Dragon Breath APT Utilizes RoningLoader, Employs Kernel Driver and PPL Abuse to Disable Windows Defender
- Nov 17, 2025
- 2 min read
Key Findings
The Dragon Breath APT group (APT-Q-27) has deployed a new multi-stage malware loader called RoningLoader to target Chinese-speaking users.
The campaign uses trojanized installers masquerading as trusted applications like Google Chrome and Microsoft Teams.
RoningLoader exhibits sophisticated evasion and defense bypass techniques, including:
Abuse of Protected Process Light (PPL) to disable Windows Defender
Leveraging a legitimate, signed kernel driver to terminate antivirus processes at the kernel level
Applying custom unsigned Windows Defender Application Control (WDAC) policies to block Chinese security solutions
RoningLoader executes a complex process injection workflow, including ThreadPool-based injection, reflective loading, phantom DLL sideloading, and process hollowing.
The final payload is a modified variant of the Gh0st RAT, which provides the attackers with remote command execution, keylogging, clipboard monitoring, and other espionage capabilities.
The campaign also includes a clipboard hijacker that can replace cryptocurrency wallet addresses, suggesting the group may be targeting financial theft in addition to espionage.
Background
The Dragon Breath APT group, also known as APT-Q-27 and Golden Eye, has been active since at least 2020 and is linked to a larger Chinese-speaking entity tracked as the Miuuti Group. The group is known for targeting the online gaming and gambling industries.
Sophisticated Evasion and Defense Bypass Techniques
The RoningLoader malware employed in this campaign exhibits a range of advanced evasion and defense bypass techniques. These include abusing Protected Process Light (PPL) to disable Windows Defender, and loading a legitimately signed kernel driver to terminate antivirus processes from kernel mode, where user-mode tamper protections do not apply. Because the driver carries a valid signature, signature validation alone will not flag it; defenders need to look at where the driver is loaded from and at what happens on the host immediately afterwards.
Custom WDAC Policies and Targeted Antivirus Blocking
The attackers also apply custom unsigned Windows Defender Application Control (WDAC) policies to explicitly block Chinese security vendors such as Qihoo 360 Total Security and Huorong Security. Because WDAC policies are enforced by Code Integrity in the kernel, a policy that denies a vendor's binaries prevents them from loading at all rather than merely terminating them. This represents a strategic focus on evading widely used security tools in the Chinese market.
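The two sections above describe a short sequence a defender can look for on the host: a signed driver appearing from an unexpected location, Defender's real-time protection going away, and a new Code Integrity policy being loaded. The following Python is an added example, not code from the reports or from the malware, that correlates those three signals over constructed sample events. The channel names and event IDs (Sysmon 6 for a driver load, Defender 5001/5010 for protection disabled, CodeIntegrity 3099 for a policy load) are standard Windows ones; treating a load path outside the drivers directory as the anomaly is an assumption of this example, since the page says the driver itself is legitimately signed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    channel: str        # Windows event log channel the record came from
    event_id: int
    data: dict = field(default_factory=dict)


SYSMON = "Microsoft-Windows-Sysmon/Operational"
DEFENDER = "Microsoft-Windows-Windows Defender/Operational"
CODE_INTEGRITY = "Microsoft-Windows-CodeIntegrity/Operational"
DRIVER_DIR = r"c:\windows\system32\drivers"


def when(s):
    return datetime.fromisoformat(s)


# Constructed sample events (illustrative, not telemetry from the campaign).
SAMPLE_EVENTS = [
    # ws01: signed driver loaded from a user-writable path, real-time protection
    # off 20 s later, a Code Integrity policy loaded 45 s after that.
    Event(when("2025-11-17T12:00:00"), "ws01", SYSMON, 6,
          {"ImageLoaded": r"C:\Users\Public\Music\svc.sys",
           "Signed": "true", "SignatureStatus": "Valid"}),
    Event(when("2025-11-17T12:00:20"), "ws01", DEFENDER, 5001),
    Event(when("2025-11-17T12:01:05"), "ws01", CODE_INTEGRITY, 3099),
    # ws02: vendor driver from the normal directory plus a policy refresh -
    # only one indicator kind, so no alert.
    Event(when("2025-11-17T12:03:00"), "ws02", SYSMON, 6,
          {"ImageLoaded": r"C:\Windows\System32\drivers\vendor.sys",
           "Signed": "true", "SignatureStatus": "Valid"}),
    Event(when("2025-11-17T12:03:30"), "ws02", CODE_INTEGRITY, 3099),
    # ws03: an admin turning real-time protection off, nothing else.
    Event(when("2025-11-17T13:00:00"), "ws03", DEFENDER, 5001),
]


def driver_loaded_outside_drivers_dir(ev):
    """Sysmon 6 (driver loaded) whose image is not under the drivers directory.
    Assumed anomaly: the driver is validly signed, so its path is what stands out."""
    if ev.channel != SYSMON or ev.event_id != 6:
        return False
    return not ev.data.get("ImageLoaded", "").lower().startswith(DRIVER_DIR)


def defender_protection_disabled(ev):
    """Defender 5001 (real-time protection disabled) or 5010 (scanning disabled)."""
    return ev.channel == DEFENDER and ev.event_id in (5001, 5010)


def code_integrity_policy_loaded(ev):
    """CodeIntegrity 3099: a WDAC policy was loaded or refreshed."""
    return ev.channel == CODE_INTEGRITY and ev.event_id == 3099


INDICATORS = {
    "driver_outside_drivers_dir": driver_loaded_outside_drivers_dir,
    "defender_disabled": defender_protection_disabled,
    "ci_policy_loaded": code_integrity_policy_loaded,
}


def classify(ev):
    return [name for name, check in INDICATORS.items() if check(ev)]


def correlate(events, window=timedelta(minutes=10), min_kinds=2):
    """Per host, report the first run of events inside `window` that contains at
    least `min_kinds` distinct indicator kinds. A lone indicator is ignored: a
    policy refresh or an admin disabling Defender is routine on its own."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        kinds = classify(ev)
        if kinds:
            by_host[ev.host].append((ev, kinds))
    alerts = []
    for host, tagged in by_host.items():
        for i, (first, _) in enumerate(tagged):
            chain = [(ev, k) for ev, k in tagged[i:] if ev.ts - first.ts <= window]
            kinds = {k for _, ks in chain for k in ks}
            if len(kinds) >= min_kinds:
                alerts.append({"host": host, "start": first.ts.isoformat(),
                               "kinds": sorted(kinds),
                               "event_ids": [ev.event_id for ev, _ in chain]})
                break
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Requiring two distinct kinds in the window is what keeps the rule quiet on the routine cases (ws02, ws03) while still firing on ws01; lowering `min_kinds` to 1 turns it into a plain indicator feed.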
Complex Process Injection Workflow
RoningLoader executes one of the most sophisticated process-injection workflows seen in Dragon Breath operations. This includes techniques such as ThreadPool-based process injection, reflective loading of PE files, phantom DLL sideloading, process hollowing, and remote thread execution.
Modified Gh0st RAT Payload
The final payload deployed by RoningLoader is a lightly updated version of the Gh0st RAT, which continues to serve as the Dragon Breath group's primary espionage and control tool. The RAT includes capabilities such as remote command execution, keylogging, clipboard monitoring, and system profiling.
Potential Financial Theft Targeting
A notable addition to the Gh0st RAT variant is a clipboard hijacker that can replace cryptocurrency wallet addresses on the fly. This functionality is remotely configurable, suggesting the group may be targeting financial theft in addition to espionage.
Sources
https://securityonline.info/dragon-breath-apt-deploys-roningloader-using-kernel-driver-and-ppl-abuse-to-disable-windows-defender/
https://thehackernews.com/2025/11/dragon-breath-uses-roningloader-to.html