A digitally signed adware tool has deployed payloads that ran with SYSTEM privileges and disabled antivirus protections on thousands of endpoints, some in the educational, utilities, government, and healthcare sectors.
In a single day, researchers observed more than 23,500 infected hosts in 124 countries trying to connect to the operator’s infrastructure, with hundreds of infected endpoints present in high-value networks.
