Key Findings The Dragon Breath APT group (APT-Q-27) has deployed a new multi-stage malware loader called RoningLoader to target Chinese-speaking users. The campaign uses trojanized installers masquerading as trusted applications like Google Chrome and Microsoft Teams. RoningLoader exhibits sophisticated evasion and defense bypass techniques, including: Abuse of Protected Process Light (PPL) to disable Windows Defender Leveraging a legitimate, signed kernel driver to terminate
