The menace actor referred to as Dragon Breath has been noticed making use of a multi-stage loader codenamed RONINGLOADER to ship a modified variant of a distant entry trojan referred to as Gh0st RAT.
The marketing campaign, which is primarily aimed toward Chinese language-speaking customers, employs trojanized NSIS installers masquerading as reliable like Google Chrome and Microsoft Groups, in keeping with Elastic Safety Labs.
“The an infection chain employs a multi-stage supply mechanism that leverages varied evasion methods, with many redundancies aimed toward neutralising endpoint safety merchandise standard within the Chinese language market,” safety researchers Jia Yu Chan and Salim Bitam stated. “These embrace bringing a legitimately signed driver, deploying customized WDAC insurance policies, and tampering with the Microsoft Defender binary by PPL [Protected Process Light] abuse.”
Dragon Breath, often known as APT-Q-27 and Golden Eye, was beforehand highlighted by Sophos in Might 2023 in reference to a marketing campaign that leveraged a method referred to as double-dip DLL side-loading in assaults focusing on customers within the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China.
The hacking group, assessed to be lively since at the very least 2020, is linked to a bigger Chinese language-speaking entity tracked as Miuuti Group that is identified for attacking the net gaming and playing industries.
Within the newest marketing campaign documented by Elastic Safety Labs, the malicious NSIS installers for trusted purposes act as a launchpad for 2 extra embedded NSIS installers, one in all which (“letsvpnlatest.exe”) is benign and installs the reliable software program. The second NSIS binary (“Snieoatwtregoable.exe”) is liable for stealthily triggering the assault chain.
This includes delivering a DLL and an encrypted file (“tp.png”), with the previous used to learn the contents of the supposed PNG picture and extract shellcode designed to launch one other binary in reminiscence.
RONINGLOADER, in addition to making an attempt to take away any userland hooks by loading a recent new “ntdll.dll,” tries to raise its privileges by utilizing the runas command and scans an inventory of operating processes for hard-coded antivirus-related options, comparable to Microsoft Defender Antivirus, Kingsoft Web Safety, Tencent PC Supervisor, and Qihoo 360 Complete Safety.
The malware then proceeds to terminate these recognized processes. Within the occasion the recognized course of is related to Qihoo 360 Complete Safety (e.g., “360tray.exe,” “360Safe.exe,” or “ZhuDongFangYu.exe”), it takes a special method. This step includes the next sequence of actions –
Block all community communication by altering the firewall
Inject shellcode into the method (vssvc.exe) related to the Quantity Shadow Copy (VSS) service, however not earlier than granting itself the SeDebugPrivilege token
Begin the VSS service and get its course of ID
Inject shellcode into the VSS service course of utilizing the method referred to as PoolParty
Load and make use of a signed driver named “ollama.sys” to terminate the three processes by the use of a brief service referred to as “xererre1”
Restore the firewall settings
For different safety processes, the loader immediately writes the motive force to disk and creates a brief service referred to as “ollama” to load the motive force, carry out course of termination, and cease and delete the service.
RONINGLOADER Execution circulation
As soon as all safety processes have been killed on the contaminated host, RONINGLOADER runs batch scripts to bypass Consumer Account Management (UAC) and create firewall guidelines to dam inbound and outbound connections related to Qihoo 360 safety software program.
The malware has additionally been noticed utilizing two methods documented earlier this 12 months by safety researcher Zero Salarium that abuse PPL and the Home windows Error Reporting (“WerFaultSecure.exe”) system (aka EDR-Freeze) to disable Microsoft Defender Antivirus. Moreover, it targets Home windows Defender Utility Management (WDAC) by writing a malicious coverage that explicitly blocks Chinese language safety distributors Qihoo 360 Complete Safety and Huorong Safety.
The tip objective of the loader is to inject a rogue DLL into “regsvr32.exe,” a reliable Home windows binary, to hide its exercise and launch a next-stage payload into one other reliable, high-privilege system course of like “TrustedInstaller.exe” or “elevation_service.exe.” The ultimate malware deployed is a modified model of Gh0st RAT.
The Trojan is designed to speak with a distant server to fetch further directions that enable it to configure Home windows Registry keys, clear Home windows Occasion logs, obtain and execute information from supplied URLs, alter clipboard knowledge, run instructions through “cmd.exe,” inject shellcode into “svchost.exe,” and execute payloads dropped to disk. The variant additionally implements a module that captures keystrokes, clipboard contents, and foreground window titles.
Model Impersonation Campaigns Goal Chinese language Audio system with Gh0st RAT
The disclosure comes as Palo Alto Networks Unit 42 stated it recognized two interconnected malware campaigns which have employed “large-scale model impersonation” to ship Gh0st RAT to Chinese language-speaking customers. The exercise has not been attributed to any identified menace actor or group.
Whereas the primary marketing campaign – named Marketing campaign Trio – came about between February and March 2025 by mimicking i4tools, Youdao, and DeepSeek throughout over 2,000 domains, the second marketing campaign, detected in Might 2025, is alleged to have been extra refined, impersonating greater than 40 purposes, together with QQ Music and Sogou browser. The second wave has been codenamed Marketing campaign Refrain.
“From the primary marketing campaign to the second, the adversary superior from easy droppers to advanced, multi-stage an infection chains that misuse reliable, signed software program to bypass fashionable defenses,” safety researchers Keerthiraj Nagaraj, Vishwa Thothathri, Nabeel Mohamed, and Reethika Ramesh stated.
The domains have been discovered to host ZIP archives containing the trojanized installers, finally paving the best way for the deployment of Gh0st RAT. The second marketing campaign, nonetheless, not solely leverages extra software program applications as lures to succeed in a wider demographic of Chinese language audio system, but additionally employs an “intricate and elusive” an infection chain utilizing middleman redirection domains to fetch the ZIP archives from public cloud service buckets.
Marketing campaign Refrain Assault Chain
In doing so, the method can bypass community filters which are able to blocking site visitors from unknown domains, to not point out the menace actor’s operational resilience. The MSI installer, on this case, additionally runs an embedded Visible Fundamental Script that is liable for decrypting and launching the ultimate payload by the use of DLL side-loading.
“The parallel operation of each previous and new infrastructure by sustained exercise suggests an operation that’s not merely evolving however consists of a number of infrastructures and distinct device units concurrently,” the researchers stated. “This might point out A/B testing of TTPs, focusing on totally different sufferer units with totally different ranges of complexity, or just a cheap technique of constant to leverage older property so long as they continue to be efficient.”
