The cyber threat landscape targeting Chinese-speaking users has intensified with the detection of multiple malware campaigns. Two recent reports highlight the sophistication of threat actors using the Gh0st RAT remote access trojan, a malware known for its versatility.

One of the campaigns involves the threat actor known as Dragon Breath (also tracked as APT-Q-27 or Golden Eye), which uses a multi-phase loader called RONINGLOADER to deliver a modified variant of Gh0st RAT. In parallel, a separate series of large-scale phishing campaigns has been distributing the same malware.

RONINGLOADER: Dragon Breath's Complex Evasion

The Dragon Breath actor, active since at least 2020 and linked to the Miuuti group, focuses mainly on the online gaming and betting industry. In its most recent campaign, it uses trojanized NSIS installers that impersonate legitimate software such as Google Chrome and Microsoft Teams.

RONINGLOADER’s infection chain is characterized by its multi-phase approach and advanced evasion techniques, designed to neutralize popular security products on the Chinese market:

  • Dual NSIS Installers: The initial malicious installer contains two embedded NSIS installers: one benign to install the legitimate software and another responsible for the stealthy attack chain.
  • Attack on Endpoint Defenses: RONINGLOADER is programmed to scan and terminate processes associated with security solutions such as Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager and Qihoo 360 Total Security.
  • Abuse of PPL (Protected Process Light): The most notable technique is the abuse of PPL and Windows System Error Reporting (WerFaultSecure.exe) to disable Microsoft Defender Antivirus. It also implements malicious WDAC (Windows Defender Application Control) policies that explicitly block Chinese security vendors.

Attack Sequence against Qihoo 360 Total Security

For Qihoo 360 security products, the evasion process is particularly elaborate:

  1. Network Blocking: Modifies the firewall to block all network communications.
  2. VSS Abuse (Volume Shadow Copy): Enables SeDebugPrivilege in its token and injects shellcode into the vssvc.exe process (the VSS service) using the PoolParty technique.
  3. Process Termination with a Signed Driver: Loads and uses a legitimately signed driver called ollama.sys (registered through a temporary service named xererre1) to terminate Qihoo 360 processes.
  4. Firewall Restore: Restores the firewall settings so the attack can continue.

For other security processes, the loader uses a similar method with a temporary service called ollama to load the ollama.sys driver and terminate the processes.
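The sequence above (firewall switched to block, a temporary service that loads a kernel driver, security-product processes terminated, firewall restored) is a pattern a detection engineer can look for in endpoint telemetry. The following is an added detection sketch, not code from the article or from any of the cited vendors; the event format is constructed, and the vendor process names in SECURITY_PROCESSES are assumed illustrative examples rather than a list from the page.

```python
import re

# Constructed sample telemetry (not real logs): (time_s, source, message).
SAMPLE_EVENTS = [
    (100, "firewall", "default outbound action set to Block (all profiles)"),
    (103, "service", "Service installed: name=xererre1 image=C:\\Temp\\ollama.sys type=kernel"),
    (105, "process", "Process terminated: 360Tray.exe"),
    (106, "process", "Process terminated: 360sd.exe"),
    (110, "firewall", "default outbound action set to Allow (all profiles)"),
    (400, "service", "Service installed: name=MyBackup image=C:\\Program Files\\bk\\svc.exe type=own"),
]

# Indicators from the article: the abused signed driver and the temporary service names.
ABUSED_DRIVER = "ollama.sys"
TEMP_SERVICE_NAMES = {"ollama", "xererre1"}
# Assumed vendor process names for the products the article lists (illustrative, not exhaustive).
SECURITY_PROCESSES = {"msmpeng.exe", "360tray.exe", "360sd.exe", "kxetray.exe", "qqpctray.exe"}
KILL_WINDOW_S = 120  # max seconds between the driver-service install and a process kill

SERVICE_RE = re.compile(r"Service installed: name=(\S+) image=(.+) type=(\S+)$")
KILL_RE = re.compile(r"Process terminated: (\S+)$")


def detect_driver_assisted_av_kill(events):
    """Return one alert per kernel-driver service install that is followed, within
    KILL_WINDOW_S, by termination of a security-product process. Each alert records
    the service, driver image, killed processes, and whether the firewall was set to
    Block before the first kill and back to Allow after the last one."""
    events = sorted(events, key=lambda e: e[0])
    alerts = []
    for ts, src, msg in events:
        m = SERVICE_RE.match(msg) if src == "service" else None
        if not m or m.group(3) != "kernel":
            continue
        name, image = m.group(1), m.group(2)
        if not (image.lower().endswith(ABUSED_DRIVER) or name.lower() in TEMP_SERVICE_NAMES):
            continue
        kills = []
        for kts, ksrc, kmsg in events:
            km = KILL_RE.match(kmsg) if ksrc == "process" else None
            if km and ts <= kts <= ts + KILL_WINDOW_S and km.group(1).lower() in SECURITY_PROCESSES:
                kills.append((kts, km.group(1)))
        if not kills:
            continue
        first, last = kills[0][0], kills[-1][0]
        blocked = any(s == "firewall" and "Block" in mm and t < first for t, s, mm in events)
        restored = any(s == "firewall" and "Allow" in mm and t > last for t, s, mm in events)
        alerts.append({"service": name, "driver": image, "killed": [k for _, k in kills],
                       "firewall_bracketed": blocked and restored})
    return alerts
```

Running `detect_driver_assisted_av_kill(SAMPLE_EVENTS)` flags only the xererre1/ollama.sys install, while the ordinary user-mode service at t=400 is ignored.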

Final Payload: Modified Gh0st RAT

Once security defenses are disabled, RONINGLOADER injects a malicious DLL into regsvr32.exe to hide its activity and injects Gh0st RAT into a high-privilege system process (such as TrustedInstaller.exe or elevation_service.exe).

The Gh0st RAT variant deployed is capable of:

  • Setting Windows registry keys.
  • Clearing Windows event logs.
  • Downloading and running files.
  • Altering clipboard data.
  • Executing commands via cmd.exe.
  • Injecting shellcode into svchost.exe.
  • Capturing keystrokes, clipboard contents and active window titles through a dedicated module.

Digital Impersonation Campaigns

Palo Alto Networks Unit 42 identified two interconnected campaigns that also distribute Gh0st RAT to Chinese-speaking users, although they are not attributed to Dragon Breath.

  • Trio Campaign (February-March 2025): Used more than 2,000 domains to imitate software such as i4tools, Youdao and DeepSeek.
  • Chorus Campaign (May 2025): More sophisticated, imitating more than 40 applications, including QQ Music and the Sogou browser.

Both campaigns evolved from simple “droppers” to complex multi-phase infection chains that abuse legitimate signed software to bypass modern defenses.

Chorus Campaign Evasion Mechanisms

The Chorus Campaign employs advanced network evasion techniques:

  • Redirection Domains: Uses intermediary redirection domains to obtain malicious ZIP files from public cloud service buckets. This allows the operators to bypass network filters that block traffic from unknown domains.
  • MSI Installers and DLL Sideloading: MSI installers run an embedded Visual Basic script that decrypts and launches the final payload using the DLL sideloading technique.

The researchers point out that the parallel operation of old and new infrastructures suggests a strategy of A/B testing or the targeting of different sets of victims with varying levels of complexity.

Conclusions

Recent campaigns demonstrate the increasing sophistication of threat actors targeting Chinese-speaking users. The combination of highly customized endpoint evasion techniques (such as those implemented by RONINGLOADER) and large-scale digital phishing campaigns highlights the persistence of cybercriminals in bypassing modern security solutions and deploying Gh0st RAT for remote espionage and control of infected systems.

References

  • Palo Alto Networks Unit 42: identified the Trio and Chorus phishing campaigns.
  • Elastic Security Labs: published the analysis of Dragon Breath's RONINGLOADER.
  • Zero Salarium: researcher who documented the PPL abuse techniques.
  • Sophos: previously reported on Dragon Breath activity in 2023.