
Elastic Security Labs has disclosed RONINGLOADER, a multi-stage loader used by the Dragon Breath APT (also tracked as APT-Q-27) that combines trojanized NSIS installers, a legitimately signed kernel driver (ollama.sys, whose certificate is valid through February 2026) and Protected Process Light (PPL) abuse to systematically disable Microsoft Defender and several Chinese AV/EDR products before deploying a modified gh0st RAT.

The trojanized installers drop encrypted shellcode and a malicious DLL. After reconnaissance, the driver's kernel-mode IOCTLs are used to terminate processes belonging to Microsoft Defender, Kingsoft, Tencent PC Manager, Qihoo 360 and Huorong Security. The chain also applies custom WDAC policies, phantom DLL side-loading, thread pool injection and firewall manipulation, and uses a ClipUp.exe technique to overwrite MsMpEng.exe so that Defender stays neutralized across restarts. The final payload is a modified gh0st RAT with encrypted TCP C2, keystroke logging, clipboard monitoring and explicit tracking of MetaMask and Telegram. Researchers also found 71 additional binaries signed with the same certificate as the driver, which points to certificate compromise or misuse rather than a one-off signing.

Detection followed Elastic's August 2025 PPL research: Elastic built behavioral rules for the technique and then identified the active campaign in its telemetry. The operation marks a clear escalation in the group's capabilities and raises operational and cyber risk for organizations with China exposure or cryptocurrency-related activity, underscoring the need to reassess endpoint defenses and certificate management. For markets, the disclosure increases Elastic's (ESTC) visibility while putting negative sentiment pressure on affected vendors (MSFT sentiment -0.6); the technical depth and targeted evasion imply a moderate market impact (market_impact_score 0.45) until mitigations and certificate revocation occur.
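The summary above names several host-level artifacts a defender can hunt for: the ollama.sys driver load, a non-updater process (ClipUp.exe) overwriting MsMpEng.exe, a custom WDAC policy landing in the CodeIntegrity directory, a burst of security-process terminations, and other binaries carrying the driver's signer. The following is an added example written for this page, not Elastic's published rules and not code from the write-up. It runs three rules and two correlations over a handful of constructed Sysmon-style events. Field names follow Sysmon (EventID, Image, TargetFilename, ImageLoaded, Signature, UtcTime); the vendor service names other than MsMpEng.exe, the trusted-writer allowlist, the sample paths and the signer name "Example Signing Co." are assumptions, since the page does not give them.

```python
# Added example (not the page's or Elastic's code): hunting rules for the
# RONINGLOADER tradecraft, run over constructed Sysmon-style events.
import json
from datetime import datetime
from pathlib import PureWindowsPath

# MsMpEng.exe, ollama.sys and ClipUp.exe come from the write-up. The other
# service names are ASSUMED core processes of the vendors it lists.
SECURITY_PROCESSES = {
    "msmpeng.exe",        # Microsoft Defender
    "kxescore.exe",       # Kingsoft (assumed)
    "qqpctray.exe",       # Tencent PC Manager (assumed)
    "zhudongfangyu.exe",  # Qihoo 360 (assumed)
    "hipsdaemon.exe",     # Huorong Security (assumed)
}
# Processes allowed to write AV binaries or WDAC policy files (ASSUMED
# allowlist; tune to your estate). ClipUp.exe is deliberately absent.
TRUSTED_WRITERS = {"tiworker.exe", "msiexec.exe", "citool.exe", "poqexec.exe"}
WDAC_DIR = PureWindowsPath(r"C:\Windows\System32\CodeIntegrity")
WDAC_EXT = {".cip", ".p7b"}

def _name(path):
    return PureWindowsPath(path).name.lower()

def _under(path, root):
    try:
        PureWindowsPath(path).relative_to(root)
        return True
    except ValueError:
        return False

def rule_driver_load(ev):
    """Sysmon EID 6: the signed kill-driver shipped by the loader."""
    if ev.get("EventID") == 6 and _name(ev["ImageLoaded"]) == "ollama.sys":
        return f"driver-load ollama.sys signed by '{ev.get('Signature')}'"

def rule_av_binary_overwrite(ev):
    """Sysmon EID 11: a non-updater creating/overwriting a security product
    binary (the ClipUp.exe -> MsMpEng.exe PPL abuse)."""
    if ev.get("EventID") != 11:
        return None
    if _name(ev["TargetFilename"]) in SECURITY_PROCESSES and _name(ev["Image"]) not in TRUSTED_WRITERS:
        return f"{_name(ev['Image'])} wrote {ev['TargetFilename']}"

def rule_wdac_policy_drop(ev):
    """Sysmon EID 11: a custom WDAC policy dropped under CodeIntegrity."""
    if ev.get("EventID") != 11:
        return None
    t = PureWindowsPath(ev["TargetFilename"])
    if _under(t, WDAC_DIR) and t.suffix.lower() in WDAC_EXT and _name(ev["Image"]) not in TRUSTED_WRITERS:
        return f"{_name(ev['Image'])} dropped WDAC policy {t.name}"

RULES = (rule_driver_load, rule_av_binary_overwrite, rule_wdac_policy_drop)

def run_rules(events):
    """Return (EventID, message) for every rule hit, in event order."""
    return [(ev["EventID"], hit) for ev in events for r in RULES if (hit := r(ev))]

def termination_burst(events, window_s=60, min_kills=2):
    """Sysmon EID 5 for several security processes inside one window: the
    low-fidelity shadow of IOCTL-driven process killing. EID 5 carries no
    killer PID, so this correlates but does not attribute."""
    times = sorted(datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
                   for e in events
                   if e.get("EventID") == 5 and _name(e["Image"]) in SECURITY_PROCESSES)
    for i in range(len(times) - min_kills + 1):
        if (times[i + min_kills - 1] - times[i]).total_seconds() <= window_s:
            return True
    return False

def images_by_signer(events, signer):
    """Pivot from the driver's signer to every image (EID 6 driver or EID 7
    DLL) loaded with the same signature: how the sibling binaries signed
    with the same certificate would surface in local telemetry."""
    return sorted({e["ImageLoaded"] for e in events
                   if e.get("EventID") in (6, 7) and e.get("Signature") == signer})

# Constructed sample telemetry (not real logs). Paths and the signer name are
# placeholders; the write-up does not name the certificate's subject.
SAMPLE_EVENTS = [json.loads(line) for line in r'''
{"EventID":1,"UtcTime":"2025-11-12 09:00:00.000","Image":"C:\\Users\\u\\Downloads\\setup.exe"}
{"EventID":11,"UtcTime":"2025-11-12 09:00:05.000","Image":"C:\\Users\\u\\Downloads\\setup.exe","TargetFilename":"C:\\Windows\\System32\\CodeIntegrity\\CiPolicies\\Active\\{A1B2}.cip"}
{"EventID":6,"UtcTime":"2025-11-12 09:00:10.000","ImageLoaded":"C:\\Windows\\Temp\\ollama.sys","Signature":"Example Signing Co."}
{"EventID":5,"UtcTime":"2025-11-12 09:00:12.000","Image":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"}
{"EventID":5,"UtcTime":"2025-11-12 09:00:13.000","Image":"C:\\Program Files\\Huorong\\Sysdiag\\bin\\HipsDaemon.exe"}
{"EventID":11,"UtcTime":"2025-11-12 09:00:20.000","Image":"C:\\Windows\\System32\\ClipUp.exe","TargetFilename":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"}
{"EventID":7,"UtcTime":"2025-11-12 09:00:30.000","ImageLoaded":"C:\\Users\\u\\AppData\\Roaming\\helper.dll","Signature":"Example Signing Co."}
{"EventID":11,"UtcTime":"2025-11-12 09:05:00.000","Image":"C:\\Windows\\WinSxS\\amd64_servicingstack\\TiWorker.exe","TargetFilename":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe"}
'''.strip().splitlines()]

if __name__ == "__main__":
    for eid, msg in run_rules(SAMPLE_EVENTS):
        print(f"EID {eid}: {msg}")
    print("termination burst:", termination_burst(SAMPLE_EVENTS))
    print("same signer:", images_by_signer(SAMPLE_EVENTS, "Example Signing Co."))
```

Note that the TiWorker.exe write to MsMpEng.exe in the sample is deliberately not flagged: legitimate Defender platform updates replace that binary, so the rule keys on the writer rather than the target alone. The signer pivot is the local counterpart of the 71-binary finding; once the driver's signer is known, the same query over an EDR's image-load data lists every other file on the estate that chain of trust vouches for, which is the list to review before trusting a revocation to close the gap.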
Overall sentiment: strongly negative (sentiment score -0.65).