Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT
The threat actor known as Dragon Breath has been observed making use of a multi-stage loader codenamed RONINGLOADER to deliver a modified variant of a remote access trojan called Gh0st RAT. The campaign, which is primarily aimed at Chinese-speaking users, employs trojanized NSIS installers masquerading as legitimate applications like Google Chrome and Microsoft Teams, according to Elastic Security Labs. "The
AI Analysis
Technical Summary
The Dragon Breath threat actor employs a multi-stage infection chain leveraging a loader named RONINGLOADER to deliver a customized variant of Gh0st RAT, a well-known remote access trojan. The campaign targets Chinese-speaking users by distributing trojanized NSIS installers that impersonate legitimate applications such as Google Chrome and Microsoft Teams. The infection chain involves multiple embedded NSIS installers, one benign and one malicious, which deploy DLLs and encrypted payloads disguised as PNG images. RONINGLOADER uses advanced evasion techniques, including loading a fresh copy of ntdll.dll to remove userland hooks, elevating privileges via runas, and scanning for security product processes, including Microsoft Defender and antivirus products popular in China such as Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. It terminates these security processes using signed drivers loaded as temporary services; for Qihoo 360 products it uses a different approach involving network blocking and shellcode injection into the Volume Shadow Copy service process. The loader also abuses Windows security features such as Protected Process Light (PPL) and Windows Error Reporting to disable Microsoft Defender Antivirus, and writes malicious WDAC policies to block Chinese security vendors. After neutralizing defenses, RONINGLOADER injects rogue DLLs into legitimate Windows binaries like regsvr32.exe and TrustedInstaller.exe to conceal its activity and launch Gh0st RAT. The RAT communicates with remote servers to execute commands, manipulate registry keys, clear event logs, download and execute files, inject shellcode into svchost.exe, and capture keystrokes and clipboard data. This campaign reflects a high level of operational sophistication, including the use of signed drivers, privilege escalation, and multi-stage payload delivery to evade detection and maintain persistence.
The threat actor Dragon Breath (also known as APT-Q-27 or Golden Eye) has been active since at least 2020 and is linked to attacks on online gaming and gambling sectors in East Asia. The campaign’s focus on Chinese-speaking users and use of Chinese security product evasion techniques indicate a regional targeting preference, but the underlying Windows exploitation techniques and RAT capabilities pose broader risks.
Potential Impact
For European organizations, the Dragon Breath campaign presents a significant risk particularly to entities with business or user bases linked to Chinese-speaking regions, such as multinational corporations, gaming companies, or firms with Chinese employees or partners. The malware’s ability to disable security tools, escalate privileges, and inject code into trusted Windows processes can lead to full system compromise, data exfiltration, espionage, and long-term persistence. The use of trojanized installers mimicking popular software increases the likelihood of successful infection through social engineering or supply chain compromise. The RAT’s capabilities to manipulate registry settings, clear logs, and capture sensitive input data threaten confidentiality and integrity of critical information. Additionally, the campaign’s evasion of endpoint detection and response (EDR) solutions complicates incident detection and response efforts. Although primarily targeting Chinese-speaking users, European organizations using similar security products or with Chinese language settings may be vulnerable. The campaign could also serve as a blueprint for attackers to adapt these techniques against European security products or targets, increasing the overall threat landscape.
Mitigation Recommendations
European organizations should implement targeted defenses beyond generic best practices. First, enforce strict application whitelisting and Windows Defender Application Control (WDAC) policies tailored to block unauthorized drivers and unsigned code, especially focusing on preventing malicious policy injections like those used by RONINGLOADER. Deploy advanced endpoint detection solutions capable of monitoring for suspicious process injections, privilege escalations, and abnormal use of legitimate Windows binaries such as regsvr32.exe and TrustedInstaller.exe. Monitor for unusual network activity, particularly connections to known malicious command and control servers associated with Gh0st RAT. Conduct user awareness training emphasizing risks of downloading software from untrusted sources and recognizing trojanized installers. Implement robust process and service monitoring to detect termination or manipulation of security tools, especially those popular in Chinese markets, as this may indicate compromise attempts. Restrict use of administrative privileges and audit use of runas commands and driver installations. Employ network segmentation to limit lateral movement if compromise occurs. Finally, maintain up-to-date threat intelligence feeds to detect emerging infrastructure related to Dragon Breath campaigns and proactively block associated domains and IPs.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Article Source: https://thehackernews.com/2025/11/dragon-breath-uses-roningloader-to.html (fetched 2025-11-17, 1643 words)
Threat ID: 691b0d52502dbbeec6e296f2
Added to database: 11/17/2025, 11:56:02 AM
Last enriched: 11/17/2025, 11:56:20 AM
Last updated: 11/17/2025, 4:13:43 PM