Apr 16, 2026 • Nate Nelson
'Harmless' Global Adware Transforms Into an AV Killer
Executive Summary
A previously benign-seeming application called Dragon Boss was distributed via a March 2025 update and has evolved into a significant threat capable of disabling antivirus defenses. The malware establishes persistence through Windows scheduled tasks and can exclude subsequent payloads from Windows Defender scanning. This transformation from seemingly harmless adware to an active anti-antivirus tool significantly elevates the risk to endpoint security. Organizations should immediately audit scheduled tasks, verify Windows Defender exclusions, and ensure all software updates are from verified sources. The AV bypass capability means traditional endpoint protection may be insufficient, requiring additional monitoring and network-based detection controls.
Summary
A benign-looking update that Dragon Boss pushed out in March 2025 established persistence via scheduled tasks and arranged for future payloads to be excluded from Windows Defender.
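The audit recommended above, as an added example that is not from the original article or the analysis it reports: a read-only PowerShell script that lists the current Windows Defender exclusions and flags scheduled tasks whose action either runs from an excluded location or edits Defender preferences. The matching rules are assumptions chosen for illustration, not published Dragon Boss indicators.

```powershell
#Requires -RunAsAdministrator
# Added example: correlate Defender exclusions with scheduled-task actions.
# Read-only. Elevation is needed because Defender hides exclusions from
# non-administrators.

function Test-UnderExclusion {
    # Returns the exclusion entry that covers $Path, or $null if none does.
    param([string]$Path, [string[]]$Exclusions)
    foreach ($ex in $Exclusions) {
        $root = $ex.TrimEnd('\')
        if ($Path -ieq $root -or
            $Path.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)) {
            return $ex
        }
    }
    return $null
}

$pref = Get-MpPreference
# Path and process exclusions both name filesystem locations.
$exclusions = (@($pref.ExclusionPath) + @($pref.ExclusionProcess)) |
    Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $exe   = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        $line  = "$exe $($action.Arguments)".Trim()
        $hit   = Test-UnderExclusion -Path $exe -Exclusions $exclusions
        # Assumed heuristic: the task itself adds or changes Defender preferences.
        $edits = $line -match '(Add|Set)-MpPreference'
        if ($hit -or $edits) {
            [pscustomobject]@{
                Task               = $task.TaskPath + $task.TaskName
                Author             = $task.Author
                Command            = $line
                MatchedExclusion   = $hit
                EditsDefenderPrefs = $edits
            }
        }
    }
}

'Defender exclusions (path/process): ' + ($exclusions -join '; ')
'Defender exclusions (extension):    ' + (@($pref.ExclusionExtension) -join '; ')
$findings | Format-List
```

A task that appears here is a lead for review, not a verdict: legitimate software also registers exclusions and scheduled tasks. Commands hidden behind encoded or indirect arguments will not match the preference-editing check.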
Linked Entities
- Dragon Boss