Cybersecurity

Dragon Breath Uses Roningloader To Disable Security Tools And...

2025-11-17 0 views admin
Dragon Breath Uses Roningloader To Disable Security Tools And...

The threat actor known as Dragon Breath has been observed making use of a multi-stage loader codenamed RONINGLOADER to deliver a modified variant of a remote access trojan called Gh0st RAT.

The campaign, which is primarily aimed at Chinese-speaking users, employs trojanized NSIS installers masquerading as legitimate like Google Chrome and Microsoft Teams, according to Elastic Security Labs.

"The infection chain employs a multi-stage delivery mechanism that leverages various evasion techniques, with many redundancies aimed at neutralising endpoint security products popular in the Chinese market," security researchers Jia Yu Chan and Salim Bitam said. "These include bringing a legitimately signed driver, deploying custom WDAC policies, and tampering with the Microsoft Defender binary through PPL [Protected Process Light] abuse."

Dragon Breath, also known as APT-Q-27 and Golden Eye, was previously highlighted by Sophos in May 2023 in connection with a campaign that leveraged a technique called double-dip DLL side-loading in attacks targeting users in the Philippines, Japan, Taiwan, Singapore, Hong Kong, and China.

The hacking group, assessed to be active since at least 2020, is linked to a larger Chinese-speaking entity tracked as Miuuti Group that's known for attacking the online gaming and gambling industries.

In the latest campaign documented by Elastic Security Labs, the malicious NSIS installers for trusted applications act as a launchpad for two more embedded NSIS installers, one of which ("letsvpnlatest.exe") is benign and installs the legitimate software. The second NSIS binary ("Snieoatwtregoable.exe") is responsible for stealthily triggering the attack chain.

This involves delivering a DLL and an encrypted file ("tp.png"), with the former used to read the contents of the supposed PNG image and extract shellcode designed to launch another binary in memory.

RONINGLOADER, besides attempting to remove any userland hooks by loading a fresh new "ntdll.dll," tries to elevate its privileges by using the runas command and scans a list of running processes for hard-coded antivirus-related solutions, such as Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security.

The malware then proceeds to terminate those identified processes. In the event the identified process is associated with Qihoo 360 Total Security (e.g., "360tray.exe," "360Safe.exe," or "ZhuDongFangYu.exe"), it takes a different approach. Th

Source: The Hacker News

🏷️ Tags

securityhackmalwareattackthreat

More from Cybersecurity

Openai Is Offering $20 Chatgpt Plus For Free To Some Users 2026

Openai Is Offering $20 Chatgpt Plus For Free To Some Users 2026

2026-01-01 0
Security Biggest Cybersecurity And Cyberattack Stories Of 2025

Security Biggest Cybersecurity And Cyberattack Stories Of 2025

2026-01-01 0
New Biggest Cybersecurity And Cyberattack Stories Of 2025 2026

New Biggest Cybersecurity And Cyberattack Stories Of 2025 2026

2026-01-01 0
New Glassworm Malware Wave Targets Macs With Trojanized Crypto Wallets

New Glassworm Malware Wave Targets Macs With Trojanized Crypto Wallets

2026-01-01 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views