The threat actor known as DragonBreath has launched a new campaign that deploys a multi-stage malware loader named RoningLoader. The campaign targets Chinese-speaking users, delivering the loader inside installers that impersonate legitimate applications such as Google Chrome and Microsoft Teams.
Advanced Evasion Techniques
RoningLoader's defining feature is its layered evasion: DLL side-loading, in-memory code injection, and a legitimately signed kernel driver used to silently disable security software. Elastic Security Labs first documented the loader in November 2025 and noted that it specifically goes after endpoint security products that are popular in China.
The malware is delivered through trojanized installers built with NSIS (Nullsoft Scriptable Install System), a legitimate installer framework that attackers frequently abuse. When run, the installer quietly drops a malicious DLL, which is brought into a trusted process via side-loading, together with an encrypted payload disguised as a PNG image. The "image" holds shellcode that is decrypted and executed in memory, so the later stages of the attack leave very little on disk.
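A decoy "PNG" that is really an encrypted blob is a recurring pattern, and a quick structural check catches it regardless of which cipher the loader uses. The script below is an added triage example written for this article; it is not code from Elastic, AttackIQ, or the malware itself, and it assumes nothing about RoningLoader's encryption. It walks the PNG chunk stream, verifies each chunk's CRC, checks that nothing follows the IEND chunk, and reports the entropy of whatever part of the file does not belong to a real image. The sample files are constructed inline: a valid 1x1 PNG, a fake payload built from SHA-256 output, and a valid image with the payload appended.

```python
import hashlib
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the ceiling for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def walk_png(data: bytes):
    """Parse the chunk stream. Returns (well_formed, bytes_after_iend, reason)."""
    if not data.startswith(PNG_SIG):
        return False, len(data), "missing PNG signature"
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start = pos + 8
        crc_start = body_start + length
        chunk_end = crc_start + 4
        if chunk_end > len(data):
            return False, 0, f"truncated chunk {ctype!r}"
        body = data[body_start:crc_start]
        (crc,) = struct.unpack(">I", data[crc_start:chunk_end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False, 0, f"bad CRC in chunk {ctype!r}"
        pos = chunk_end
        if ctype == b"IEND":
            # A genuine image ends here; anything after IEND is foreign data.
            return True, len(data) - pos, "well-formed"
    return False, 0, "no IEND chunk"


def triage_png(data: bytes) -> dict:
    """Classify a .png file as clean or suspicious from its structure and entropy."""
    ok, trailing, reason = walk_png(data)
    if not ok:
        verdict, blob = "suspicious", data          # whole file is opaque
    elif trailing:
        verdict, blob = "suspicious", data[-trailing:]
        reason = f"{trailing} bytes after IEND"
    else:
        verdict, blob = "clean", data
    return {"verdict": verdict, "reason": reason,
            "entropy": round(shannon_entropy(blob), 2)}


# --- constructed samples (not real malware artefacts) ---------------------

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def make_minimal_png() -> bytes:
    """A valid 1x1 greyscale PNG used as the clean reference."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def make_fake_payload(n: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted shellcode blob."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]


if __name__ == "__main__":
    for label, sample in [("clean", make_minimal_png()),
                          ("fake", make_fake_payload()),
                          ("appended", make_minimal_png() + make_fake_payload())]:
        print(label, triage_png(sample))
```

Entropy alone is a weak signal, since the compressed IDAT data of a real image is also high-entropy; the structural checks (signature, CRCs, nothing after IEND) are what separate a decoy from a photo, and the entropy figure just tells you whether the foreign bytes look encrypted or compressed.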
Post-Compromise Activities
Researchers at AttackIQ have mapped RoningLoader's post-compromise behaviour to the MITRE ATT&CK framework. Their analysis describes a threat built with redundant evasion layers, so that the loss of any one of them (a blocked driver load, a detected injection) does not stop the operation.
Beyond loading its payload, RoningLoader actively disables security products including Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. It does this by loading a legitimately signed kernel driver and using it to terminate the products' processes from kernel mode. Because the driver carries a valid signature it loads on a default Windows install without tripping Driver Signature Enforcement, and because the kill happens in the kernel, the user-mode self-protection and tamper-protection hooks those products rely on do not stop it.
Implications and Global Reach
In its final stage, RoningLoader deploys a modified build of gh0st RAT, giving the attackers full remote access for data theft, lateral movement, and long-term espionage. DragonBreath, also tracked as APT-Q-27, has been active since at least 2020 and frequently targets the online gaming and gambling sectors across China, Taiwan, Hong Kong, Japan, Singapore, and the Philippines.
The group has steadily refined its tooling, and RoningLoader is its most technically capable campaign to date.
Security Recommendations
Security teams should monitor for DLLs loaded by trusted, signed Windows executables from paths outside the Windows directories (the signature of side-loading) and flag regsvr32.exe launches whose parent process is not an interactive shell such as explorer.exe. Alerts should also cover writes to the User Account Control values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop), unexpected service and driver installations (System event ID 7045, Security event ID 4697), and token privilege adjustments (Security event ID 4703).
Regularly validating security controls against RoningLoader's documented tactics, techniques, and procedures through adversary emulation helps identify detection and prevention gaps before a real intrusion does.
