The threat group known as Dragon Breath, also tracked as APT-Q-27 and Golden Eye, has been detected using a multi-stage loader called RONINGLOADER to deliver a modified variant of the Gh0st RAT remote access Trojan. This campaign primarily targets Chinese-speaking users and uses Trojanized NSIS installers that impersonate legitimate software such as Google Chrome and Microsoft Teams.
According to researchers at Elastic Security Labs, the infection chain employs a multi-stage delivery mechanism that incorporates advanced evasion techniques. These techniques are specifically designed to neutralize popular endpoint security products in the Chinese market.
RONINGLOADER: A Highly Evasive Multistage Loader
The infection chain starts with malicious NSIS installers for trusted applications. These act as a starting point for two embedded NSIS installers: a benign one (letsvpnlatest.exe) that installs the legitimate software, and a malicious one (Snieoatwtregoable.exe) that triggers the actual attack chain.
The attack is distinguished by its sophisticated defense evasion tactics:
- Process Manipulation and Hook Evasion: RONINGLOADER attempts to remove any userspace hooks by loading a fresh instance of ntdll.dll.
- Privilege Escalation and AV Scanning: Uses the runas command to escalate privileges and scans an encrypted list of popular antivirus solutions in China, including Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager and Qihoo 360 Total Security.
Specific Attack Against Qihoo 360 Total Security
If Qihoo 360 Total Security is detected, RONINGLOADER executes a sequence of particularly complex actions to evade and disable the security software:
- Blocks all network communications by modifying the firewall.
- Obtains the SeDebugPrivilege token to inject shellcode into the vssvc.exe process, associated with the Volume Shadow Copy (VSS) service.
- Uses a technique known as PoolParty to inject shellcode into the VSS service process.
- Loads and uses a signed driver named ollama.sys through a temporary service (xererre1) to terminate the processes associated with Qihoo 360.
- Restores the firewall settings.
For the other security processes, the loader uses a similar approach, loading ollama.sys through a temporary service called ollama to terminate them.
Additional Bypasses and Disabling Advanced Defenses
Once the security processes are removed, RONINGLOADER performs additional actions to ensure its persistence and avoid detection:
- UAC Bypass and Firewall Rules: Runs batch scripts to bypass User Account Control (UAC) and creates firewall rules to block incoming and outgoing Qihoo 360 connections.
- Microsoft Defender Evasion: Two techniques previously documented by researcher Zero Salarium have been observed that abuse PPL (Protected Process Light) and Windows Error Reporting (WerFaultSecure.exe), also known as EDR-Freeze, to disable Microsoft Defender Antivirus.
- WDAC Manipulation: Targets Windows Defender Application Control (WDAC) by writing a malicious policy that explicitly blocks Chinese security vendors such as Qihoo 360 Total Security and Huorong Security.
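As an added defender-side example (not code from Elastic Security Labs or the report), a small Python detector that scans constructed Sysmon/System-log style events for the behaviours listed in the two sections above: the ollama.sys driver installed through the temporary services, WerFaultSecure.exe spawned by a non-system parent, firewall rules that block one of the named vendors, and a WDAC policy file written by a user-land process. The event field names, file paths and the Qihoo 360 program path are assumptions.

```python
# Added example (not from Elastic's report): flag the RONINGLOADER behaviours described
# above in Sysmon/Security-log style events. All events below are constructed.
import re

KNOWN_BAD_SERVICES = {"xererre1", "ollama"}   # temporary service names from the report
KNOWN_BAD_DRIVER = "ollama.sys"               # signed driver abused to kill AV processes
WDAC_POLICY_DIR = "c:\\windows\\system32\\codeintegrity"  # enforced CI policies live here
SYSTEM_DIR = "c:\\windows\\"
VENDOR_HINTS = ("360", "huorong", "kingsoft", "tencent")  # vendors named in the report
USER_WRITABLE = re.compile(r"^c:\\(users|programdata|windows\\temp)\\", re.I)

SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"id": 7045, "ServiceName": "xererre1", "ImagePath": r"C:\Users\Public\ollama.sys"},
    {"id": 7045, "ServiceName": "ollama", "ImagePath": r"C:\Windows\Temp\ollama.sys"},
    {"id": 7045, "ServiceName": "MyNic", "ImagePath": r"C:\Windows\System32\drivers\nic.sys"},
    {"id": 1, "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\Snieoatwtregoable.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\netsh.exe", "CommandLine":
     r'netsh advfirewall firewall add rule name=blk dir=out action=block program="C:\Program Files\360\placeholder.exe"'},
    {"id": 11, "Image": r"C:\Users\u\AppData\Local\Temp\Snieoatwtregoable.exe",
     "TargetFilename": r"C:\Windows\System32\CodeIntegrity\CiPolicies\Active\constructed-guid.cip"},
    {"id": 1, "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
]

def classify(ev):
    """Return the alert names one event triggers (empty list if it looks benign)."""
    hits, eid = [], ev.get("id")
    if eid == 7045:  # System log: a new service was installed
        name, path = ev.get("ServiceName", "").lower(), ev.get("ImagePath", "").lower()
        if name in KNOWN_BAD_SERVICES or path.endswith(KNOWN_BAD_DRIVER):
            hits.append("known_roningloader_driver_service")
        elif path.endswith(".sys") and USER_WRITABLE.match(path):
            hits.append("driver_loaded_from_user_writable_path")
    elif eid == 1:  # Sysmon: process creation
        image, parent = ev.get("Image", "").lower(), ev.get("ParentImage", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        if image.endswith("werfaultsecure.exe") and not parent.startswith(SYSTEM_DIR):
            hits.append("werfaultsecure_spawned_by_non_system_parent")  # EDR-Freeze pattern
        if image.endswith("netsh.exe") and "advfirewall" in cmd and "action=block" in cmd \
                and any(v in cmd for v in VENDOR_HINTS):
            hits.append("firewall_rule_blocking_security_product")
    elif eid == 11:  # Sysmon: file created
        target, writer = ev.get("TargetFilename", "").lower(), ev.get("Image", "").lower()
        if target.startswith(WDAC_POLICY_DIR) and not writer.startswith(SYSTEM_DIR):
            hits.append("wdac_policy_written_by_non_system_process")
    return hits

def scan(events):  # map the index of each alerting event to its alert names
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}
```

Any single hit is worth triage, but the combination of a driver service install followed by a firewall change and a WDAC policy write from the same user-land binary is the sequence the report describes.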
Deployment of Gh0st RAT and Brand Impersonation Campaigns
The ultimate goal of RONINGLOADER is to inject a malicious DLL into regsvr32.exe, a legitimate Windows binary, to hide its activity. It then launches the Gh0st RAT payload in a legitimate high-privilege system process, such as TrustedInstaller.exe or elevation_service.exe.
The Gh0st RAT Trojan allows attackers to:
- Configure Windows Registry keys.
- Clean Windows event logs.
- Download and run files from remote URLs.
- Alter clipboard data.
- Run commands via cmd.exe.
- Capture keystrokes, clipboard contents, and active window titles.
Massive Brand Impersonation Campaigns (Palo Alto Networks Unit 42)
In parallel with the Dragon Breath campaign, Palo Alto Networks Unit 42 identified two interconnected campaigns that use large-scale brand impersonation to deliver Gh0st RAT to Chinese-speaking users. Although they have not been attributed to a known threat actor, they share similarities in targeting and final payload.
- Trio Campaign (February-March 2025): Impersonated brands such as i4tools, Youdao and DeepSeek, using more than 2,000 domains and simpler droppers.
- Chorus Campaign (May 2025): More sophisticated, it impersonated more than 40 applications, including QQ Music and Sogou browser. It used complex infection chains and intermediary redirection domains to evade network filters and deliver ZIP files from public cloud services.
Conclusion
Both campaigns demonstrate a trend towards increasingly sophisticated attacks adapted to local defenses. The overlap in Gh0st RAT usage and in the targeting of Chinese-speaking users suggests a complex threat landscape, where threat actors (such as Dragon Breath) continually test tactics, techniques and procedures (TTPs) to maximize the effectiveness and resilience of their operations, leveraging both old and new infrastructure.
References
- Malware: Gh0st RAT, RONINGLOADER, ollama.sys
- Evasion Techniques: PoolParty, EDR-Freeze (abuse of PPL and WerFaultSecure.exe), Double-dip DLL side-loading.
- Threat Groups: Dragon Breath (APT-Q-27, Golden Eye), Miuuti Group.
- Specific Defenses Bypassed: Qihoo 360 Total Security, Huorong Security, Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager.
- Researchers/Companies: Elastic Security Labs, Palo Alto Networks Unit 42.