
The threat actor known as Dragon Breath has been observed making use of a multi-stage loader codenamed RONINGLOADER to deliver a modified variant of a remote access trojan called Gh0st RAT.
The campaign, which is primarily aimed at Chinese-speaking users, employs trojanized NSIS installers masquerading as legitimate software like Google Chrome and Microsoft Teams, according to Elastic Security Labs.
“The infection chain employs a multi-stage delivery mechanism that leverages various evasion techniques, with many redundancies aimed at neutralising endpoint security products popular in the Chinese market,” security researchers Jia Yu Chan and Salim Bitam said. “These include bringing a legitimately signed driver, deploying custom WDAC policies, and tampering with the Microsoft Defender binary through PPL [Protected Process Light] abuse.”
Dragon Breath, also known as APT-Q-27 and Golden Eye, was previously highlighted by Sophos in May 2023 in connection with a campaign that leveraged a technique called double-dip DLL side-loading in attacks targeting users in the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China.
The hacking group, assessed to be active since at least 2020, is linked to a larger Chinese-speaking entity tracked as Miuuti Group that’s known for attacking the online gaming and gambling industries.
In the latest campaign documented by Elastic Security Labs, the malicious NSIS installers for trusted applications act as a launchpad for two more embedded NSIS installers, one of which (“letsvpnlatest.exe”) is benign and installs the legitimate software. The second NSIS binary (“Snieoatwtregoable.exe”) is responsible for stealthily triggering the attack chain.

This involves delivering a DLL and an encrypted file (“tp.png”), with the former used to read the contents of the supposed PNG image and extract shellcode designed to launch another binary in memory.
RONINGLOADER, besides attempting to remove any userland hooks by loading a fresh copy of “ntdll.dll,” tries to elevate its privileges by using the runas command and scans the list of running processes for hard-coded antivirus-related solutions, such as Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security.
The malware then proceeds to terminate those identified processes. In the event the identified process is associated with Qihoo 360 Total Security (e.g., “360tray.exe,” “360Safe.exe,” or “ZhuDongFangYu.exe”), it takes a different approach. This step involves the following sequence of actions:
- Block all network communication by changing the firewall
- Inject shellcode into the process (vssvc.exe) associated with the Volume Shadow Copy (VSS) service, but not before granting itself the SeDebugPrivilege token
- Start the VSS service and get its process ID
- Inject shellcode into the VSS service process using the technique called PoolParty
- Load and make use of a signed driver named “ollama.sys” to terminate the three processes by means of a temporary service called “xererre1”
- Restore the firewall settings
For other security processes, the loader directly writes the driver to disk and creates a temporary service called “ollama” to load the driver, perform process termination, and stop and delete the service.
[Figure: RONINGLOADER execution flow]
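A defender-side check for the driver-loading step described above, added here as an example and not code from Elastic Security Labs: it parses constructed, simplified Windows System-log 7045 (“A service was installed in the system”) records (the pipe-separated field layout is an assumption; real exports differ) and flags kernel-driver services whose name or driver file matches those reported (“ollama”, “xererre1”, “ollama.sys”), or whose driver is loaded from outside the usual drivers directory.

```python
"""Flag 7045 service-install records resembling RONINGLOADER's driver-loading
step. Added example, not code from Elastic's report; the log format below is a
constructed simplification: time|event_id|service_name|image_path|service_type."""
import re

SUSPECT_SERVICE_NAMES = {"ollama", "xererre1"}        # service names from the report
SUSPECT_DRIVER_FILES = {"ollama.sys"}                 # abused signed driver from the report
EXPECTED_DRIVER_DIR = r"c:\windows\system32\drivers"  # assumed normal driver location

# Constructed sample records (not real telemetry); only the two middle kernel
# drivers should be flagged.
SAMPLE_LOG = """\
2025-11-10T09:14:02|7045|KSCore|C:\\Windows\\System32\\drivers\\kscore.sys|kernel mode driver
2025-11-10T09:20:11|7045|ollama|C:\\Users\\Public\\ollama.sys|kernel mode driver
2025-11-10T09:21:40|7045|Updater|C:\\Program Files\\App\\updater.exe|user mode service
2025-11-10T09:25:03|7045|xererre1|C:\\ProgramData\\cache\\drv.sys|kernel mode driver
2025-11-10T09:30:00|7045|wdfilter|C:\\Windows\\System32\\drivers\\WdFilter.sys|kernel mode driver
"""

LINE_RE = re.compile(r"^(?P<time>[^|]+)\|(?P<eid>\d+)\|(?P<name>[^|]*)\|(?P<path>[^|]*)\|(?P<stype>[^|]*)$")

def parse_7045(log: str) -> list[dict]:
    """Return parsed 7045 records, silently skipping malformed or other-ID lines."""
    recs = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("eid") == "7045":
            recs.append(m.groupdict())
    return recs

def reasons_for(rec: dict) -> list[str]:
    """List why a record looks like the reported driver-loading step (empty = benign)."""
    reasons = []
    if "kernel mode driver" not in rec["stype"].lower():
        return reasons  # user-mode services are out of scope for this step
    name = rec["name"].lower()
    path = rec["path"].lower().replace("/", "\\")
    file_name = path.rsplit("\\", 1)[-1]
    if name in SUSPECT_SERVICE_NAMES:
        reasons.append(f"service name '{rec['name']}' matches reported loader service")
    if file_name in SUSPECT_DRIVER_FILES:
        reasons.append(f"driver file '{file_name}' matches reported abused driver")
    if not path.startswith(EXPECTED_DRIVER_DIR):
        reasons.append(f"kernel driver loaded from unusual path '{rec['path']}'")
    return reasons

def find_suspicious_driver_services(log: str) -> dict[str, list[str]]:
    """Map flagged service name -> reasons, for every kernel-driver install in the log."""
    return {r["name"]: reasons_for(r) for r in parse_7045(log) if reasons_for(r)}
```

The path heuristic catches a renamed driver or service name; the name and file checks alone would miss both.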
Once all security processes have been killed on the infected host, RONINGLOADER runs batch scripts to bypass User Account Control (UAC) and create firewall rules to block inbound and outbound connections associated with Qihoo 360 security software.
The malware has also been observed using two techniques documented earlier this year by security researcher Zero Salarium that abuse PPL and the Windows Error Reporting (“WerFaultSecure.exe”) system (aka EDR-Freeze) to disable Microsoft Defender Antivirus. Furthermore, it targets Windows Defender Application Control (WDAC) by writing a malicious policy that explicitly blocks Chinese security vendors Qihoo 360 Total Security and Huorong Security.
The end goal of the loader is to inject a rogue DLL into “regsvr32.exe,” a legitimate Windows binary, to conceal its activity and launch a next-stage payload into another legitimate, high-privilege system process like “TrustedInstaller.exe” or “elevation_service.exe.” The final malware deployed is a modified version of Gh0st RAT.
The Trojan is designed to communicate with a remote server to fetch additional instructions that allow it to configure Windows Registry keys, clear Windows Event logs, download and execute files from provided URLs, alter clipboard data, run commands via “cmd.exe,” inject shellcode into “svchost.exe,” and execute payloads dropped to disk. The variant also implements a module that captures keystrokes, clipboard contents, and foreground window titles.
Brand Impersonation Campaigns Target Chinese Speakers with Gh0st RAT
The disclosure comes as Palo Alto Networks Unit 42 said it identified two interconnected malware campaigns that have employed “large-scale brand impersonation” to deliver Gh0st RAT to Chinese-speaking users. The activity has not been attributed to any known threat actor or group.

While the first campaign – named Campaign Trio – took place between February and March 2025 by mimicking i4tools, Youdao, and DeepSeek across over 2,000 domains, the second campaign, detected in May 2025, is said to have been more sophisticated, impersonating more than 40 applications, including QQ Music and Sogou browser. The second wave has been codenamed Campaign Chorus.
“From the first campaign to the second, the adversary advanced from simple droppers to complex, multi-stage infection chains that misuse legitimate, signed software to bypass modern defenses,” security researchers Keerthiraj Nagaraj, Vishwa Thothathri, Nabeel Mohamed, and Reethika Ramesh said.
The domains have been found to host ZIP archives containing the trojanized installers, ultimately paving the way for the deployment of Gh0st RAT. The second campaign, however, not only leverages more software programs as lures to reach a wider demographic of Chinese speakers, but also employs an “intricate and elusive” infection chain using intermediary redirection domains to fetch the ZIP archives from public cloud service buckets.
[Figure: Campaign Chorus attack chain]
In doing so, the approach can bypass network filters capable of blocking traffic from unknown domains, while also improving the threat actor’s operational resilience. The MSI installer, in this case, also runs an embedded Visual Basic Script that’s responsible for decrypting and launching the final payload by means of DLL side-loading.
“The parallel operation of both old and new infrastructure through sustained activity suggests an operation that is not merely evolving but consists of multiple infrastructures and distinct tool sets simultaneously,” the researchers said. “This could indicate A/B testing of TTPs, targeting different victim sets with different levels of complexity, or simply a cost-effective strategy of continuing to leverage older assets as long as they remain effective.”