Dragon Breath, also tracked as APT-Q-27 and Golden Eye Dog, has launched a new malware campaign built around a loader called RONINGLOADER. The loader's job is to disable security protections on Windows systems; once the host is weakened, it installs a modified build of the Gh0st RAT trojan. Researchers describe the campaign as carefully engineered and technically capable.

The attack starts with fake installers posing as real applications such as Chrome or Microsoft Teams. They are built with the Nullsoft Scriptable Install System (NSIS), the same installer framework many legitimate products use, so they look and behave like the real thing. When a victim runs one, the installation appears normal, which keeps suspicion low.

Inside each installer, two setup packages are bundled. One is the genuine application installer, so the user gets the program they expected. The other is launched silently in the background and starts the malicious chain. Because the visible installation succeeds, the infection running beside it goes unnoticed.
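The decoy-plus-dropper pattern described above is easy to confirm offline: unpack the installer and see how many executables it carries and who signed each one. The script below is an added example, not code from the article or from the vendor report; it assumes 7-Zip's 7z.exe is on PATH, that the sample is handled in an isolated VM, and the script name in the usage line is hypothetical.

```powershell
# Added triage script (not from the original article or the vendor report): unpack
# a suspected NSIS installer with 7-Zip and list every executable payload it carries.
# Assumptions: 7z.exe is on PATH, and the sample is handled inside an isolated VM.
param(
    [Parameter(Mandatory = $true)][string]$Installer,
    [string]$OutDir = (Join-Path $env:TEMP ('nsis_' + [IO.Path]::GetFileNameWithoutExtension($Installer)))
)

# NSIS stores the literal "NullsoftInst" uncompressed in its first header, so a plain
# byte search identifies the packer without executing anything.
$raw    = [IO.File]::ReadAllBytes($Installer)
$latin1 = [Text.Encoding]::GetEncoding(28591)        # 1:1 byte-to-char mapping
if (-not $latin1.GetString($raw).Contains('NullsoftInst')) {
    Write-Warning "$Installer does not carry the NSIS signature"
}

# The outer file: a genuine vendor installer is normally signed by that vendor.
$outer = Get-AuthenticodeSignature -FilePath $Installer
"Outer installer: $($outer.Status)  signer: $($outer.SignerCertificate.Subject)"

# 7-Zip understands the NSIS container. Payloads are LZMA/zlib compressed inside it,
# so string searches on the raw file miss embedded executables; unpack first.
& 7z x $Installer "-o$OutDir" -y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7-Zip could not unpack $Installer" }

# Hash and signature for every PE-style payload. The decoy-plus-dropper pattern
# shows as two or more executables, typically one signed by the real vendor and one not.
$payloads = Get-ChildItem -LiteralPath $OutDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll', '.sys', '.msi' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path   = $_.FullName.Substring($OutDir.Length).TrimStart('\')
            Bytes  = $_.Length
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
            SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
$payloads | Format-Table -AutoSize

$exeCount = @($payloads | Where-Object { $_.Path -like '*.exe' }).Count
if ($exeCount -ge 2) {
    Write-Warning "$exeCount executables bundled; determine which one the install script launches"
}

# 7-Zip releases up to 15.05 also decompile the install script to [NSIS].nsi. When it
# is present, the Exec* lines show what runs at install time and in what order.
$script = Join-Path $OutDir '[NSIS].nsi'
if (Test-Path -LiteralPath $script) {
    Select-String -LiteralPath $script -Pattern '^\s*(Exec|ExecWait|ExecShell|nsExec::)' |
        ForEach-Object { $_.Line.Trim() }
}
```

Usage: `.\Inspect-NsisInstaller.ps1 -Installer .\ChromeSetup.exe` (hypothetical file names). Two bundled executables with different signers, or one whose SHA256 does not match the vendor's published release, is the point at which the sample goes to a sandbox rather than a user's desktop. Newer 7-Zip builds unpack the files but no longer emit the decompiled script, so the Exec* listing is a bonus, not something to rely on.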

Once active, RONINGLOADER sets about disabling security tools. It loads a signed third-party kernel driver, a bring-your-own-driver technique: because the driver carries a valid signature, Windows loads it, and the loader then uses its kernel privileges to terminate or bypass security processes that user-mode code cannot touch. That makes the malware far harder to detect or block and gives the attackers much firmer control of the host.

RONINGLOADER also abuses Protected Process Light (PPL), the mechanism meant to shield Defender's own processes from tampering, to interfere with Microsoft Defender. On top of that it applies custom Windows Defender Application Control (WDAC) policies that block specific security applications, with Chinese security products singled out in particular. Together, these techniques give the attackers deep, stealthy access.
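Each of the three evasion steps above leaves a footprint a responder can check from the host itself: a running third-party kernel driver, a Defender engine that is no longer in its normal state, and code-integrity policy files and events that nobody on the team deployed. The script below is an added triage example, not code from the article or the vendor report; the paths, cmdlets and event IDs are standard Windows ones, while the seven-day lookback is an assumption to adjust.

```powershell
# Added host-triage script (not from the original article or the vendor report):
# surface the three defence-evasion footprints described above on a suspect host.
# Run from an elevated PowerShell with the Defender module present. $LookbackDays is an
# assumed threshold; everything else uses standard Windows locations and cmdlets.
#Requires -RunAsAdministrator
$LookbackDays = 7

# --- 1. Running kernel drivers and who signed them ---------------------------------
# BYOVD brings its own signed, usually third-party, driver. Catalog-signed inbox drivers
# report a Microsoft signer, so list everything and sort the unusual rows to the top.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver -Filter "State='Running'" |
    ForEach-Object {
        $p = $_.PathName -replace '^\\\?\?\\', ''                 # \??\C:\... -> C:\...
        $p = $p -replace '^\\SystemRoot', $env:SystemRoot          # \SystemRoot\... -> C:\Windows\...
        if ($p -and (Test-Path -LiteralPath $p)) {
            $sig  = Get-AuthenticodeSignature -FilePath $p
            $file = Get-Item -LiteralPath $p
            [pscustomobject]@{
                Name     = $_.Name
                Status   = $sig.Status
                Signer   = $sig.SignerCertificate.Subject
                Recent   = $file.LastWriteTime -gt (Get-Date).AddDays(-$LookbackDays)
                Path     = $p
            }
        }
    }
"== Running drivers not signed by Microsoft, or written in the last $LookbackDays days =="
$drivers | Where-Object { $_.Signer -notmatch 'Microsoft' -or $_.Recent } |
    Sort-Object Recent -Descending | Format-Table Name, Status, Recent, Signer, Path -AutoSize

# --- 2. Defender engine state --------------------------------------------------------
# A killed MsMpEng or a switched-off engine shows up here. These cmdlets do not expose
# the PPL level of MsMpEng itself; confirm that with Process Explorer or a similar tool.
"== Defender =="
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    [pscustomobject]@{
        Service          = (Get-Service -Name WinDefend).Status
        EngineProcess    = [bool](Get-Process -Name MsMpEng -ErrorAction SilentlyContinue)
        RunningMode      = $mp.AMRunningMode
        RealTime         = $mp.RealTimeProtectionEnabled
        TamperProtection = $mp.IsTamperProtected
        SignatureAgeDays = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
        ExclusionPaths   = ((Get-MpPreference).ExclusionPath -join '; ')
    } | Format-List
} catch {
    Write-Warning "Defender status unavailable: $($_.Exception.Message)"
}

# --- 3. Code-integrity (WDAC) policies -----------------------------------------------
# A policy that blocks the victim's own security tools is just a file in one of these
# locations plus a "policy refreshed" event (3099); enforced blocks are logged as 3077.
"== Code-integrity policy files =="
$ciRoot = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
@(
    (Join-Path $ciRoot 'SiPolicy.p7b')
    (Join-Path $ciRoot 'CiPolicies\Active\*.cip')
) | ForEach-Object { Get-Item -Path $_ -ErrorAction SilentlyContinue } |
    Format-Table FullName, Length, LastWriteTime -AutoSize

if (Get-Command -Name citool.exe -ErrorAction SilentlyContinue) {
    & citool.exe --list-policies                          # Windows 11 22H2 and later
}

"== Code-integrity policy events (last $LookbackDays days) =="
Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3076, 3077, 3099
    StartTime = (Get-Date).AddDays(-$LookbackDays)
} | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Read the output as a set rather than line by line: a non-Microsoft driver that appeared in the last few days, Defender reporting its engine stopped or running in passive mode, and a fresh .cip file with a matching 3099 event are exactly the combination the paragraph above describes. Two caveats: WHQL-signed vendor drivers show a Microsoft signer and pass the first filter, which is why the Recent column is there, and a host that has a legitimate WDAC deployment will always show policy files, so compare against the known-good policy hashes rather than treating their presence alone as evidence.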

With the defences weakened, the loader installs a modified version of Gh0st RAT. The trojan gives the attackers remote control of the machine: they can steal data, log keystrokes, capture screenshots and run commands. It is an updated variant tailored to this campaign.

The attackers mainly target Chinese-speaking users. They built many fake websites and registered thousands of domains that impersonate popular applications and services to lure victims. Impersonation at that scale points to a well-resourced, long-running operation.

RONINGLOADER is especially dangerous because it carries multiple fallback methods: if one evasion step fails, another takes over automatically. Experts advise downloading software only from official sources and keeping systems updated. If infection is suspected, isolate the device from the network and examine it immediately.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news