Dragon Breath uses RONINGLOADER to deliver modified Gh0st RAT to Chinese-speaking users

Security researchers at Elastic Security Labs observed the threat actor known as Dragon Breath deploying a multi-stage loader called RONINGLOADER to deliver a modified variant of the remote access trojan Gh0st RAT, with operations primarily aimed at Chinese-speaking users.

Investigators said the campaign uses trojanized NSIS installers that impersonate trusted applications such as Google Chrome and Microsoft Teams and relies on multiple redundancies and evasion techniques, including a legitimately signed driver, custom Windows Defender Application Control policies and abuse of protected process mechanisms, to neutralise endpoint security products popular in the Chinese market.

The malicious NSIS installers act as a launchpad for two embedded installers: one named letsvpnlatest.exe that installs legitimate software and a second, named Snieoatwtregoable.exe, that triggers the attack chain. That latter binary drops a DLL and an encrypted file called tp.png; the DLL reads the image file to extract shellcode that launches a next-stage binary in memory.

RONINGLOADER attempts to remove userland hooks and to elevate privileges using the runas command. The loader scans for and terminates processes associated with a list of antivirus products including Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager and Qihoo 360 Total Security.

When Qihoo 360 processes are detected, the malware is reported to change firewall settings to block network communication, grant itself debug privileges, inject shellcode into the Volume Shadow Copy service process, start that service and use a PoolParty-style injection to take control. It then loads a signed driver called ollama.sys via a temporary service named xererre1 to terminate the targeted processes, and finally restores the firewall settings. For other security products the loader is said to write a driver to disk and create a temporary service named ollama to perform process termination.
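As a defensive illustration of the driver-loading step described above, the following is an added example (not code from the Elastic report) that scans constructed, flattened Windows "service installed" (Event ID 7045) records for the temporary service names and driver file the report attributes to RONINGLOADER, and for the more general sign of a kernel driver registered from a user-writable path. The one-line record format and its field names are assumptions of this example, not a real log schema.

```python
import re

# Constructed sample records standing in for Windows System log Event ID 7045
# ("A service was installed"), flattened to key=value pairs. Not real telemetry.
SAMPLE_7045 = [
    'ServiceName=xererre1 ServiceFileName=C:\\Users\\Public\\ollama.sys ServiceType="kernel mode driver" StartType="demand start"',
    'ServiceName=ollama ServiceFileName=C:\\ProgramData\\tmp\\ollama.sys ServiceType="kernel mode driver" StartType="demand start"',
    'ServiceName=TeamsUpdater ServiceFileName="C:\\Program Files\\Teams\\Update.exe" ServiceType="user mode service" StartType="auto start"',
    'ServiceName=netfilter ServiceFileName=system32\\drivers\\netfilter.sys ServiceType="kernel mode driver" StartType="system start"',
]

# Names the report attributes to RONINGLOADER (treated here as fixed strings).
KNOWN_SERVICE_NAMES = {"xererre1", "ollama"}
KNOWN_DRIVER_FILES = {"ollama.sys"}
# Kernel drivers normally live under system32\drivers; these roots are user-writable.
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_7045(line):
    """Return the key=value fields of one flattened record, with quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def classify(record):
    """Return the reasons a record looks suspicious; an empty list means benign."""
    reasons = []
    name = record.get("ServiceName", "").lower()
    path = record.get("ServiceFileName", "").lower()
    is_driver = "kernel mode driver" in record.get("ServiceType", "").lower()
    if name in KNOWN_SERVICE_NAMES:
        reasons.append("service name matches reported RONINGLOADER temporary service")
    if path.rsplit("\\", 1)[-1] in KNOWN_DRIVER_FILES:
        reasons.append("driver file name matches reported ollama.sys")
    if is_driver and path.startswith(USER_WRITABLE_ROOTS):
        reasons.append("kernel driver registered from a user-writable directory")
    return reasons


def scan(lines):
    """Map each suspicious ServiceName to the list of reasons it was flagged."""
    hits = {}
    for line in lines:
        record = parse_7045(line)
        reasons = classify(record)
        if reasons:
            hits[record["ServiceName"]] = reasons
    return hits


if __name__ == "__main__":
    for service, reasons in scan(SAMPLE_7045).items():
        print(service, "->", "; ".join(reasons))
```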

Researchers also documented RONINGLOADER running batch scripts to bypass User Account Control and create firewall rules targeting Qihoo 360. The malware has been observed using techniques described by researcher Zero Salarium to abuse protected process light and the Windows Error Reporting system. The loader also writes a malicious WDAC policy that blocks Chinese security vendors including Qihoo 360 and Huorong Security.

The final step is reported to be injection of a rogue DLL into the legitimate regsvr32.exe process to conceal activity, followed by launching a payload into high-privilege processes such as TrustedInstaller.exe or elevation_service.exe. The payload is a modified Gh0st RAT that can fetch commands, modify registry keys, clear Windows event logs, download and execute files, alter clipboard contents, inject into svchost.exe and capture keystrokes and foreground window titles. Palo Alto Networks Unit 42 separately identified two impersonation campaigns that delivered Gh0st RAT and documented large-scale brand impersonation; that report is available at Unit 42. The campaigns used intermediary redirection domains and DLL side-loading techniques described by MITRE.