Signed PUP Supply Chain Attack Deploys AV Killers with SYSTEM Privileges (Dragon Boss Solutions)
Dragon Boss Solutions' digitally signed Potentially Unwanted Program (PUP) was found to contain an insecure update mechanism exploitable for approximately $10, allowing attackers to deliver AV killer payloads with SYSTEM-level privileges to any endpoint running the software. The trusted digital signature allowed the PUP to bypass security tool heuristics, and the hijackable update infrastructure represents a scalable supply chain risk. Remediation requires immediate endpoint isolation, removal of all associated executables and persistence mechanisms, restoration of disabled security tooling, and perimeter blocking of Dragon Boss Solutions infrastructure.
Indicators
- Presence of executables signed by 'Dragon Boss Solutions' on endpoints
- AV or EDR processes terminating unexpectedly without user or admin initiation
- SYSTEM-level processes spawned from PUP or adware installer parent processes
- Unsigned or unexpected binaries downloaded via an auto-update mechanism
- Disabled or killed antivirus/EDR software with no corresponding admin action
- Suspicious scheduled tasks or services created by adware installers
- Outbound network requests to Dragon Boss Solutions update infrastructure from non-admin processes
- Executables with valid digital signatures exhibiting AV-killing or privilege-escalation behaviour
Likely causes
- Insecure update mechanism in Dragon Boss Solutions PUP susceptible to domain or endpoint hijacking for ~$10
- PUP installer granted SYSTEM privileges, enabling high-privilege payload execution during update cycles
- Absence of code signing validation or hash integrity checks on downloaded update payloads
- Update infrastructure domain registrable cheaply, enabling opportunistic or targeted supply chain hijack
- Trusted digital signature on PUP bypassing security tool detection heuristics
- Intentional or negligent bundling of AV killer tooling within the adware distribution pipeline
Diagnostic steps
- Identify Dragon Boss Solutions signed executables on the endpoint using PowerShell: Get-AuthenticodeSignature -FilePath <path> | Select SignerCertificate, Status; or use Sysinternals Sigcheck across suspect directories: sigcheck.exe -accepteula -c <directory>
- Enumerate SYSTEM-level processes spawned by PUP or adware parents using Process Monitor (filter: User = SYSTEM, Parent process = known PUP executable) or via EDR process tree telemetry
- Review the Windows System Event Log for AV/EDR service stop events: Get-WinEvent -LogName System | Where-Object { $_.Id -eq 7036 } | Where-Object { $_.Message -like '*stopped*' }; correlate the timestamps with PUP update activity
- Inspect scheduled tasks and services created by the PUP installer (from cmd.exe, quote the search term with double quotes or not at all; from PowerShell, call sc.exe explicitly because sc is an alias for Set-Content): schtasks /query /fo LIST /v | findstr /i dragon and sc.exe query type= all | findstr /i dragon; document all matches for removal
- Monitor network traffic for outbound connections to Dragon Boss Solutions update servers using Wireshark or endpoint telemetry; flag binary downloads over plain HTTP or from recently registered or low-reputation domains
- Run the console build of Sysinternals Autoruns to enumerate all persistence mechanisms (scheduled tasks, services, registry Run keys) associated with Dragon Boss Solutions software, with signature verification enabled: autorunsc.exe -accepteula -a * -s
- Query EDR telemetry or Microsoft Defender for Endpoint Advanced Hunting for known AV killer tool hashes, BYOVD driver loads, or service manipulation events originating from PUP processes
- Validate the integrity of any auto-update binaries by comparing file hashes against vendor-published values: CertUtil -hashfile <downloaded_file> SHA256; then verify digital signatures using Get-AuthenticodeSignature or Sigcheck
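The signature hunt, persistence review and 7036 correlation above, combined into one PowerShell triage pass. This is an added example, not part of the original advisory or any vendor tooling; the search roots and the AV/EDR service name pattern are assumptions to adjust for the estate.

```powershell
# Added triage example (not from the original advisory): find Dragon Boss Solutions-signed
# binaries, persistence that references them, and AV/EDR service stop events to correlate.
$SignerPattern    = 'Dragon Boss Solutions'
$SearchRoots      = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData",
                      "$env:LOCALAPPDATA", "$env:APPDATA")            # assumption: common install roots
$AvServicePattern = 'Defender|Sense|Huntress|CrowdStrike|SentinelOne|Sophos'  # assumption: deployed tooling

# 1. Executables whose Authenticode signer subject names the vendor. A Valid status is still
#    an indicator here: the trusted signature is what let the PUP past heuristics.
$signed = foreach ($root in $SearchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -Include *.exe,*.dll,*.sys -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -match $SignerPattern) {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Status = $sig.Status
                    SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
        }
}
$signed | Format-Table -AutoSize

# 2. Persistence: scheduled tasks and services whose name or command line references the vendor.
$tasks = Get-ScheduledTask | Where-Object {
    $_.TaskName -match 'dragon' -or (($_.Actions.Execute -join ' ') -match 'dragon')
}
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match 'dragon' -or $_.DisplayName -match 'dragon' }
$tasks    | Select-Object TaskName, TaskPath, State          | Format-Table -AutoSize
$services | Select-Object Name, StartName, State, PathName   | Format-Table -AutoSize  # StartName shows LocalSystem

# 3. AV/EDR service stop events (7036) from the last 7 days, for timestamp correlation
#    against the update activity of the binaries found in step 1.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'stopped' -and $_.Message -match $AvServicePattern } |
    Select-Object TimeCreated, Message | Format-Table -Wrap
```

Run it from an elevated PowerShell session so that service and task details for SYSTEM-owned entries are readable.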
Resolution path
- Immediately isolate all affected endpoints from the network to prevent further payload delivery or lateral movement
- Terminate all running processes associated with Dragon Boss Solutions signed executables
- Remove all Dragon Boss Solutions executables, installers, and update binaries from affected systems
- Delete all scheduled tasks, services, and registry Run/RunOnce entries created by the PUP installer
- Restore or reinstall any disabled or killed AV/EDR solutions from known-good media or deployment tooling
- Block Dragon Boss Solutions update server domains and IP ranges at the perimeter firewall, DNS filter, and web proxy layers
- Conduct a full malware scan with an updated, known-good AV solution on all affected systems
- Review enterprise certificate trust stores and consider revoking or distrust of the Dragon Boss Solutions signing certificate
- Perform a credential review for all accounts active on compromised endpoints and reset passwords where exposure is suspected
- Report the malicious signed PUP to the relevant Certificate Authority (CA) to initiate certificate revocation proceedings
- Notify affected users of the incident and provide guidance on identifying further suspicious activity
Prevention
- Implement application allowlisting (e.g., via Windows Defender Application Control or AppLocker) to block unauthorised executables regardless of digital signature status
- Enforce update mechanism integrity checks for all software — require signed manifests, TLS-pinned connections, and hash verification before executing downloaded updates
- Alert on AV/EDR service stop events (Event ID 7036) in SIEM with immediate escalation to security operations
- Audit and restrict software that requests or runs with SYSTEM privileges during installation or update phases
- Use DNS filtering and web proxy controls to block connections to newly registered, low-reputation, or uncategorised domains
- Regularly audit installed software estate for PUPs and adware using endpoint management tooling (e.g., Intune, SCCM, or EDR inventory)
- Subscribe to threat intelligence feeds to receive early warning of compromised signing certificates or malicious signed software
- Educate IT procurement and end users on the risks of PUPs, bundled adware, and free software distribution channels
- Monitor certificate transparency logs for newly issued certificates to known or suspected malicious organisations
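What the missing update-integrity checks look like in practice: an added PowerShell example (not the advisory's or any vendor's code) that refuses to execute a downloaded update unless its Authenticode signature is Valid, the signer thumbprint is on a pinned allowlist, and its SHA256 matches the value carried in a separately signed manifest. The path, thumbprint and hash values are placeholders.

```powershell
# Added example: gate execution of a downloaded update on signature validity, a pinned signer
# thumbprint, and a manifest hash. All concrete values below are placeholders.
function Test-UpdateIntegrity {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string]   $ExpectedSha256,     # taken from a signed manifest, never from the download
        [Parameter(Mandatory)] [string[]] $AllowedThumbprints  # pinned signer certificate thumbprints
    )
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "$Path : not found"; return $false }

    # (a) Chain must validate; Valid excludes NotSigned, HashMismatch and UnknownError.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { Write-Warning "$Path : signature status $($sig.Status)"; return $false }

    # (b) Any valid signature is not enough: the signer must be the one we pinned.
    if ($AllowedThumbprints -notcontains $sig.SignerCertificate.Thumbprint) {
        Write-Warning "$Path : unexpected signer $($sig.SignerCertificate.Subject)"; return $false
    }

    # (c) Content must match what the manifest promised, so a swapped binary fails even if signed.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($hash -ne $ExpectedSha256.ToUpperInvariant()) { Write-Warning "$Path : hash mismatch"; return $false }
    return $true
}

# Usage: execute only when every check passes; otherwise keep the file for review.
$update       = 'C:\ProgramData\ExampleVendor\update.exe'   # placeholder path
$manifestHash = 'PLACEHOLDER_SHA256_FROM_SIGNED_MANIFEST'    # placeholder
$pinned       = @('PLACEHOLDER_SIGNER_THUMBPRINT')           # placeholder
if (Test-UpdateIntegrity -Path $update -ExpectedSha256 $manifestHash -AllowedThumbprints $pinned) {
    Start-Process -FilePath $update -Wait
} else {
    Write-Error "Update rejected; quarantine $update for analysis"
}
```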
Tools
- Sysinternals Sigcheck (signature and certificate verification)
- Sysinternals Autoruns (persistence mechanism enumeration)
- Sysinternals Process Monitor (process and network activity tracing)
- Windows PowerShell (Get-AuthenticodeSignature, Get-WinEvent)
- Wireshark (network traffic analysis)
- Huntress EDR / Managed Detection and Response platform
- Microsoft Defender for Endpoint / Advanced Hunting (KQL queries)
- Microsoft Sentinel (SIEM correlation)
- CertUtil (file hash verification)