
RONINGLOADER: DragonBreath's New Path to PPL Abuse

Medium
Published: Wed Nov 19 2025 (11/19/2025, 08:54:30 UTC)
Source: AlienVault OTX General

Description

RONINGLOADER is a multi-stage malware loader used by the DragonBreath APT group to deploy an updated variant of the gh0st RAT. Infection begins with trojanized NSIS installers disguised as legitimate software. The loader then works through a chain of defence-evasion techniques: it loads a signed kernel-mode driver so that it can act with kernel privileges against security products, uses thread-pool injection to run code inside legitimate processes, and abuses Protected Process Light (PPL), the protection level that is supposed to keep even administrator-level code from tampering with Microsoft Defender's processes. It terminates antivirus processes, applies custom Windows Defender Application Control (WDAC) policies to further weaken endpoint defences (WDAC is normally an allow-listing control; here the attacker's own policy is turned against the host), and injects its payload into trusted system processes to avoid detection. The process-killing in this campaign is aimed at Chinese security products, but the tactics transfer to any Windows environment. Severity is rated medium: a complex, stealthy loader with an impact on confidentiality and integrity, but with no evidence so far of use against European targets. European organisations running Windows with Microsoft Defender, especially in critical infrastructure and government, could be affected. Mitigation requires detection of abnormal driver loads, monitoring of WDAC policy changes, and blocking known-abusable signed drivers rather than only unsigned ones, since the driver this loader uses carries a valid signature. Countries with high Microsoft Defender adoption and an intelligence interest for China-focused espionage are the most plausible targets.

AI-Powered Analysis

Last updated: 11/19/2025, 09:27:23 UTC

Technical Analysis

RONINGLOADER is a multi-stage loader deployed by the DragonBreath advanced persistent threat (APT) group to deliver an updated gh0st RAT variant. The infection chain starts with trojanized Nullsoft Scriptable Install System (NSIS) installers that masquerade as legitimate software, so the victim runs the initial payload willingly. From there the loader applies a series of evasion techniques aimed at endpoint detection and response (EDR) tools, particularly those used in China. The key methods are: abuse of a signed kernel-mode driver, which passes Driver Signature Enforcement and gives the loader kernel-level reach against security products; thread-pool injection, which executes code inside legitimate processes without the classic CreateRemoteThread pattern; and abuse of Protected Process Light (PPL), the protection level Microsoft Defender's service processes run at so that ordinary processes, even elevated ones, cannot open them for termination or injection. Getting around PPL is what lets the loader disable Defender components. The loader also terminates antivirus processes outright and applies custom WDAC policies to further weaken endpoint defences. The final payload is injected into trusted system processes, which makes detection and removal harder. The campaign reflects an evolution in DragonBreath's tradecraft towards stealth, persistence and adaptability. Although the process-killing targets Chinese security solutions, the techniques would work against other Windows environments. Because this is malware rather than a vulnerability, there is no patch to apply; the countermeasures are detection and hardening. The campaign is ongoing as of late 2025.
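The PPL point above is checkable on a host. The following is an added example, not code from the Elastic report or from this page: it reads the PS_PROTECTION level of Microsoft Defender's engine process via NtQueryInformationProcess and flags a Defender that is missing or no longer protected, which is the state an EDR-killer leaves behind. Assumptions, noted in the code: the information class number 61 and the one-byte PS_PROTECTION layout come from public documentation of ntdll rather than from this page, and MsMpEng.exe is taken as the process to inspect. Run from an elevated prompt.

```powershell
# Added example: verify that Defender's antimalware engine still runs as a Protected Process
# Light (PPL). Not from the Elastic report or this page. Assumptions: PROCESSINFOCLASS
# ProcessProtectionInformation = 61 and the PS_PROTECTION bit layout below (public ntdll
# documentation); MsMpEng.exe as the process of interest.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class PsProt {
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
        IntPtr info, int infoLength, out int returnLength);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
"@

function Get-ProcessProtection {
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # the one access right PPL still grants to callers
    $ProcessProtectionInformation = 61
    $types   = @{ 0 = 'None'; 1 = 'ProtectedLight'; 2 = 'Protected' }
    $signers = @{ 0 = 'None'; 1 = 'Authenticode'; 2 = 'CodeGen'; 3 = 'Antimalware'; 4 = 'Lsa';
                  5 = 'Windows'; 6 = 'WinTcb'; 7 = 'WinSystem'; 8 = 'App' }

    $h = [PsProt]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal(4)
    try {
        $ret = 0
        $status = [PsProt]::NtQueryInformationProcess($h, $ProcessProtectionInformation, $buf, 1, [ref]$ret)
        if ($status -ne 0) { throw ('NtQueryInformationProcess failed, NTSTATUS 0x{0:X8}' -f $status) }
        # PS_PROTECTION is a single byte: bits 0-2 Type, bit 3 Audit, bits 4-7 Signer
        $level = [Runtime.InteropServices.Marshal]::ReadByte($buf)
        [pscustomobject]@{
            ProcessId = $ProcessId
            Type      = $types[[int]($level -band 0x7)]
            Signer    = $signers[[int]($level -shr 4)]
            Raw       = $level
        }
    } finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        [void][PsProt]::CloseHandle($h)
    }
}

function Test-DefenderEngineProtection {
    # Healthy baseline: Type = ProtectedLight, Signer = Antimalware.
    $engine = Get-Process -Name MsMpEng -ErrorAction SilentlyContinue
    if (-not $engine) {
        Write-Warning 'MsMpEng.exe is not running: Defender is disabled, replaced, or has been terminated.'
        return
    }
    foreach ($p in $engine) {
        $prot = Get-ProcessProtection -ProcessId $p.Id
        [pscustomobject]@{
            Name    = $p.Name
            Pid     = $p.Id
            Type    = $prot.Type
            Signer  = $prot.Signer
            Healthy = ($prot.Type -eq 'ProtectedLight' -and $prot.Signer -eq 'Antimalware')
        }
    }
}

Test-DefenderEngineProtection | Format-Table -AutoSize
```

A result of Type = None for MsMpEng.exe, or no engine process at all, is worth an incident ticket rather than a restart. Note the limit of this check: it is run on the endpoint by the endpoint, so a loader that already has kernel code running could in principle lie to it; treat it as a hunting signal and corroborate with the event-log evidence the Mitigation section discusses.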

Potential Impact

For European organizations, the RONINGLOADER threat poses significant risks primarily to confidentiality and integrity due to the deployment of the gh0st RAT, which enables remote access, data exfiltration, and potential lateral movement within networks. The malware’s ability to disable Microsoft Defender and evade detection can lead to prolonged undetected presence, increasing the risk of espionage, intellectual property theft, and disruption of critical services. Sectors such as government, defense, critical infrastructure, and technology firms are particularly vulnerable due to their strategic value and frequent targeting by APT groups. The use of trojanized installers as the initial infection vector means that social engineering or supply chain compromise could facilitate infection. The stealthy injection into trusted processes complicates incident response and forensic analysis. While the campaign currently targets Chinese EDR tools, the underlying techniques could be adapted to evade European security solutions, especially those relying on Microsoft Defender. The medium severity rating reflects the complexity and potential impact balanced against the current lack of widespread exploitation in Europe.

Mitigation Recommendations

European organisations should monitor kernel driver loads and new driver services (System log event 7045 records service installation, including kernel-mode drivers; Sysmon event 6 records driver loads) and review the signer of every driver not seen before, because a valid signature is precisely what this loader relies on. Enforce the Microsoft vulnerable driver blocklist and hypervisor-protected code integrity (HVCI) where the hardware allows it, and add the Microsoft recommended driver block rules to WDAC; a policy that only refuses unsigned drivers does nothing against a signed one. Watch WDAC itself: alert on Code Integrity operational events 3099 (a policy was activated or refreshed) and 3076/3077 (audit and block decisions), and on new or changed files under System32\CodeIntegrity, since an attacker-supplied policy looks like an administrator's change unless your own policies are baselined. Keep Defender Tamper Protection on and alert on Defender operational events such as 5001 (real-time protection disabled) and 5007 (configuration changed), and on MsMpEng.exe stopping outside of platform updates. Tune EDR to thread-pool injection and other injection into trusted system processes. Restrict software installation to approved sources and warn users that installers for otherwise legitimate software, downloaded from unofficial sites, are how this chain starts. Incident response playbooks should cover driver abuse and PPL tampering, including collecting the driver file, the applied WDAC policy and the memory of injected processes before reimaging. Hunt regularly for the tactics above (process termination patterns, WDAC modifications, new drivers), follow DragonBreath reporting through threat intelligence providers, and limit lateral movement after an initial compromise with network segmentation and least privilege.
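The monitoring steps above, as one added example that is not part of this page or of Elastic's tooling: a local hunt that pulls the driver-installation, Code Integrity and Defender events, lists the active WDAC policy files, and reports the host's driver hardening state. The event IDs and registry locations are Microsoft's; the lookback window, which items to collect and how they are summarised are the author's own choices, marked in the comments. Run from an elevated prompt.

```powershell
# Added example, not from the Elastic report or this page. Hunts the local logs and
# configuration for the behaviours the Mitigation section recommends watching.

function Get-NormalizedDriverPath {
    # Service image paths appear as \??\C:\..., \SystemRoot\..., or system32\drivers\...
    param([string]$ImagePath)
    $p = $ImagePath -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Invoke-RoningloaderHunt {
    param([int]$LookbackDays = 7)   # window length is an arbitrary choice
    $since  = (Get-Date).AddDays(-$LookbackDays)
    $silent = @{ ErrorAction = 'SilentlyContinue' }

    # 1. Newly installed kernel-mode driver services. System event 7045 properties are
    #    ServiceName, ImagePath, ServiceType, StartType, AccountName.
    $driverInstalls = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } @silent |
        Where-Object { $_.Properties[2].Value -match 'kernel' } |
        ForEach-Object {
            $path   = Get-NormalizedDriverPath $_.Properties[1].Value
            $signer = if (Test-Path -LiteralPath $path) {
                (Get-AuthenticodeSignature -FilePath $path).SignerCertificate.Subject
            } else { '(file no longer present)' }
            [pscustomobject]@{ Time = $_.TimeCreated; Service = $_.Properties[0].Value; Image = $path; Signer = $signer }
        }

    # 2. WDAC / Code Integrity: 3099 = policy activated or refreshed, 3076 = audit, 3077 = block.
    #    Also list the policy files an attacker must drop to apply a custom policy.
    $ciEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076, 3077, 3099; StartTime = $since } @silent |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    $ciPolicies = Get-ChildItem -Path "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b",
                                     "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active\*.cip" @silent |
        Select-Object FullName, LastWriteTime, Length

    # 3. Defender tampering: 5001 real-time protection disabled, 5007 configuration changed,
    #    5010 / 5012 scanning disabled.
    $defenderEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5007, 5010, 5012; StartTime = $since } @silent |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }

    # 4. Current Defender posture (the module is absent on hosts without Defender, hence the try).
    $defenderStatus = try {
        Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled, IsTamperProtected, AMRunningMode
    } catch { $null }

    # 5. Driver hardening that blunts signed-driver abuse: vulnerable driver blocklist and HVCI.
    $ci   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' @silent
    $hvci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' @silent
    $hardening = [pscustomobject]@{
        VulnerableDriverBlocklistEnabled = [bool]$ci.VulnerableDriverBlocklistEnable
        HvciEnabled                      = [bool]$hvci.Enabled
    }

    [pscustomobject]@{
        DriverInstalls      = @($driverInstalls)
        CodeIntegrityEvents = @($ciEvents)
        ActivePolicies      = @($ciPolicies)
        DefenderEvents      = @($defenderEvents)
        DefenderStatus      = $defenderStatus
        Hardening           = $hardening
    }
}

$hunt = Invoke-RoningloaderHunt -LookbackDays 14
$hunt.DriverInstalls | Format-Table -AutoSize
$hunt.CodeIntegrityEvents, $hunt.DefenderEvents | Format-Table -AutoSize
$hunt.ActivePolicies | Format-Table -AutoSize
$hunt.DefenderStatus
$hunt.Hardening
```

The function returns objects rather than text so the same call can feed a scheduled task or a SIEM forwarder. The items that deserve a closer look are any 7045 driver service whose signer is not one your fleet already uses, a 3099 event or a new .cip file that does not line up with a change record, and a 5001 or 5007 event on a host where Tamper Protection is reported as enabled, which should not be possible without either a platform update or interference at a level Tamper Protection does not cover.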


Technical Details

Author
AlienVault
Tlp
white
References
["https://www.elastic.co/security-labs/roningloader"]
Adversary
DragonBreath
Pulse Id
691d85c636ef7e742328d734
Threat Score
null

Indicators of Compromise

Domain

qaqkongtiao.com

Hash

MD5
5b92b51e585ad1f235855fd86dc77b85
00893b7c3e8c39d4663257ddec678aa9
3a7cb580bd340505f6dc5b4c829a3eca
838f8f3d80f676272dd54c9811ee6ce2
8ad120e4f3e41849fefa229c9b7d3008
96dcdb8bb7934abdb6cd87c33d17be87
b10347281e6e8451a77b423f1c8286bb
c09570d0dbf0abfe506cc4370defb396
d17f86f27e9db5a5afde517b5173121e
d378aa2d0853dd754f0729c463540d6b
d920c1a909744e206405ec13539ee01c
f8c3fc89d7a33c90110e401acc799d05
fa42ebb1071abc0e618c296ea2cf71a6

SHA-1
0bb3cff34c803295888efde782925e5b1193114f
0143efc2dd05d7ce2a6c1d2672bc86c3b3381f8e
1b62c6fd4e1ce6fbe264f356d1c02816acc9c76a
21cc730517d74fa1d13316d7e0d817f3bd710906
31cbcab4267482904de5b6bb578c633309d81185
332aadd2e2e44d357f085b5b61e459ae9e276f6c
50b652fb7cac8803dfad1db1485a0f46715b0391
5a7c90c0806c846faa58959627a95b816e636e7f
5c0100a6b2fcc5e74649a356d322c2568a4e15ed
97e2a79af66c94fadb0f039fea405c1e612d6729
9e0c0737b0e37b3e821d011eecd9b0c7c9f2a15a
bf778f27c8abc9bd44ca484bf18d45cd17f7bbc8
c52d46c66d6469877b156e166ca2dbfb72fe90eb
ceffd5ea7b813b356c77d469561dbb5ee45aeb24

SHA-256
3dd470e85fe77cd847ca59d1d08ec8ccebe9bd73fd2cf074c29d87ca2fd24e33
1613a913d0384cbb958e9a8d6b00fffaf77c27d348ebc7886d6c563a6f22f2b7
1c1528b546aa29be6614707cbe408cb4b46e8ed05bf3fe6b388b9f22a4ee37e2
2515b546125d20013237aeadec5873e6438ada611347035358059a77a32c54f5
33b494eaaa6d7ed75eec74f8c8c866b6c42f59ca72b8517b3d4752c3313e617c
395f835731d25803a791db984062dd5cfdcade6f95cc5d0f68d359af32f6258d
4d5beb8efd4ade583c8ff730609f142550e8ed14c251bae1097c35a756ed39e6
82794015e2b40cc6e02d3c1d50241465c0cf2c2e4f0a7a2a8f880edaee203724
96f401b80d3319f8285fa2bb7f0d66ca9055d349c044b78c27e339bcfb07cdf0
c65170be2bf4f0bd71b9044592c063eaa82f3d43fcbd8a81e30a959bcaad8ae5
da2c58308e860e57df4c46465fd1cfc68d41e8699b4871e9a9be3c434283d50b
fc63f5dfc93f2358f4cba18cbdf99578fff5dac4cdd2de193a21f6041a0e01bc
fd4dd9904549c6655465331921a28330ad2b9ff1c99eb993edf2252001f1d107
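To put the indicators above to use, the following is an added example, not tooling from this page or from Elastic: it sweeps a host for files matching the SHA-256 values in the table, hashes every currently loaded kernel driver as well (a still-loaded EDR-killer driver is the strongest signal), and checks the DNS client cache for the listed domain. The hash values and the domain are copied from the table; the directories swept and the file-size cap are the author's assumptions, and the MD5 and SHA-1 values from the table can be added the same way with Get-FileHash -Algorithm MD5 or SHA1.

```powershell
# Added example, not from this page or the Elastic report. IoC values are the SHA-256 hashes
# and the domain from the table above; swept paths and the size cap are assumptions.
$IocSha256 = @'
3dd470e85fe77cd847ca59d1d08ec8ccebe9bd73fd2cf074c29d87ca2fd24e33
1613a913d0384cbb958e9a8d6b00fffaf77c27d348ebc7886d6c563a6f22f2b7
1c1528b546aa29be6614707cbe408cb4b46e8ed05bf3fe6b388b9f22a4ee37e2
2515b546125d20013237aeadec5873e6438ada611347035358059a77a32c54f5
33b494eaaa6d7ed75eec74f8c8c866b6c42f59ca72b8517b3d4752c3313e617c
395f835731d25803a791db984062dd5cfdcade6f95cc5d0f68d359af32f6258d
4d5beb8efd4ade583c8ff730609f142550e8ed14c251bae1097c35a756ed39e6
82794015e2b40cc6e02d3c1d50241465c0cf2c2e4f0a7a2a8f880edaee203724
96f401b80d3319f8285fa2bb7f0d66ca9055d349c044b78c27e339bcfb07cdf0
c65170be2bf4f0bd71b9044592c063eaa82f3d43fcbd8a81e30a959bcaad8ae5
da2c58308e860e57df4c46465fd1cfc68d41e8699b4871e9a9be3c434283d50b
fc63f5dfc93f2358f4cba18cbdf99578fff5dac4cdd2de193a21f6041a0e01bc
fd4dd9904549c6655465331921a28330ad2b9ff1c99eb993edf2252001f1d107
'@ -split '\r?\n' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$IocDomain = 'qaqkongtiao.com'

function Find-RoningloaderIocs {
    param(
        # Assumed locations: where a downloaded installer and its drops usually land.
        [string[]]$Paths = @("$env:USERPROFILE\Downloads", $env:TEMP, $env:ProgramData),
        [long]$MaxFileBytes = 100MB   # skip very large files to keep the sweep quick
    )
    $set = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$IocSha256, [System.StringComparer]::OrdinalIgnoreCase)

    $candidates = @(foreach ($p in $Paths) {
        Get-ChildItem -LiteralPath $p -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object Length -le $MaxFileBytes | Select-Object -ExpandProperty FullName
    })
    # Every running kernel driver image, so a loaded EDR-killer driver is not missed.
    $candidates += @(Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        Select-Object -ExpandProperty PathName)

    foreach ($file in ($candidates | Sort-Object -Unique)) {
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($hash -and $set.Contains($hash)) {
            [pscustomobject]@{ Indicator = 'SHA256'; Value = $hash.ToLower(); Location = $file }
        }
    }
    # A cached resolution of the C2 domain means something on this host looked it up.
    Get-DnsClientCache -ErrorAction SilentlyContinue |
        Where-Object { $_.Entry -like "*$IocDomain" -or $_.Name -like "*$IocDomain" } |
        ForEach-Object { [pscustomobject]@{ Indicator = 'Domain'; Value = $_.Entry; Location = "DNS cache -> $($_.Data)" } }
}

Find-RoningloaderIocs | Format-Table -AutoSize
```

Hash matching finds only the samples Elastic had in hand; a rebuilt installer changes every hash and leaves none of these indicators behind, which is why the behavioural checks in the Mitigation section matter more than this sweep for anything beyond confirming a known-sample infection.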

Threat ID: 691d8b10ce29a4e4be9cd7ec

Added to database: 11/19/2025, 9:17:04 AM

Last enriched: 11/19/2025, 9:27:23 AM

Last updated: 11/22/2025, 4:21:41 AM
