Global News | High Priority (9/10)

Researchers Expose $10 Domain Controlling 25,000 Endpoints in Global Hack

Huntress uncovered a threat where a $10 unregistered domain silently controlled over 25,000 endpoints, including sensitive university, OT, and government networks.

Key Points

  • A $10 domain controlled over 25,000 endpoints via a privileged PowerShell payload.
  • Affected networks included universities, OT, government, and healthcare entities.
  • The payload disabled cybersecurity products and blocked their updates.

Full Details

Researchers at Huntress have revealed a sophisticated cyber threat hidden within what appeared to be adware, where a single unregistered domain, available for as little as $10, could have granted malicious actors silent control over more than 25,000 compromised endpoints worldwide. Starting in March 2025, the domain served a PowerShell-based payload that ran with elevated privileges to disable cybersecurity products, block access to their update servers, and prevent reinstallation. Among the observed hosts, 324 belonged to sensitive networks: 221 universities and colleges, 41 operational technology (OT) networks, 35 government entities, and three healthcare organizations. The attack highlights the vulnerability of critical infrastructure to low-cost, high-impact threats, and underscores the need for closer monitoring of domain registrations and stronger endpoint security in sensitive sectors.

Why It Matters

This incident demonstrates how low-cost threats can compromise critical infrastructure, urging stricter domain monitoring and endpoint security protocols.

Source: securityweek.com
