The threat actor known as Dragon Breath has recently been observed utilizing a sophisticated multi-stage loader, codenamed RONINGLOADER, to deploy a modified variant of the notorious remote access trojan, Gh0st RAT. This campaign primarily targets Chinese-speaking users and employs trojanized NSIS installers disguised as legitimate applications, such as Google Chrome and Microsoft Teams, as reported by Elastic Security Labs.
According to security researchers Jia Yu Chan and Salim Bitam, “The infection chain employs a multi-stage delivery mechanism that leverages various evasion techniques, with many redundancies aimed at neutralizing endpoint security products popular in the Chinese market.” The techniques include using a legitimately signed driver, deploying custom Windows Defender Application Control (WDAC) policies, and manipulating the Microsoft Defender binary through Protected Process Light (PPL) abuse.
Dragon Breath, also referred to as APT-Q-27 and Golden Eye, was previously highlighted by Sophos in May 2023 for its involvement in a campaign that utilized double-dip DLL side-loading techniques to target users across the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China. Active since at least 2020, this hacking group is linked to a broader Chinese-speaking entity known as the Miuuti Group, which has a history of attacking the online gaming and gambling sectors.
RONINGLOADER’s Intricate Mechanism
In the latest campaign documented by Elastic Security Labs, the malicious NSIS installers for trusted applications serve as a launchpad for two additional embedded NSIS installers. One of these, named “letsvpnlatest.exe,” is benign and installs legitimate software, while the other, “Snieoatwtregoable.exe,” stealthily initiates the attack chain.
This attack chain involves delivering a DLL and an encrypted file labeled “tp.png.” The DLL is designed to read the contents of the seemingly innocuous PNG image and extract shellcode intended to launch another binary in memory. RONINGLOADER attempts to eliminate any userland hooks by loading a fresh “ntdll.dll” and seeks to elevate its privileges using the runas command. It also scans for running processes associated with popular antivirus solutions in the region, including Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security, proceeding to terminate those identified processes.
In cases where the identified process is linked to Qihoo 360 Total Security, RONINGLOADER executes a series of specific actions:
- Block all network communication by modifying the firewall settings.
- Inject shellcode into the Volume Shadow Copy (VSS) service process (vssvc.exe) after acquiring the SeDebugPrivilege token.
- Start the VSS service and obtain its process ID.
- Inject shellcode into the VSS service process using the PoolParty technique.
- Utilize a signed driver named “ollama.sys” to terminate three specific processes through a temporary service called “xererre1.”
- Restore the firewall settings to their original state.
For other security processes, RONINGLOADER directly writes the driver to disk and creates a temporary service named “ollama” to load the driver, perform process termination, and subsequently stop and delete the service. Once all security processes on the infected host have been neutralized, RONINGLOADER executes batch scripts to bypass User Account Control (UAC) and establish firewall rules that block all inbound and outbound connections associated with Qihoo 360 security software.
The malware has also been noted for employing techniques documented earlier this year by security researcher Zero Salarium, which exploit PPL and the Windows Error Reporting (WerFaultSecure.exe) system to disable Microsoft Defender Antivirus. Furthermore, it targets Windows Defender Application Control (WDAC) by writing a malicious policy that explicitly blocks Chinese security vendors Qihoo 360 Total Security and Huorong Security.
The ultimate objective of RONINGLOADER is to inject a rogue DLL into “regsvr32.exe,” a legitimate Windows binary, thereby concealing its activities and launching a next-stage payload into another high-privilege system process such as “TrustedInstaller.exe” or “elevation_service.exe.” The final malware deployed is a modified version of Gh0st RAT, designed to communicate with a remote server to fetch further instructions. This allows it to configure Windows Registry keys, clear Windows Event logs, download and execute files from specified URLs, alter clipboard data, run commands via “cmd.exe,” inject shellcode into “svchost.exe,” and execute payloads dropped to disk. Additionally, this variant incorporates a module that captures keystrokes, clipboard contents, and foreground window titles.
Brand Impersonation Campaigns Target Chinese Speakers with Gh0st RAT
The recent disclosure coincides with findings from Palo Alto Networks Unit 42, which identified two interconnected malware campaigns that employed large-scale brand impersonation to deliver Gh0st RAT to Chinese-speaking users. Notably, these activities have not been attributed to any known threat actor or group.
The first campaign, dubbed Campaign Trio, occurred between February and March 2025, mimicking applications such as i4tools, Youdao, and DeepSeek across over 2,000 domains. The second campaign, detected in May 2025, exhibited a higher level of sophistication, impersonating more than 40 applications, including QQ Music and the Sogou browser, and has been labeled Campaign Chorus.
Researchers Keerthiraj Nagaraj, Vishwa Thothathri, Nabeel Mohamed, and Reethika Ramesh noted, “From the first campaign to the second, the adversary advanced from simple droppers to complex, multi-stage infection chains that misuse legitimate, signed software to bypass modern defenses.” The domains associated with these campaigns have been found to host ZIP archives containing the trojanized installers, ultimately facilitating the deployment of Gh0st RAT.
The second campaign not only leverages a broader array of software programs as lures to reach a wider demographic of Chinese speakers but also employs an intricate and elusive infection chain utilizing intermediary redirection domains to retrieve ZIP archives from public cloud service buckets. This method effectively circumvents network filters capable of blocking traffic from unknown domains, showcasing the threat actor’s operational resilience.
In this scenario, the MSI installer also executes an embedded Visual Basic Script responsible for decrypting and launching the final payload through DLL side-loading. The parallel operation of both old and new infrastructures suggests an evolving operation that encompasses multiple infrastructures and distinct tool sets simultaneously. This could indicate A/B testing of tactics, techniques, and procedures (TTPs), targeting different victim sets with varying levels of complexity, or simply a cost-effective strategy of continuing to leverage older assets as long as they remain effective.
