
Dragon Breath Breaches the Data Fortress

  • Javier Conejo del Cerro
  • 3 days ago
  • 3 min read

The latest campaign attributed to Dragon Breath (APT-Q-27 / Golden Eye) shows an actor capable of infiltrating systems through trojanized installers, neutralizing defenses with the multi-stage RONINGLOADER, and deploying a modified Gh0st RAT deep inside privileged processes. In parallel, large-scale brand impersonation campaigns distribute the same malware through complex infection chains, revealing an ecosystem that strikes not by breaking a single gate, but by surrounding the fortress from multiple sides.


Phase 1: Deception and Delivery


The intrusion begins with trojanized NSIS installers disguised as Chrome, Teams, and other trusted applications. Each installer contains a benign component that installs legitimate software and a hidden malicious NSIS payload that extracts a DLL and an encrypted “tp.png” file. The DLL reads and decrypts the fake PNG to launch shellcode directly in memory, activating RONINGLOADER and enabling the adversary to enter silently through a supply-chain look-alike vector without triggering user suspicion.


Phase 2: Stealth, Privilege, and Neutralization


Once running, RONINGLOADER removes hooks by loading a clean copy of ntdll.dll, attempts privilege escalation using runas, and scans for Chinese-market antivirus tools such as Microsoft Defender, Kingsoft, Tencent PC Manager, and Qihoo 360.

Depending on the product detected, the loader executes specialized kill routines: firewall blocking, shellcode injection into the VSS process via PoolParty, driver-based termination using a signed kernel driver (“ollama.sys”), and malicious WDAC policies that block Qihoo and Huorong. It also abuses PPL and the WerFaultSecure.exe mechanism (EDR-Freeze) to disable Defender. By the end of this phase, endpoint security has been fully neutralized and the fortress stands defenseless.


Phase 3: Payload Deployment and Command


With all safeguards disabled, the loader injects a rogue DLL into regsvr32.exe and deploys a customized Gh0st RAT inside processes like TrustedInstaller.exe and elevation_service.exe. The RAT enables remote control, registry manipulation, event log wiping, file downloads, clipboard tampering, shellcode injection into svchost.exe, and keylogging capabilities.

Meanwhile, two separate infrastructure waves—Campaign Trio and Campaign Chorus—deliver Gh0st RAT to Chinese-speaking users through large-scale brand impersonation, ZIP-based droppers, and intermediary redirection domains that evade network filtering. This dual-track activity suggests simultaneous testing of TTPs and a highly resilient operation.


Measures to Fend Off the Dragon


Organizations can harden their defenses by adopting several architectural and operational safeguards:

• Enforce strict application control (WDAC/AppLocker) to prevent unverified installers and DLL side-loading.

• Block or restrict kernel driver loading; allow only vendor-approved and cryptographically validated drivers.

• Implement memory integrity protections and behavioral EDR capable of detecting anti-hooking, PPL abuse, and in-memory loaders.

• Validate installers via cryptographic signatures and distribution integrity rather than brand logos or filenames.

• Monitor for anomalous regsvr32.exe, TrustedInstaller.exe, or VSS activity, which are common staging points in this campaign.

• Harden firewall policies and enforce least-privilege service accounts to limit the blast radius of driver-assisted process killing.

• Enhance phishing and brand-impersonation detection, particularly in Chinese-speaking user segments targeted by Campaign Trio and Chorus.

• Continuously review WDAC policies to detect malicious additions that suppress local security vendors.

• Isolate high-value endpoints and enforce privileged access workstations to prevent RAT deployment into system processes.
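As an added example that is not part of the original post, the following Python triage rules run over constructed Sysmon-style events (shapes loosely modeled on Sysmon event IDs 1, 6 and 7) and flag the staging points listed above: regsvr32.exe registering a DLL from a user-writable path, a kernel driver load whose signer is outside an allowlist, and a protected host process (TrustedInstaller.exe, elevation_service.exe, the VSS service) loading an untrusted image. The event field names, the signer allowlist and the sample records are assumptions made for illustration.

```python
import re

# Constructed sample events (not real telemetry); field names are assumed.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32.exe /s C:\Users\u\AppData\Local\Temp\nsa1F2.tmp\plugin.dll",
     "parent": r"C:\Users\u\Downloads\ChromeSetup.exe"},
    {"id": 1, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll",
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"id": 6, "image": r"C:\Users\u\AppData\Local\Temp\ollama.sys",
     "signer": "Example Co Ltd", "signed": True},
    {"id": 6, "image": r"C:\Windows\System32\drivers\tcpip.sys",
     "signer": "Microsoft Windows", "signed": True},
    {"id": 7, "image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\x.dll", "signed": False},
    {"id": 7, "image": r"C:\Windows\System32\VSSVC.exe",
     "loaded": r"C:\Windows\System32\vssapi.dll", "signed": True},
]

# Assumed allowlist: only these signers may load kernel drivers on this fleet.
TRUSTED_DRIVER_SIGNERS = {"Microsoft Windows",
                          "Microsoft Windows Hardware Compatibility Publisher"}
# Paths a standard user can write to; images loaded from here deserve a look.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
# Host processes the campaign uses as staging points (VSSVC.exe assumed for "VSS process").
PROTECTED_HOSTS = {"trustedinstaller.exe", "elevation_service.exe",
                   "vssvc.exe", "regsvr32.exe", "svchost.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, detail) pairs for events that match one of the three rules."""
    alerts = []
    for e in events:
        host = basename(e["image"])
        if e["id"] == 1 and host == "regsvr32.exe" and USER_WRITABLE.search(e["cmd"]):
            alerts.append(("regsvr32_user_writable_dll", e["cmd"]))
        elif e["id"] == 6 and (not e["signed"] or e["signer"] not in TRUSTED_DRIVER_SIGNERS):
            alerts.append(("driver_outside_allowlist", e["image"]))
        elif e["id"] == 7 and host in PROTECTED_HOSTS and (
                not e["signed"] or USER_WRITABLE.search(e["loaded"])):
            alerts.append(("protected_host_loads_untrusted_image", f"{host} <- {e['loaded']}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"[{rule}] {detail}")
```

Run as-is it reports three alerts, one per rule, and stays silent on the benign msiexec/regsvr32, tcpip.sys and vssapi.dll records.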


Dragon Breath’s strength lies in systematically dismantling defenses before deploying its final payload. From abusing kernel drivers and PPL mechanisms to crafting WDAC-bypass policies and hijacking trusted Windows binaries, the operation shows a threat actor focused on persistence, stealth, and privilege consolidation. The broader ecosystem of parallel campaigns distributing Gh0st RAT further indicates a mature, multi-infrastructure offensive model. Any organization relying solely on traditional endpoint or perimeter controls becomes an easy target for an adversary designed to erase those very tools.



The Hacker News

