivirus-killing capability starting in late March 2025, although the loaders/updaters dated back to late 2024. The operation uses an off-the-shelf software update mechanism to deploy these MSI and PowerShell-based payloads. It establishes WMI persistence, disables security applications, and blocks reinstallation of protective software.

More concerning, it turned out to have an open door baked right into its update configuration, one that anyone with $10 could have walked straight through.
Outcome
Looking at our example host, we see it successfully nuked “ESET Security”, which is no longer present, along with the exclusions that were added.
 
Then it is not a "potentially" unwanted program anymore, it is a "definitely" unwanted program (DUP).
The PUP term has to be reconsidered, as it's usually underestimated regarding the potential damage it may lead to.
Yeah ESET lost because poor AV had no Behavior protection
Kaspersky was also targeted heavily in this attack but it persisted.
 
I see the same thing with ESET. Good with signature tests, but new threats seem to be a problem. Also, their web protection seems to be lagging behind some other products. Latest tests were poor. It is still a great product. Great firewall and a lot of customization options. I hope they can improve behaviour blocking and web protection.
 
I think the comments may have been in response to what's in the article. If that is so, then there is this information.

They specifically targeted Malwarebytes, Kaspersky, McAfee, and ESET installations (and, by default, Microsoft Defender).

ESET was totally nuked — it seems to have disappeared from the system, while the others remain, with Microsoft Defender getting exclusions added all over.

Although the fates of the other AVs weren't mentioned, their domains may or may not be blocked in the hosts file.
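The post above names three host artefacts worth checking after this kind of PUP-turned-AV-killer: Microsoft Defender exclusions, WMI persistence, and hosts-file entries that sink AV vendor domains. The following triage script is an added example written for this thread, not code from the Huntress write-up or from any poster; the vendor keyword list is an assumption derived from the products named above, and the script only enumerates and reports, leaving remediation to the responder.

```powershell
# Added triage example (not from the Huntress report or any poster).
# Enumerates the artefact classes discussed in the thread so a responder can
# review them. Run from an elevated PowerShell session on the suspect host.

# Assumption: keywords derived from the vendors named in the thread.
$VendorKeywords = @('eset', 'kaspersky', 'malwarebytes', 'mcafee', 'microsoft', 'defender')

function Get-DefenderExclusionFindings {
    # Every exclusion is a finding; compare against the exclusions your policy actually pushes.
    $mp = Get-MpPreference
    foreach ($p in $mp.ExclusionPath)      { [PSCustomObject]@{ Source='DefenderExclusion'; Kind='Path';      Value=$p } }
    foreach ($p in $mp.ExclusionProcess)   { [PSCustomObject]@{ Source='DefenderExclusion'; Kind='Process';   Value=$p } }
    foreach ($e in $mp.ExclusionExtension) { [PSCustomObject]@{ Source='DefenderExclusion'; Kind='Extension'; Value=$e } }
}

function Get-WmiSubscriptionFindings {
    # Permanent WMI event subscriptions live in root\subscription as a filter bound
    # to a consumer. A clean workstation normally has no bindings at all.
    $ns = 'root\subscription'
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        $filter   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -Filter "Name='$($b.Filter.Name)'"
        # The consumer may be CommandLineEventConsumer or ActiveScriptEventConsumer; fetch whichever the binding names.
        $consumer = Get-CimInstance -Namespace $ns -ClassName $b.Consumer.CimClass.CimClassName -Filter "Name='$($b.Consumer.Name)'"
        [PSCustomObject]@{
            Source = 'WmiSubscription'
            Kind   = $b.Consumer.CimClass.CimClassName
            Value  = "$($filter.Query) => $($consumer.CommandLineTemplate)$($consumer.ScriptText)"
        }
    }
}

function Get-HostsFileFindings {
    # Hosts entries that point a vendor-looking hostname at loopback or the null address.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    foreach ($line in Get-Content -Path $hostsPath -ErrorAction Stop) {
        if ($line -match '^\s*(127\.0\.0\.1|0\.0\.0\.0|::1)\s+(\S+)') {
            $name = $Matches[2].ToLowerInvariant()
            if ($VendorKeywords | Where-Object { $name -like "*$_*" }) {
                [PSCustomObject]@{ Source='HostsFile'; Kind='SinkholedHost'; Value=$line.Trim() }
            }
        }
    }
}

# Collect everything into one table for review; empty output means none of the three artefact classes was found.
@(Get-DefenderExclusionFindings; Get-WmiSubscriptionFindings; Get-HostsFileFindings) | Format-Table -AutoSize -Wrap
```

On a managed fleet the same functions can be run through your RMM or EDR scripting channel and the output diffed against a known-good baseline rather than read by eye.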
 
Another thing is, ESET's PUA detection is opt-in. It asks the user whether they want to enable it or not. So if they didn't enable it, then that could be one of the reasons why the disabler file wasn't detected.
Though this shouldn't be a major excuse, because ESET's self-defense was still bypassed.
 
Even if PUA detection was active, it would not have been detected, as signatures were not present for VirusTotal.
 
I meant this MSI file,
But as @Wrecker4923 correctly pointed out,
but it's unclear if this would have stopped the nuke result that the researcher reported.
I have posted this research in the ESET forum. Let's see if they say anything about it. Security firms often publicly deflect blame to other factors as a form of defense.