Researchers have determined that a threat initially appearing to be adware-oriented unwanted software in fact posed a far more complex and serious risk. The investigation revealed that the malware's own update domain had been left unregistered, so a domain name that could have been bought for as little as $10 might have granted covert control over more than 25,000 compromised endpoints worldwide.
The software at the center of the investigation was signed by Dragon Boss Solutions, a company that presents itself as a search monetization research firm based in the United Arab Emirates. Although the program had long been classified as a potentially unwanted program (PUP) with browser hijacking capabilities, further analysis showed that it had gradually evolved into something significantly more dangerous.
It has been reported that, starting in March 2025, the software began deploying PowerShell-based payloads running with elevated privileges. These payloads disable cybersecurity products, block their update servers and prevent their reinstallation.
To maintain persistence on infected systems, the malware registers five scheduled tasks and WMI event subscriptions, both of which survive system reboots. It also adds the directories used to stage future payloads to the Windows Defender exclusion list, so that anything dropped there later is never scanned. According to researchers, such payloads could include cryptominers, ransomware samples, or information-stealing malware.
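As an added example, and not code from the researchers or from the software's publisher, the following PowerShell triage script surfaces the classes of persistence and tampering the article describes on a single host: scheduled tasks that launch PowerShell with loader-style switches, permanent WMI event subscriptions, and Microsoft Defender exclusions and disabled-protection flags. The article does not name the five tasks, the WMI filter or consumer names, the excluded directories, or how the security products' update servers were blocked, so none of those are assumed; the script flags generic indicators (including hosts-file overrides, a common way to block update servers) for an analyst to review. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session on the host under examination.

```powershell
# Added triage script; not from the original report, the researchers, or the
# software's publisher. Assumes an elevated session on the host being examined.
# Task names, WMI class instance names and excluded paths used by the malware
# are not given in the article, so only generic indicators are surfaced.

function New-Finding([string]$Kind, [string]$Name, [string]$Detail, [string]$RunAs = '', [string]$Level = '') {
    # One record shape for every check so the results can be tabulated or exported together.
    [pscustomobject]@{ Kind = $Kind; Name = $Name; RunAs = $RunAs; Level = $Level; Detail = $Detail }
}

function Get-SuspiciousScheduledTask {
    # Flag tasks whose action runs PowerShell, or whose arguments carry switches
    # typical of fileless loaders (encoded command, hidden window, policy bypass,
    # download-and-run). Tune the pattern to your own environment's baseline.
    $argPattern = '(?i)(^|\s)-e(nc|ncodedcommand)?\s|hidden|bypass|downloadstring|downloadfile|\biex\b|invoke-expression'
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in @($task.Actions)) {
            if ($action.Execute -match '(?i)powershell|pwsh' -or $action.Arguments -match $argPattern) {
                # RunLevel 'Highest' means the task runs elevated, as the article describes.
                New-Finding 'ScheduledTask' "$($task.TaskPath)$($task.TaskName)" `
                    ("$($action.Execute) $($action.Arguments)").Trim() `
                    $task.Principal.UserId "$($task.Principal.RunLevel)"
            }
        }
    }
}

function Get-WmiEventSubscription {
    # Permanent WMI subscriptions live in root\subscription. Apart from the stock
    # "SCM Event Log" (and on some builds BVT) entries, a client normally has none,
    # so every filter -> consumer binding deserves review. CommandLineEventConsumer
    # and ActiveScriptEventConsumer are the consumer types that execute code.
    $cim = @{ Namespace = 'root\subscription'; ErrorAction = 'SilentlyContinue' }
    foreach ($f in Get-CimInstance @cim -ClassName __EventFilter) {
        New-Finding 'WmiFilter' $f.Name $f.Query
    }
    foreach ($c in Get-CimInstance @cim -ClassName __EventConsumer) {
        # Show what the consumer would run; fall back to the consumer class name.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                   elseif ($c.ScriptText)      { $c.ScriptText }
                   else                        { $c.CimClass.CimClassName }
        New-Finding 'WmiConsumer' $c.Name $payload
    }
    foreach ($b in Get-CimInstance @cim -ClassName __FilterToConsumerBinding) {
        New-Finding 'WmiBinding' "$($b.Filter.Name) -> $($b.Consumer.Name)" ''
    }
}

function Get-DefenderTampering {
    # Exclusions hide staged payload directories from scanning; the Disable* flags
    # show whether protection has been switched off outright.
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if (-not $pref) { return }
    foreach ($p in @($pref.ExclusionPath))      { if ($p) { New-Finding 'DefenderExclusionPath'      $p '' } }
    foreach ($p in @($pref.ExclusionProcess))   { if ($p) { New-Finding 'DefenderExclusionProcess'   $p '' } }
    foreach ($e in @($pref.ExclusionExtension)) { if ($e) { New-Finding 'DefenderExclusionExtension' $e '' } }
    foreach ($flag in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableIOAVProtection') {
        New-Finding 'DefenderState' $flag "$($pref.$flag)"
    }
}

function Get-HostsFileOverride {
    # The article does not say how update servers were blocked; the hosts file is
    # the usual place to look, so report every active (non-comment) mapping.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (-not (Test-Path $hosts)) { return }
    foreach ($line in Get-Content $hosts) {
        $t = $line.Trim()
        if ($t -and -not $t.StartsWith('#')) { New-Finding 'HostsEntry' $t '' }
    }
}

# Collect everything, show it, and keep a CSV copy for the case file.
$findings = @(Get-SuspiciousScheduledTask) + @(Get-WmiEventSubscription) +
            @(Get-DefenderTampering)      + @(Get-HostsFileOverride)
$findings | Format-Table Kind, Name, RunAs, Level, Detail -AutoSize -Wrap
$findings | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP 'persistence-triage.csv')
```

Run it before any cleanup so the CSV preserves the original task and WMI definitions; removing the scheduled tasks without also deleting the WMI bindings (and vice versa) leaves a path for the malware to re-establish itself after reboot.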
The most alarming finding emerged from the software's update configuration. The primary domain used to deliver payload updates, chromsterabrowser[.]com, was found to be unregistered. This meant that anyone who purchased the domain could have delivered arbitrary code, without any further exploitation step, to infected systems on which antivirus protection had already been disabled.
Before the domain could be acquired by malicious actors, researchers registered it themselves, pointed it at sinkhole infrastructure and monitored the incoming traffic. Approximately 25,000 unique IP addresses, from real production environments, were observed contacting the domain to fetch update instructions.
According to the findings, the infections spanned 124 countries. The scale of compromise among high-value targets proved particularly concerning. Of the observed hosts, 324 belonged to sensitive networks, including 221 universities and colleges, 41 operational technology (OT) networks, 35 government entities and three healthcare organizations. It was also noted that several of the affected networks belonged to Fortune 500 companies.