$10 Domain Could Have Handed Hackers 25k Endpoints, Including in OT and Gov Networks

Malware signed by Dragon Boss Solutions infected 25,000+ endpoints across 124 countries, including 221 universities, 41 OT/critical infrastructure networks, 35 government entities, and multiple Fortune 500 companies. The malware disables AV, persists via scheduled tasks and WMI, and relies on an unregistered update domain (chromsterabrowser[.]com) that any actor could register for ~$10 to push arbitrary code. If that domain were registered by an attacker, all 25k endpoints would become remote code execution targets.

CRITICAL | Advisory | Apr 16, 2026
Action required
Immediately hunt for chromsterabrowser[.]com DNS requests and connections in your network logs. If found, assume compromise: isolate endpoints, capture memory, and scan for AV disablement, scheduled tasks, and WMI event subscriptions. Query for the presence and execution of all binaries signed by Dragon Boss Solutions.
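
As an added example (not part of the original advisory or of any vendor tooling), the DNS hunt described above can be sketched in Python. The log format (timestamp, client IP, query name, query type) and the sample lines are constructed assumptions; only the domain comes from the advisory.

```python
from collections import defaultdict

def normalize(name):
    """Lowercase, refang '[.]' and strip the trailing root dot."""
    return name.lower().replace("[.]", ".").rstrip(".")

# Domain exactly as the advisory writes it (defanged); refanged for matching.
IOC_DOMAIN = normalize("chromsterabrowser[.]com")

# Constructed sample DNS query log; real resolver logs will need their own parser.
SAMPLE_LOG = """\
2026-04-16T08:01:12Z 10.1.4.22 www.chromsterabrowser.com. A
2026-04-16T08:01:15Z 10.1.4.23 www.example.org. A
2026-04-16T08:02:40Z 10.1.7.9 CHROMSTERABROWSER.COM A
2026-04-16T08:03:02Z 10.1.7.10 notchromsterabrowser.com. A
2026-04-16T08:03:30Z 10.1.4.22 chromsterabrowser.com.cdn.example.net. A
truncated-line
"""

def matches_ioc(qname, ioc=IOC_DOMAIN):
    """True for the IoC domain or any subdomain of it.

    Matching on a label boundary avoids the false positives a plain
    substring search produces (prefix lookalikes, IoC used as a left-hand
    label under an unrelated parent domain).
    """
    name = normalize(qname)
    return name == ioc or name.endswith("." + ioc)

def hunt(log_text):
    """Return {client_ip: [(timestamp, qname), ...]} for queries hitting the IoC."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed or truncated lines
        ts, client, qname = fields[0], fields[1], fields[2]
        if matches_ioc(qname):
            hits[client].append((ts, qname))
    return dict(hits)

if __name__ == "__main__":
    # Each client listed here is an endpoint to isolate and triage.
    for client, events in sorted(hunt(SAMPLE_LOG).items()):
        print(client, len(events), "query(ies); first seen", events[0][0])
```

Each client address returned is a candidate for the isolation and triage steps listed above.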
Affected products
Dragon Boss Solutions, Huntress