Dragon Breath’s Expanding Malware Strategy
Dragon Breath continues to evolve its tradecraft. The group now relies on a multi-stage loader, tracked as RONINGLOADER, to deliver a modified Gh0st RAT variant. The operation mainly targets Chinese-speaking users and spreads through installers disguised as trusted tools.
Researchers report that the infection chain is built in many layers, with redundant, overlapping methods for disabling popular security tools. To do so the attackers use signed drivers, custom policies, and abuse of built-in Windows protections.
Multi-Stage Installers and Deceptive Packages
The attackers hide their malware inside installers that resemble real applications. One bundled installer is the genuine application and runs normally; a second installer, launched alongside it, silently starts the malicious sequence. Because the victim sees the expected program install and run, the lure holds up and the package passes casual inspection and some security checks.
The malicious installer drops a DLL and an encrypted file with a .png extension. The DLL reads the fake PNG, decrypts it and extracts shellcode, and the shellcode launches the next binary directly in memory, so the later stages never land on disk as executables. This keeps the on-disk footprint small and reduces the chance of detection.
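A fake PNG used as a shellcode carrier is cheap to triage. The check below is an added example written for this page, not code from the loader or from the researchers it cites: it walks the PNG chunk grammar, verifies chunk CRCs, and flags files that are not PNGs at all (an encrypted blob with a .png name) as well as valid images with extra data after the IEND chunk or non-standard chunks. The sample images and the 4096-byte payload (a uniform byte distribution, standing in for ciphertext) are constructed inline; the entropy threshold is the reader's to set.

```python
"""Triage a file that claims to be a PNG for hidden payloads."""
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"tIME", b"pHYs",
    b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"tRNS", b"sBIT", b"hIST", b"sPLT",
}


def shannon_entropy(data):
    """Bits per byte; ciphertext and compressed shellcode sit near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_png(blob):
    """Return (chunks, trailing_bytes, errors); chunks are (type, data, crc_ok)."""
    if not blob.startswith(PNG_SIG):
        return [], blob, ["missing PNG signature"]
    pos, chunks, errors = len(PNG_SIG), [], []
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data_start, data_end = pos + 8, pos + 8 + length
        if data_end + 4 > len(blob):
            errors.append(f"truncated chunk {ctype.decode('latin-1')}")
            return chunks, blob[pos:], errors
        data = blob[data_start:data_end]
        (crc,) = struct.unpack(">I", blob[data_end:data_end + 4])
        crc_ok = (zlib.crc32(ctype + data) & 0xFFFFFFFF) == crc
        chunks.append((ctype, data, crc_ok))
        pos = data_end + 4
        if ctype == b"IEND":
            break  # anything after IEND is not part of the image
    return chunks, blob[pos:], errors


def assess_png(blob):
    """Return a list of human-readable findings; an empty list means 'looks like a plain PNG'."""
    chunks, trailing, errors = parse_png(blob)
    findings = list(errors)
    has_iend = any(t == b"IEND" for t, _, _ in chunks)
    if not has_iend and not errors:
        findings.append("no IEND chunk")
    for ctype, data, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append(f"bad CRC in {name} chunk")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({len(data)} bytes)")
    if trailing:
        where = "after IEND" if has_iend else "outside the chunk structure"
        findings.append(f"{len(trailing)} bytes {where}, entropy {shannon_entropy(trailing):.2f}")
    return findings


def is_suspicious(blob):
    return bool(assess_png(blob))


def _chunk(ctype, data):
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data) & 0xFFFFFFFF)


def build_sample_png():
    """A valid 1x1 RGB PNG, constructed here for the demo."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


# Constructed inputs: a clean image, the same image with a payload appended, and a bare blob named .png
PAYLOAD = bytes(range(256)) * 16        # stand-in for an encrypted shellcode block
SAMPLE_CLEAN = build_sample_png()
SAMPLE_STEGO = SAMPLE_CLEAN + PAYLOAD
SAMPLE_FAKE = PAYLOAD

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CLEAN), ("stego", SAMPLE_STEGO), ("fake", SAMPLE_FAKE)):
        print(label, assess_png(blob) or "no findings")
```

The same walk generalizes to other container formats the loader could have chosen (JPEG, ICO): validate the grammar, then treat whatever the parser leaves over as the object of interest.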
RONINGLOADER’s Privilege and Evasion Techniques
RONINGLOADER performs a long list of evasive actions. It first loads a fresh copy of a system library to strip the userland hooks that security products place in the one already mapped. It then tries to elevate privileges through system commands, and it enumerates running processes to locate specific antivirus tools.
When it detects certain security tools, the malware terminates them. If it finds a known Chinese antivirus product, for example, it changes firewall rules, injects shellcode, restarts system services, and loads a signed driver to kill the product's protected processes. Afterward it restores the firewall settings so the change is less likely to be noticed.
For other tools it writes the driver to disk and registers a temporary service that loads it; the driver stops the targeted process, and the service is then removed. With its defenses down, the host is open to deeper compromise.
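Each step of that sequence is unremarkable on its own, which is why it should be detected as a sequence. The following is an added example, not code from the original page or from the researchers it cites: it correlates, per host and inside a short window, a kernel-driver service installed from a user-writable path with a matching driver load, the termination of a security-product process, firewall rule changes, and the removal of the same service. The telemetry is constructed, and its schema (normalized from Windows System 7045, Sysmon 6 and 5, and Windows Firewall 2004/2006 style records) is an assumption about the collector; the process watchlist holds placeholder names.

```python
"""Correlate a driver-backed 'kill the security tool' sequence from host telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)                          # assumption: tune for your environment
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SECURITY_PROCESSES = {"av_tray.exe", "av_core.exe"}    # placeholders: fill in your vendor's process names


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry (assumed normalized schema):
#   service_installed <- System 7045, driver_loaded <- Sysmon 6, process_terminated <- Sysmon 5,
#   firewall_rule_added/deleted <- Firewall 2004/2006, service_deleted <- registry key removal (Sysmon 12)
SAMPLE_EVENTS = [
    # ws-1: the full sequence described in the text
    {"host": "ws-1", "ts": _ts("2025-11-20T10:00:00"), "kind": "firewall_rule_added", "rule": "allow-tmp"},
    {"host": "ws-1", "ts": _ts("2025-11-20T10:00:05"), "kind": "service_installed", "name": "tmpdrv",
     "image": "C:\\ProgramData\\tmp\\drv.sys", "kernel_driver": True},
    {"host": "ws-1", "ts": _ts("2025-11-20T10:00:06"), "kind": "driver_loaded",
     "image": "C:\\ProgramData\\tmp\\drv.sys", "signer": "Example Software Co."},
    {"host": "ws-1", "ts": _ts("2025-11-20T10:00:07"), "kind": "process_terminated", "image": "av_tray.exe"},
    {"host": "ws-1", "ts": _ts("2025-11-20T10:00:08"), "kind": "service_deleted", "name": "tmpdrv"},
    {"host": "ws-1", "ts": _ts("2025-11-20T10:00:20"), "kind": "firewall_rule_deleted", "rule": "allow-tmp"},
    # ws-2: a legitimate driver from the drivers directory, then the AV tray restarts on its own
    {"host": "ws-2", "ts": _ts("2025-11-20T11:00:00"), "kind": "service_installed", "name": "vendornic",
     "image": "C:\\Windows\\System32\\drivers\\vendornic.sys", "kernel_driver": True},
    {"host": "ws-2", "ts": _ts("2025-11-20T11:00:30"), "kind": "process_terminated", "image": "av_tray.exe"},
    # ws-3: a driver staged in ProgramData, but no security process is touched
    {"host": "ws-3", "ts": _ts("2025-11-20T12:00:00"), "kind": "service_installed", "name": "stage",
     "image": "C:\\ProgramData\\setup\\x.sys", "kernel_driver": True},
    {"host": "ws-3", "ts": _ts("2025-11-20T12:00:01"), "kind": "driver_loaded",
     "image": "C:\\ProgramData\\setup\\x.sys", "signer": "Example Software Co."},
]


def correlate(events, window=WINDOW):
    """Anchor on kernel-driver services from user-writable paths; collect corroborating events around them."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for anchor in evs:
            if anchor["kind"] != "service_installed" or not anchor.get("kernel_driver"):
                continue
            if not anchor["image"].lower().startswith(USER_WRITABLE):
                continue
            lo, hi = anchor["ts"] - window, anchor["ts"] + window
            evidence = {"driver_service": anchor["image"]}
            for e in evs:
                if e is anchor or not (lo <= e["ts"] <= hi):
                    continue
                if e["kind"] == "driver_loaded" and e["image"].lower() == anchor["image"].lower():
                    evidence["driver_loaded"] = e.get("signer", "")
                elif e["kind"] == "process_terminated" and e["image"].lower() in SECURITY_PROCESSES:
                    evidence.setdefault("security_process_killed", []).append(e["image"])
                elif e["kind"] in ("firewall_rule_added", "firewall_rule_deleted"):
                    evidence.setdefault("firewall_changes", []).append(e["kind"])
                elif e["kind"] == "service_deleted" and e.get("name") == anchor["name"]:
                    evidence["service_removed"] = True
            score = len(evidence) - 1  # the anchor itself is not evidence
            # A security process dying next to an unusual driver load is the core of the pattern
            if "security_process_killed" in evidence and score >= 2:
                alerts.append({"host": host, "ts": anchor["ts"].isoformat(), "score": score, "evidence": evidence})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The "restore the firewall afterwards" step is itself evidence: a rule added and deleted within minutes around a driver load is not how administrators work. The signer field is carried through so an analyst can pivot to the driver's certificate, since the loader relies on the driver being validly signed.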
Disabling System Protections and Deploying Gh0st RAT
RONINGLOADER also bypasses UAC and modifies firewall rules. It uses a recently publicized technique that abuses the Windows Error Reporting machinery to freeze defensive tools, and it writes policies that block the binaries of certain regional security vendors.
The final goal is to inject a rogue DLL into a legitimate Windows component. Running inside a trusted process hides the activity and launches the final payload, an enhanced Gh0st RAT variant.
Gh0st RAT communicates with remote servers to receive commands. It can alter registry keys, clear logs, download files, run system commands, and capture keystrokes and clipboard data, giving the attacker deep control over the compromised system.
Widespread Brand-Impersonation Campaigns
Recent campaigns also spread Gh0st RAT through large-scale brand impersonation. Attackers mimicked many well-known applications to lure Chinese-speaking users and registered thousands of domains to host trojanized installers. Newer campaigns use more complex chains and redirect traffic through cloud storage services.
Researchers note that the older and newer infrastructures operate in parallel. This suggests the attackers are testing techniques or optimizing costs, and it points to a large, organized effort behind the campaigns.
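Thousands of impersonation domains are easier to catch by shape than one by one. The check below is an added example, not code from the original page or from the researchers it cites: it folds common digit-for-letter and "rn"-for-"m" substitutions, strips filler such as "download" or "setup", and then reports any label that contains a watched brand token or sits within a small edit distance of one. The brand list, the allowlist of legitimate owners, the suffix set (used instead of a full public-suffix list) and the candidate domains are all constructed for the demo.

```python
"""Flag lookalike domains that impersonate software brands."""
BRANDS = ["chrome", "teams", "telegram"]                          # assumption: brands you watch
ALLOWLIST = {"google.com", "microsoft.com", "telegram.org"}        # assumption: legitimate owners
SUFFIX_LABELS = {"com", "cn", "net", "org", "top", "xyz", "co", "io"}   # stand-in for a public-suffix list
FILLER = ("download", "install", "setup", "official", "app", "cn", "zh")  # noise words lures add to a brand
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(label):
    """Normalize a DNS label the way a human eye does: homoglyphs, rn->m, vv->w, filler words, hyphens."""
    s = label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    for word in FILLER:           # note: also strips these substrings from real names, acceptable for triage
        s = s.replace(word, "")
    return s.replace("-", "")


def classify(domain):
    """Return (domain, brand, reason) for a lookalike, or None."""
    d = domain.lower().rstrip(".")
    if d in ALLOWLIST or any(d.endswith("." + owner) for owner in ALLOWLIST):
        return None
    for label in (l for l in d.split(".") if l not in SUFFIX_LABELS):
        folded = fold(label)
        for brand in BRANDS:
            if brand in folded:
                return (domain, brand, "contains brand token after folding")
            dist = levenshtein(folded, brand)
            if dist <= max(1, len(brand) // 3):      # allow two edits for six-letter brands
                return (domain, brand, f"edit distance {dist} from brand")
    return None


def scan(domains):
    return [hit for hit in (classify(d) for d in domains) if hit]


# Constructed candidates: four lures, two legitimate names, one legitimate subdomain
SAMPLE_DOMAINS = [
    "chrome-download.top", "tearns-setup.com", "te1egram.xyz", "chorme.cn",
    "google.com", "example.com", "cdn.telegram.org",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_DOMAINS):
        print(hit)
```

Run against newly observed domains from passive DNS or certificate-transparency feeds, the hits are a starting list to fetch and check for installers that bundle a second, silent package alongside the genuine one.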
How to Prevent Similar Attacks
Users should download software only from the vendor's official site, keep systems updated, and watch for unusual behavior. Organizations should deploy advanced threat detection and enforce strict application control. Real-time monitoring and managed response services can also reduce risk by identifying abnormal activity early, such as drivers loading from unusual paths, security processes being terminated, or firewall rules changing without an administrator's action.
Sleep well, we got you covered.

