Particle.news

Huntress Sinkholes $10 Update Domain Behind Signed Adware That Disabled Antivirus on About 25,000 PCs

An unclaimed updater created a cheap route for remote code delivery to thousands of machines with defenses already shut off.

Overview

  • Huntress registered the operation’s primary update domain and sinkholed traffic, then saw 23,565 to roughly 25,000 unique IPs from 124 countries reach out for instructions, with the U.S. as the largest share.
  • The unregistered domain meant a low-cost purchase could have pushed any payload to all infected hosts because the updater already ran with system privileges.
  • The campaign used a PowerShell script called ClockRemoval.ps1 to kill and uninstall antivirus tools, block their update sites via the hosts file, and persist through five scheduled tasks and WMI event subscriptions.
  • Sinkhole data identified 324 infected endpoints inside sensitive environments, including 221 universities, 41 operational technology networks, 35 government entities, and three healthcare organizations.
  • Researchers tie the signed software to Dragon Boss Solutions LLC and urge admins to hunt for WMI items labeled MbRemoval or MbSetup, tasks named WMILoad or ClockRemoval, and Defender exclusions or hosts-file entries that block security vendors.
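The hunting guidance in the last bullet, turned into a single PowerShell sweep an administrator can run on a suspect endpoint. This is an added example, not tooling from Huntress or the original report; the artifact names (MbRemoval, MbSetup, WMILoad, ClockRemoval) come from the bullets above, while the list of security-vendor keywords matched in the hosts file is an assumption to be extended for your own AV/EDR estate.

```powershell
# Hunt for the persistence and defence-evasion artifacts described in the report.
# Run in an elevated Windows PowerShell session on the endpoint being checked.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. WMI event subscriptions labelled MbRemoval or MbSetup.
#    Querying __EventConsumer also returns CommandLineEventConsumer etc. (subclasses).
$namePattern = 'MbRemoval|MbSetup'
foreach ($class in '__EventFilter', '__EventConsumer') {
    Get-CimInstance -Namespace root/subscription -ClassName $class -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $namePattern } |
        ForEach-Object { $findings.Add("WMI ${class}: $($_.Name)") }
}

# 2. Scheduled tasks named WMILoad or ClockRemoval, with what they execute.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -match 'WMILoad|ClockRemoval' } |
    ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings.Add("Scheduled task $($_.TaskPath)$($_.TaskName): $actions")
    }

# 3. Defender exclusions. Every exclusion is listed so it can be reviewed against
#    the change record; the campaign added exclusions to keep its tooling unscanned.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($item in @($mp.$kind)) {
            if ($item) { $findings.Add("Defender ${kind}: $item") }
        }
    }
}

# 4. hosts-file entries that point security-vendor update domains elsewhere.
#    Vendor keyword list is an assumption: add the products deployed in your estate.
$vendorPattern = 'malwarebytes|windowsupdate|microsoft|defender|sophos|kaspersky|eset|avast|avg|bitdefender|mcafee|norton|symantec|trendmicro|crowdstrike|sentinelone'
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsFile -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match $vendorPattern } |
    ForEach-Object { $findings.Add("hosts entry: $($_.Trim())") }

if ($findings.Count -eq 0) {
    Write-Output 'No ClockRemoval/WMILoad indicators found on this host.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A hit on any item is a reason to image the host and review its scheduled-task and WMI-activity event logs rather than simply deleting the artifact, since the updater itself remains the reinfection path.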