
An attacker known as Dragon Breath has been observed leveraging a multi-stage loader known by the codename RONINGLOADER to deliver a modified variant of the remote access Trojan known as Gh0st RAT.
According to Elastic Security Labs, the campaign primarily targets Chinese-speaking users and uses trojanized NSIS installers disguised as legitimate versions such as Google Chrome and Microsoft Teams.
Security researchers Jia Yu Chan and Salim Bitam said: “The infection chain employs a multi-stage delivery mechanism that leverages various evasion techniques and includes many redundancies aimed at neutralizing popular endpoint security products in the Chinese market. These include deploying legitimately signed drivers, deploying custom WDAC policies, and tampering with Microsoft Defender binaries via PPL [Protected Process Light] abuse.”
Dragon Breath, also known as APT-Q-27 and Golden Eye, was previously noted by Sophos in May 2023 in connection with a campaign that utilized a technique known as double-dip DLL sideloading in attacks targeting users in the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China.
The hacker group is estimated to have been active since at least 2020 and is associated with a larger Chinese-speaking organization tracked as Miuuti Group, known for attacking the online gaming and gambling industry.
In the latest campaign documented by Elastic Security Labs, a malicious NSIS installer for a trusted application acts as a launch pad for two additional built-in NSIS installers, one of which (‘letsvpnlatest.exe’) installs benign, legitimate software. The second NSIS binary (‘Snieoatwtregoable.exe’) is responsible for secretly triggering the attack chain.

This includes dropping DLLs and encrypted files (“tp.png”); the DLLs are used to extract shellcode that reads the contents of the PNG image and launches another binary in memory.
In addition to attempting to remove userland hooks by loading a new ‘ntdll.dll’, RONINGLOADER attempts to elevate privileges using the runas command and scans the list of running processes for hardcoded antivirus-related solutions such as Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security.
The malware then terminates the identified process. A different approach is taken if the identified process is associated with Qihoo 360 Total Security (e.g. ‘360tray.exe’, ‘360Safe.exe’, ‘ZhuDongFangYu.exe’). This step includes the following series of actions:
1. Modify the firewall to block all network communication.
2. Grant itself the SeDebugPrivilege token, a prerequisite for injecting into the process (vssvc.exe) associated with the Volume Shadow Copy (VSS) service.
3. Start the VSS service and obtain its process ID.
4. Inject shellcode into the VSS service process using a technique called PoolParty.
5. Use a signed driver named ‘ollama.sys’, loaded through a temporary service, to terminate the three processes.
6. Restore the “xererre1” firewall settings.
For other security processes, the loader writes drivers directly to disk, loads drivers, performs process termination, and creates a temporary service called “ollama” to stop and remove services.
RONINGLOADER execution flow
Once all security processes on the infected host are killed, RONINGLOADER runs a batch script to bypass User Account Control (UAC) and create firewall rules that block incoming and outgoing connections related to Qihoo 360 security software.
The malware has also been observed using two techniques documented earlier this year by security researcher Zero Salarium to exploit PPL and the Windows Error Reporting (‘WerFaultSecure.exe’) system (also known as EDR-Freeze) to disable Microsoft Defender Antivirus. Additionally, it targets Windows Defender Application Control (WDAC) by creating malicious policies that explicitly block Chinese security vendors Qihoo 360 Total Security and Huorong Security.
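The defence-evasion steps described above (the temporary service loading ‘ollama.sys’, termination of the 360 processes, firewall rules aimed at 360, and the custom WDAC policy) leave separate host artefacts that are individually noisy but rarely co-occur. The following added example, not code from Elastic or the article, correlates constructed event records per host and alerts only when two or more of those indicators land inside one time window; the event-dict shapes, host names, timestamps and file paths are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Process names and artefacts come from the report; event-dict shapes, hosts,
# timestamps and paths are constructed assumptions for this demo.
SECURITY_PROCS = {"360tray.exe", "360safe.exe", "zhudongfangyu.exe"}
DRIVER_RE = re.compile(r"\\ollama\.sys$", re.I)
FIREWALL_RE = re.compile(r"netsh\s+advfirewall\b.*\baction=block\b", re.I)
WDAC_RE = re.compile(r"\\CodeIntegrity\\CiPolicies\\Active\\[^\\]+\.cip$", re.I)

def classify(ev):
    """Map one event dict to an indicator from the reported chain, or None."""
    kind = ev["type"]
    if kind == "service_install" and DRIVER_RE.search(ev.get("image_path", "")):
        return "signed_driver_service"   # temporary 'ollama' service loading ollama.sys
    if kind == "process_terminate" and ev.get("image", "").rsplit("\\", 1)[-1].lower() in SECURITY_PROCS:
        return "security_process_kill"   # a Qihoo 360 process went away
    if kind == "process_create" and FIREWALL_RE.search(ev.get("cmdline", "")) and "360" in ev["cmdline"]:
        return "firewall_block_360"      # rules cutting 360 off from the network
    if kind == "file_write" and WDAC_RE.search(ev.get("path", "")):
        return "wdac_policy_write"       # custom WDAC policy dropped into the active set
    return None

def detect_chain(events, window_minutes=10, min_indicators=2):
    """Per host, report >= min_indicators distinct indicators inside one window."""
    per_host = defaultdict(list)
    for ev in events:
        tag = classify(ev)
        if tag:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tag))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {tag for t, tag in hits[i:] if t - t0 <= timedelta(minutes=window_minutes)}
            if len(seen) >= min_indicators:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed sample telemetry: ws01 shows the chain, ws02 only a lone process exit.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2025-11-01T10:00:00", "type": "service_install", "name": "ollama", "image_path": r"C:\Windows\Temp\ollama.sys"},
    {"host": "ws01", "ts": "2025-11-01T10:00:05", "type": "process_terminate", "image": r"C:\Program Files\360\Total Security\safemon\ZhuDongFangYu.exe"},
    {"host": "ws01", "ts": "2025-11-01T10:00:09", "type": "process_create",
     "cmdline": r'netsh advfirewall firewall add rule name="blk" dir=out action=block program="C:\Program Files\360\360Safe\360tray.exe"'},
    {"host": "ws01", "ts": "2025-11-01T10:01:00", "type": "file_write", "path": r"C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{PLACEHOLDER-GUID}.cip"},
    {"host": "ws02", "ts": "2025-11-01T11:00:00", "type": "process_terminate", "image": r"C:\Program Files\360\360Safe\360tray.exe"},
]
```

Running `detect_chain(SAMPLE_EVENTS)` flags only ws01; the lone process exit on ws02 stays below the threshold, which is the point of correlating rather than alerting on any single artefact.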
The loader’s ultimate goal is to inject a malicious DLL into the legitimate Windows binary “regsvr32.exe” to hide its activity and launch the next stage payload into another legitimate high-privileged system process such as “TrustedInstaller.exe” or “elevation_service.exe.” The final malware introduced is a modified version of the Gh0st RAT.
The Trojan is designed to communicate with a remote server to obtain additional instructions that allow it to configure Windows registry keys, clear Windows event logs, download and execute files from specified URLs, modify clipboard data, execute commands with ‘cmd.exe’, inject shellcode into ‘svchost.exe’, and execute payloads dropped to disk. This variant also implements modules that capture keystrokes, clipboard contents, and foreground window titles.
Brand impersonation campaign targeting Chinese speakers using Gh0st RAT
The disclosure comes after Palo Alto Networks Unit 42 announced it had identified two interconnected malware campaigns that used “extensive brand impersonation” to distribute the Gh0st RAT to Chinese-speaking users. This activity is not attributed to any known attacker or group.

The first campaign, named Campaign Trio, ran from February to March 2025 on more than 2,000 domains imitating i4tools, Youdao, and DeepSeek, while the second campaign, detected in May 2025, is said to be more sophisticated and impersonated more than 40 applications, including QQ Music and Sogou browser. The second wave is codenamed “Campaign Chorus.”
Security researchers Keerthiraj Nagaraj, Vishwa Thothatthri, Nabeel Mohamed, and Reethika Ramesh said, “From the first campaign to the second, attackers evolved from simple droppers to complex multi-step infection chains that exploit signed legitimate software to bypass modern defenses.”
These domains were found to host ZIP archives containing trojanized installers, ultimately paving the way for the deployment of the Gh0st RAT. However, the second campaign not only leverages more software programs as decoys to reach a broader Chinese-speaking population, but also employs a “complex and elusive” infection chain using intermediate redirect domains to retrieve ZIP archives from public cloud service buckets.
campaign chorus attack chain
This approach can bypass network filters that block traffic to unknown domains, and it also makes the threat actors’ infrastructure more resilient to takedown. In this campaign, the MSI installer additionally runs an embedded Visual Basic script that decrypts and launches the final payload via DLL sideloading.
“The parallel operation of old and new infrastructure through continuous activity suggests an operation that is not just evolving, but consists of multiple infrastructures and different toolsets simultaneously,” the researchers said. “This could point to A/B testing of TTPs with different sets of victims with varying levels of complexity, or simply a cost-effective strategy to continue leveraging older assets for as long as they remain viable.”
