Cyber: Complete Guide to Signed software abused to deploy antivirus-killing scripts

A digitally signed adware tool has deployed payloads running with SYSTEM privileges that disabled antivirus protections on thousands of endpoints, including some in the educational, utilities, government, and healthcare sectors. In a single day, researchers observed more than 23,500 infected hosts in 124 countries trying to connect to the operator's infrastructure, with hundreds of infected endpoints present in high-value networks.

Security researchers at managed security company Huntress discovered the campaign on March 22, when signed executables classified as potentially unwanted programs (PUPs) triggered alerts in multiple managed environments. PUPs, or adware, are regarded more as a nuisance than as malicious, since their role is typically to generate revenue for the developer by showing advertisement pop-ups and banners or through browser redirects.

Huntress researchers say the software was signed by a company called Dragon Boss Solutions LLC, which is involved in "search monetization research" and promotes various tools (e.g., Chromstera Browser, Chromnius, WorldWideWeb, Web Genius, Artificius Browser) labeled as browsers but detected as PUPs by multiple security solutions.

Beyond annoying users with ads and redirects, the browsers from Dragon Boss Solutions also feature an advanced update mechanism that deploys an antivirus killer. Huntress researchers found that the operation relied on the update mechanism of the commercial Advanced Installer authoring tool to deploy MSI and PowerShell payloads. Analyzing the configuration file for the update process revealed several flags that made the operation completely silent, with no user interaction. The configuration also installed the payloads with elevated privileges (SYSTEM), prevented users from disabling automatic updates, and checked frequently for new updates.
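The chain described above (a signed adware component running as SYSTEM handing off to msiexec.exe or powershell.exe) is something a defender can hunt for in process-creation telemetry. The following is an added detection example, not code from the article or from Huntress; the `ProcEvent` fields, the updater file name and all sample events are constructed assumptions, while the publisher name comes from the article.

```python
"""Added example, not from the article: correlate process-creation telemetry
for the pattern described above (a watchlisted-publisher binary running as
SYSTEM spawning msiexec.exe/powershell.exe). All events are constructed."""
from __future__ import annotations
from dataclasses import dataclass

WATCHLIST_PUBLISHERS = {"dragon boss solutions llc"}  # signer named in the article
PAYLOAD_RUNNERS = {"msiexec.exe", "powershell.exe"}   # MSI and PowerShell payloads
SYSTEM_ACCOUNT = "nt authority\\system"

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str   # full image path of the created process
    user: str    # account the process runs under
    signer: str  # Authenticode signer of the image ("" if unsigned)

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_suspicious_chains(events: list[ProcEvent]) -> list[tuple[str, str]]:
    """Return (parent image, child image) pairs where a watchlisted-publisher
    binary spawned an MSI/PowerShell launcher that runs as SYSTEM."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for child in events:
        if _basename(child.image) not in PAYLOAD_RUNNERS:
            continue
        parent = by_pid.get(child.ppid)
        if parent is None or parent.signer.lower() not in WATCHLIST_PUBLISHERS:
            continue
        if child.user.lower() != SYSTEM_ACCOUNT:  # payload landed with SYSTEM rights
            continue
        hits.append((parent.image, child.image))
    return hits

# Constructed sample telemetry; paths, PIDs and the updater file name are made up.
SYS, MS, DBS = "NT AUTHORITY\\SYSTEM", "Microsoft Windows", "Dragon Boss Solutions LLC"
UPDATER = r"C:\Program Files\Chromstera\updater.exe"
SAMPLE_EVENTS = [
    ProcEvent(400, 4, UPDATER, SYS, DBS),
    ProcEvent(412, 400, r"C:\Windows\System32\msiexec.exe", SYS, MS),
    ProcEvent(420, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", SYS, MS),
    # Benign: the same MSI engine launched by a Microsoft-signed parent.
    ProcEvent(500, 4, r"C:\Windows\System32\svchost.exe", SYS, MS),
    ProcEvent(512, 500, r"C:\Windows\System32\msiexec.exe", SYS, MS),
    # Benign: the adware browser running as the user, not as SYSTEM.
    ProcEvent(600, 300, r"C:\Program Files\Chromstera\chromstera.exe", "HOST\\alice", DBS),
    ProcEvent(612, 600, r"C:\Windows\System32\msiexec.exe", "HOST\\alice", MS),
]
```

Run against the constructed events, only the two children of the SYSTEM-level updater are reported; the Microsoft-signed svchost.exe chain and the user-level browser are left alone.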

Source: BleepingComputer