👤 LOGICFALCON
🗓️ 15 Apr 2026   🌍 Middle-East

The $10 Catastrophe: How a Forgotten Domain Nearly Handed Hackers the Keys to 25,000 Critical Systems

A single unregistered domain could have enabled global cybercriminals to silently control tens of thousands of high-value endpoints - including those in government, education, and critical infrastructure.

It started as a routine investigation into browser adware, but what Huntress researchers discovered was a ticking time bomb: a single, unclaimed web domain, available for just $10, that could have handed cybercriminals undetectable control of more than 25,000 computers worldwide - including systems inside electric utilities, government agencies, and universities.

Fast Facts

  • Unregistered domain linked to malware could have enabled remote control over 25,000 endpoints.
  • Targets included 41 operational technology (OT) networks, 35 government entities, and hundreds of educational institutions.
  • The malware disabled antivirus protections, making infected systems defenseless.
  • Infections spanned 124 countries, with the US, France, Canada, UK, and Germany most affected.
  • Researchers sinkholed the domain to prevent widespread exploitation.

The Anatomy of a Near-Miss

At the center of this cyber drama is an innocuous-looking software package, signed by a UAE-based company, Dragon Boss Solutions. Long dismissed as a mere browser hijacker or “potentially unwanted program” (PUP), the software had quietly evolved into a stealthy and highly capable threat.

Starting in March 2025, Huntress analysts observed the malware deploying PowerShell scripts with administrative privileges. These scripts systematically disabled security tools, blocked update servers, and created persistent footholds on infected machines using scheduled tasks and WMI event triggers. The malware even added exceptions in Windows Defender to hide its future payloads, opening the door for more dangerous follow-up attacks like ransomware or cryptomining.

The most chilling aspect, however, lay in its update mechanism. All payload updates were to be fetched from a single domain: chromsterabrowser[.]com. But when Huntress checked, the domain was unregistered - meaning anyone, friend or foe, could buy it for a few dollars and instantly gain command over every compromised endpoint. With antivirus defenses already neutralized, a malicious actor could have silently pushed any code, from espionage tools to destructive malware, across 25,000 systems.
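For defenders who want to check their own Windows fleet for the tampering and persistence patterns described above, here is an added hunt script; it is not Huntress code and not from the article. It assumes an elevated PowerShell session on a host with the Defender and ScheduledTasks modules, uses only the update domain named in this story, and treats the keyword patterns for suspicious PowerShell launches as assumptions to be tuned locally.

```powershell
# Added example (not from the article or Huntress). Run elevated on Windows 10/11/Server.
$UpdateDomain = 'chromsterabrowser.com'   # the unregistered update domain from the story
$Findings = New-Object System.Collections.Generic.List[string]

# 1. Defender tampering: real-time protection switched off, or exclusions that could hide payloads.
#    Exclusions can be legitimate, so each one listed here needs a human to vouch for it.
$Status = Get-MpComputerStatus
if (-not $Status.RealTimeProtectionEnabled) { $Findings.Add('Defender real-time protection is disabled') }
$Pref = Get-MpPreference
foreach ($x in @($Pref.ExclusionPath) + @($Pref.ExclusionProcess) + @($Pref.ExclusionExtension)) {
    if ($x) { $Findings.Add("Defender exclusion present: $x") }
}

# 2. Persistence via WMI permanent event subscriptions: a consumer that launches PowerShell
#    from an event trigger is rare in a clean build and worth inspecting.
$Consumers = Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
foreach ($c in $Consumers) {
    if ($c.CommandLineTemplate -match 'powershell') {   # assumed keyword; tune for your estate
        $Findings.Add("WMI CommandLineEventConsumer '$($c.Name)': $($c.CommandLineTemplate)")
    }
}

# 3. Persistence via scheduled tasks that run PowerShell hidden, encoded, or with policy bypass.
foreach ($t in Get-ScheduledTask) {
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'powershell.*(-enc|-w(indowstyle)?\s+hidden|-ep\s+bypass)') {   # assumed patterns
            $Findings.Add("Scheduled task '$($t.TaskName)' runs: $cmd")
        }
    }
}

# 4. Evidence that this host recently tried to reach the update domain (entries persist until TTL expiry).
$Cache = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$UpdateDomain*" }
foreach ($e in $Cache) { $Findings.Add("DNS cache entry for $($e.Entry) -> $($e.Data)") }

if ($Findings.Count -eq 0) { 'No indicators found on this host' } else { $Findings }
```

A hit on check 4 alone only shows the installed software phoned home; checks 1 to 3 are what distinguish the tampering described in the article from a plain adware install.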

Acting quickly, Huntress registered the domain and set up a “sinkhole” to observe traffic. The results were staggering: connections poured in from 124 countries, including not only ordinary users but also Fortune 500 companies, electric utilities, government offices, and universities. Among the 324 most sensitive networks, 41 were OT environments - systems that control physical infrastructure like power grids and transport.

Security experts warn that while this particular bullet was dodged, the incident exposes a glaring weakness in the software supply chain: how little attention is paid to managing the domains that software depends on. A simple oversight - an unregistered update domain - could have enabled a global cyber disaster, all for the price of a fast-food lunch.

Conclusion

This episode serves as a sobering reminder: in cybersecurity, sometimes the smallest lapses can have the most catastrophic consequences. As organizations scramble to hunt for signs of compromise, the $10 near-miss stands as a cautionary tale about vigilance, supply chain security, and the razor-thin margin between safety and chaos in the digital age.

WIKICROOK

  • Endpoint: An endpoint is any device, such as a computer or smartphone, that connects to a network and must be kept secure and updated to prevent cyber threats.
  • Operational Technology (OT): Operational Technology (OT) includes computer systems that control industrial equipment and processes, often making them more vulnerable than traditional IT systems.
  • Persistence: Persistence involves techniques used by malware to survive reboots and stay hidden on systems, often by mimicking legitimate processes or updates.
  • Sinkhole: A sinkhole is a cybersecurity method that redirects malicious traffic to controlled servers, allowing experts to block attacks and study cyber threats.
  • Indicator of Compromise (IoC): An Indicator of Compromise (IoC) is a clue, like a suspicious file or IP address, that signals a system may have been hacked.
Tags: Cybersecurity, Unregistered Domain, Malware

LOGICFALCON, Log Intelligence Investigator