NSIS
Dragon Breath uses RONINGLOADER to deliver modified Gh0st RAT to Chinese-speaking users
Researchers say the Dragon Breath group used a multi-stage loader called RONINGLOADER to deliver a modified Gh0st RAT to Chinese-speaking users, employing signed drivers, WDAC policy changes, PPL abuse and multi-stage NSIS installers to evade security products and deploy remote access capabilities.

