TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Infosecurity Magazine

Signed Adware Operation Disables Antivirus Across 23,000 Hosts

2026-04-15

ATT&CK techniques detected

5 predictions
T1053.005 Scheduled Task
92%
"security products. it then establishes five scheduled tasks and windows management instrumentation (wmi) event subscriptions that maintain persistence across reboots, logons and at 30-minute intervals. a tight polling loop kills matching av processes every 100 milliseconds fo…"
T1546.003 Windows Management Instrumentation Event Subscription
89%
"security products. it then establishes five scheduled tasks and windows management instrumentation (wmi) event subscriptions that maintain persistence across reboots, logons and at 30-minute intervals. a tight polling loop kills matching av processes every 100 milliseconds fo…"
T1053.005 Scheduled Task
64%
"signed adware operation disables antivirus across 23,000 hosts a signed software operation linked to a company called dragon boss solutions llc has reportedly been silently disabling antivirus products on more than 23,000 endpoints worldwide according to research published by h…"
T1059.001 PowerShell
45%
"signed adware operation disables antivirus across 23,000 hosts a signed software operation linked to a company called dragon boss solutions llc has reportedly been silently disabling antivirus products on more than 23,000 endpoints worldwide according to research published by h…"
T1195.002 Compromise Software Supply Chain
35%
"signed adware operation disables antivirus across 23,000 hosts a signed software operation linked to a company called dragon boss solutions llc has reportedly been silently disabling antivirus products on more than 23,000 endpoints worldwide according to research published by h…"

Summary

Huntress uncovers adware deploying AV-killing payloads via signed updates across 23,000 endpoints