Ethical Hacking News
The threat actor tracked as Dragon Breath has been using a multi-stage loader called RONINGLOADER to deliver a modified Gh0st RAT to Chinese-speaking users. What sets the loader apart is how much of it is devoted to disabling endpoint security products popular in the Chinese market: it arrives inside trojanized installers, abuses Protected Process Light (PPL) to tamper with Microsoft Defender, writes a custom Windows Defender Application Control (WDAC) policy that blocks Qihoo 360 Total Security and Huorong Security, loads a signed driver to terminate security processes, and adds firewall rules that cut Qihoo 360 off from the network. Several of these steps overlap by design, so that the failure of one does not leave a security product running.
The campaign has drawn considerable attention in the security community because of the layering of evasion techniques and redundancies aimed at neutralizing those products. This article walks through the Dragon Breath actor's tactics, techniques, and procedures (TTPs) and what they mean for defenders well beyond China, since none of the tricks involved are specific to the Chinese products they target.
At the heart of the campaign is a modified Gh0st RAT, a long-lived remote access trojan whose source code has circulated openly for years. This variant beacons to a remote server for instructions that let it configure Windows Registry keys, clear Windows Event logs, download and execute files from supplied URLs, alter clipboard data, run commands via "cmd.exe," inject shellcode into "svchost.exe," and execute payloads dropped to disk. It also carries a module that captures keystrokes, clipboard contents, and foreground window titles.
To stay ahead of security software, the actor relies on trojanized NSIS installers masquerading as legitimate applications such as Google Chrome and Microsoft Teams, custom WDAC policies, tampering with the Microsoft Defender binary through PPL abuse, and an "intricate and elusive" infection chain that routes through intermediary redirection domains to fetch ZIP archives from public cloud storage buckets.
The loader also employs two techniques documented earlier this year by security researcher Zero Salarium that abuse PPL and the Windows Error Reporting process "WerFaultSecure.exe" (the latter technique is known as EDR-Freeze) to disable Microsoft Defender Antivirus. Separately, it turns Windows Defender Application Control (WDAC) against the defenders by writing a policy that explicitly denies the binaries of the Chinese security vendors Qihoo 360 Total Security and Huorong Security. Because WDAC is enforced by the kernel's code integrity subsystem, the denied products simply fail to launch once the policy is in effect; no vulnerability in the products themselves is needed, only the administrative rights required to deploy a policy.
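A defender who finds a WDAC policy on a host that is not centrally managed will want to know whether it denies anything that should never be denied. The following Python is added here as an example and is not code from the article, from Elastic or from Microsoft. It parses a policy in its XML form and flags Deny rules whose target is a known security-product image; for a compiled .cip/.p7b, which is binary rather than XML, it falls back to a string scan. The sample policy is constructed for this example, and since the article names only the three Qihoo 360 processes, the Huorong and Defender image names on the watchlist are assumptions.

```python
"""Flag a WDAC (Code Integrity) policy that denies known security-product binaries.

Added example, not code from the article, Elastic or Microsoft. The policy text
below is constructed; the article names only the three Qihoo 360 process names,
so the Huorong and Defender image names are assumptions.
"""
import re
import xml.etree.ElementTree as ET

NS = {"ci": "urn:schemas-microsoft-com:sipolicy"}  # namespace used by WDAC policy XML

WATCHLIST = {
    "360tray.exe", "360safe.exe", "zhudongfangyu.exe",   # Qihoo 360, named in the article
    "hipstray.exe", "hipsmain.exe", "hipsdaemon.exe",     # assumed: Huorong Security
    "msmpeng.exe",                                        # assumed: Defender AV engine
}

# Constructed sample: a base policy that denies two security products and allows all else.
SAMPLE_POLICY_XML = """<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
  <VersionEx>10.0.0.1</VersionEx>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
  </Rules>
  <FileRules>
    <Deny ID="ID_DENY_D_1" FriendlyName="deny 360" FileName="360tray.exe"
          MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_D_2" FriendlyName="deny huorong"
          FilePath="C:\\Program Files\\Huorong\\Sysdiag\\bin\\HipsTray.exe" />
    <Allow ID="ID_ALLOW_ALL" FriendlyName="allow everything else" FileName="*" />
  </FileRules>
</SiPolicy>
"""


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def deny_rules(xml_text: str) -> list:
    """(rule id, target) for every <Deny> file rule, whether by FileName or FilePath."""
    root = ET.fromstring(xml_text)
    rules = []
    for deny in root.iterfind("./ci:FileRules/ci:Deny", NS):
        target = deny.get("FileName") or deny.get("FilePath") or ""
        rules.append((deny.get("ID", ""), target))
    return rules


def flagged_denies(xml_text: str) -> list:
    """Watchlisted image names that the policy explicitly denies."""
    names = {_basename(target) for _, target in deny_rules(xml_text)}
    return sorted(names & WATCHLIST)


def scan_policy_bytes(blob: bytes) -> list:
    """Heuristic for compiled .cip/.p7b policies, which are binary rather than XML:
    look for watchlisted names encoded as ASCII or UTF-16LE, case-insensitively."""
    hits = set()
    for name in WATCHLIST:
        for enc in ("ascii", "utf-16-le"):
            if re.search(re.escape(name.encode(enc)), blob, re.IGNORECASE):
                hits.add(name)
    return sorted(hits)


def assess(data: bytes) -> list:
    """Parse as policy XML when possible, otherwise fall back to the byte scan."""
    try:
        return flagged_denies(data.decode("utf-8"))
    except (UnicodeDecodeError, ET.ParseError):
        return scan_policy_bytes(data)


if __name__ == "__main__":
    print("XML deny rules on the watchlist:", flagged_denies(SAMPLE_POLICY_XML))
    # A UTF-16LE re-encoding stands in for a binary policy that cannot be parsed as XML.
    print("byte-scan hits:", assess(SAMPLE_POLICY_XML.encode("utf-16-le")))
```

The XML path is exact; the byte scan is only a heuristic, and a policy that denies by signer certificate rather than by file name will not match it. Deployed policies live under C:\Windows\System32\CodeIntegrity\ (SIPolicy.p7b for the single-policy format, CiPolicies\Active\*.cip for the multiple-policy format), so those are the files to feed to assess().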
RONINGLOADER itself first tries to elevate its privileges with the runas command, then compares the list of running processes against a hard-coded set of antivirus products. If it finds a Qihoo 360 Total Security process (for example "360tray.exe," "360Safe.exe," or "ZhuDongFangYu.exe"), it switches to a dedicated path: it cuts off all network communication by altering the Windows Firewall and injects shellcode into the Volume Shadow Copy service process (VSSVC.exe) using PoolParty, a process-injection technique that abuses Windows thread-pool internals instead of the classic CreateRemoteThread pattern that security products watch most closely.
The loader also brings a signed driver named "ollama.sys," loads it through a short-lived service called "xererre1," and uses it to terminate three processes from kernel mode, which is how such loaders get past the tamper protection of user-mode security agents. Batch scripts then bypass User Account Control (UAC) and add firewall rules that block inbound and outbound connections for Qihoo 360 components.
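The driver service, the firewall rules, and Gh0st RAT's event-log clearing described above each leave a Windows event behind: System 7045 for the service installation, Windows Firewall 2004 for the new rule, and Security 1102 or System 104 for a cleared log. The following Python is an added example, not code from the article or from Elastic, and runs three checks over constructed event records in the normalized form a SIEM would present. Real EVTX records carry the same field names, but event 2004 encodes Direction and Action as numbers in its raw XML, so the string values used here are an assumption; the user name, file paths and netsh.exe as the modifying application are also assumptions, while "xererre1," "ollama.sys" and "360Tray.exe" come from the article.

```python
"""Detection logic for three host-side signals the article attributes to the campaign:
a kernel driver installed through a throwaway service, a firewall rule that blocks a
security product's own binary, and an event log being cleared.

Added example, not code from the article or Elastic. Events are constructed in a
SIEM-normalized form; the string Direction/Action values, paths and user name are
assumptions. Only "xererre1", "ollama.sys" and "360Tray.exe" come from the article.
"""
import json
import re

SECURITY_IMAGES = {
    "360tray.exe", "360safe.exe", "zhudongfangyu.exe",   # named in the article
    "hipstray.exe", "hipsmain.exe", "msmpeng.exe",       # assumed: Huorong, Defender
}

# Where Windows keeps drivers; ImagePath may be absolute, \SystemRoot-relative or bare.
STANDARD_DRIVER_DIR = re.compile(
    r"^(?:[a-z]:\\windows\\|\\systemroot\\)?system32\\drivers\\", re.I)

# Constructed sample log, one JSON event per line.
SAMPLE_LOG = r"""
{"EventID": 7045, "Channel": "System", "ServiceName": "xererre1", "ServiceType": "kernel mode driver", "ImagePath": "\\??\\C:\\Users\\Public\\ollama.sys"}
{"EventID": 7045, "Channel": "System", "ServiceName": "WdNisDrv", "ServiceType": "kernel mode driver", "ImagePath": "\\SystemRoot\\System32\\drivers\\WdNisDrv.sys"}
{"EventID": 2004, "Channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", "RuleName": "block360", "Direction": "Outbound", "Action": "Block", "ApplicationPath": "C:\\Program Files (x86)\\360\\Total Security\\safemon\\360Tray.exe", "ModifyingApplication": "C:\\Windows\\System32\\netsh.exe"}
{"EventID": 2004, "Channel": "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall", "RuleName": "Microsoft Teams", "Direction": "Inbound", "Action": "Allow", "ApplicationPath": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", "ModifyingApplication": "C:\\Windows\\System32\\svchost.exe"}
{"EventID": 1102, "Channel": "Security", "SubjectUserName": "alice"}
"""


def parse_jsonl(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def _normalize_image_path(path: str) -> str:
    """Strip quotes and the NT-native \\??\\ prefix that service ImagePaths often carry."""
    path = path.strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    return path


def check_driver_install(ev: dict):
    """Event 7045: a .sys registered as a service from outside the drivers directory."""
    if ev.get("EventID") != 7045:
        return None
    path = _normalize_image_path(ev.get("ImagePath", ""))
    if path.lower().endswith(".sys") and not STANDARD_DRIVER_DIR.match(path):
        return f"service {ev.get('ServiceName')!r} loads driver from unusual path {path}"
    return None


def check_firewall_block(ev: dict):
    """Event 2004: a new Block rule whose target is a security product's own binary."""
    if ev.get("EventID") != 2004 or ev.get("Action") != "Block":
        return None
    image = _basename(ev.get("ApplicationPath", ""))
    if image in SECURITY_IMAGES:
        direction = ev.get("Direction", "?").lower()
        return f"rule {ev.get('RuleName')!r} blocks {direction} traffic for {image}"
    return None


def check_log_cleared(ev: dict):
    """Security 1102 / System 104: an event log was cleared."""
    if (ev.get("EventID"), ev.get("Channel")) in {(1102, "Security"), (104, "System")}:
        return f"{ev['Channel']} event log cleared by {ev.get('SubjectUserName', 'unknown')}"
    return None


CHECKS = (check_driver_install, check_firewall_block, check_log_cleared)


def detect(events: list) -> list:
    """Run every check over every event; return (check name, message) pairs in event order."""
    findings = []
    for ev in events:
        for check in CHECKS:
            message = check(ev)
            if message:
                findings.append((check.__name__, message))
    return findings


if __name__ == "__main__":
    for name, message in detect(parse_jsonl(SAMPLE_LOG)):
        print(f"[{name}] {message}")
```

The driver check deliberately keys on the path rather than on the driver's signature: the article's point is that the driver is validly signed, so a signature check would pass it. A blocklist of known-abused driver hashes belongs in front of this check, not in place of it.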
Despite the brand impersonation, this is not a compromise of the real vendors' supply chains: the initial access vector is a trojanized NSIS installer that the actor distributes itself, masquerading as a legitimate application such as Google Chrome or Microsoft Teams. The outer installer is a launchpad for two embedded NSIS installers, one of which ("letsvpnlatest.exe") is benign and installs the legitimate software, so the victim ends up with a working application and little reason to suspect anything.
The second NSIS binary ("Snieoatwtregoable.exe") quietly triggers the attack chain. It drops a DLL and a file named "tp.png," which is not an image but an encrypted blob: the DLL reads the supposed PNG, decrypts it, and extracts shellcode that launches the next binary in memory, so the real payload never sits on disk in a form a file scanner would recognize.
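Files like "tp.png" are cheap to triage: an image extension promises specific leading bytes, and an encrypted blob does not have them. The Python below is an added example rather than anything from the article. It compares the extension's expected magic bytes with the actual header and reports Shannon entropy as a supporting signal, and it generalizes to a few other image formats beyond PNG. The sample bytes are constructed; the only thing taken from the article is that the campaign's "tp.png" is an encrypted payload rather than an image.

```python
"""Triage a file that claims to be an image by its name but not by its bytes.

Added example, not code from the article. The sample blobs are constructed.
"""
import math
import os
from collections import Counter

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_MAGICS = {
    ".png": (PNG_MAGIC,),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(filename: str, data: bytes, entropy_threshold: float = 7.5) -> dict:
    """Compare the extension's expected magic bytes with the actual header and
    measure entropy. The header mismatch is the decisive signal; high entropy
    alone is not, because a genuine PNG is deflate-compressed and scores high too."""
    ext = os.path.splitext(filename)[1].lower()
    expected = IMAGE_MAGICS.get(ext)
    mismatch = bool(expected) and not any(data.startswith(m) for m in expected)
    entropy = round(shannon_entropy(data), 2)
    return {
        "file": filename,
        "magic_mismatch": mismatch,
        "entropy": entropy,
        "high_entropy": entropy >= entropy_threshold,
        "verdict": "masquerade" if mismatch else "header ok",
    }


# Constructed samples. The fake "image" cycles through every byte value uniformly
# (131 is coprime with 256), which is what a well-encrypted payload looks like
# statistically; the second blob has a real PNG signature and IHDR tag, then zeros.
FAKE_PNG = bytes((i * 131 + 7) % 256 for i in range(4096))
REAL_LOOKING_PNG = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + bytes(64)

if __name__ == "__main__":
    for name, blob in (("tp.png", FAKE_PNG), ("logo.png", REAL_LOOKING_PNG)):
        print(triage(name, blob))
```

On a real host the same check is worth running over any installer's extracted payload directory, since the pairing of a loader DLL with a "data file" that fails its own format check is the shape of this stage regardless of which file name the actor chooses next time.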
The RONINGLOADER activity follows two interconnected campaigns earlier in 2025 in which Dragon Breath used "large-scale brand impersonation" to deliver Gh0st RAT to Chinese-speaking users. The first, named Campaign Trio, ran between February and March 2025 and mimicked i4tools, Youdao, and DeepSeek across more than 2,000 domains.
The second, detected in May 2025 and codenamed Campaign Chorus, was more sophisticated, impersonating more than 40 applications including QQ Music and the Sogou browser.
Elastic Security Labs, which documented the loader, noted that Dragon Breath has advanced from simple droppers to complex, multi-stage infection chains that misuse legitimate, signed software to bypass modern defenses.
For defenders the practical lesson is that the loader's loudest behaviors are also its most detectable. A WDAC policy appearing on a host that is not centrally managed, a kernel driver installed through a throwaway service, a firewall rule that names a security product's own binaries, and WerFaultSecure.exe being turned against Defender are each observable before Gh0st RAT is ever launched, and none of them depends on which vendor is being targeted.
Dragon Breath's use of RONINGLOADER to disable security tools and deploy Gh0st RAT is a genuine escalation over the actor's earlier droppers. Organizations should treat these pre-payload steps as high-fidelity detection opportunities rather than wait for the final payload to show itself.
Related Information:
https://www.ethicalhackingnews.com/articles/A-Multistage-Malware-Campaign-How-Dragon-Breath-Utilizes-RONINGLOADER-to-Disable-Security-Tools-and-Deploy-Gh0st-RAT-ehn.shtml
https://thehackernews.com/2025/11/dragon-breath-uses-roningloader-to.html
https://gbhackers.com/roningloader/
Published: Mon Nov 17 06:04:57 2025 by llama3.2 3B Q4_K_M