Market Impact: 0.35

Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT

Tickers: GOOGL, GOOG, MSFT, ESTC, PANW, DAO, TME
Topics: Cybersecurity & Data Privacy, Technology & Innovation

A Chinese-speaking threat actor known as Dragon Breath (aka APT-Q-27 and Golden Eye), active since at least 2020 and linked to the Miuuti Group, is deploying a multi-stage loader called RONINGLOADER to deliver a modified Gh0st RAT through trojanized NSIS installers that impersonate popular applications. According to Elastic Security Labs, the loader neutralizes endpoint protection before injecting its payload: it abuses a legitimately signed driver (ollama.sys) to terminate protected processes, tampers with WDAC policy, abuses Protected Process Light (PPL), freezes Microsoft Defender and EDR processes, and runs process-killing routines against the major Chinese antivirus products. RONINGLOADER escalates privileges, uses the PoolParty VSS injection technique, creates temporary services to load drivers, and alters firewall and UAC settings, then loads the Gh0st RAT variant, which can manipulate registry keys, erase event logs, capture keystrokes and clipboard contents, inject into svchost and TrustedInstaller, and execute remote commands. Separately, Palo Alto Networks Unit 42 identified two large-scale brand-impersonation waves, Campaign Trio (Feb–Mar 2025, roughly 2,000 domains) and Campaign Chorus (May 2025, more than 40 application lures), that rely on cloud-hosted ZIP archives, intermediary redirection and abuse of signed software to evade network filters. Together these point to a sustained, evolving operation with high operational resilience and material implications for enterprises in the Chinese region and for suppliers of endpoint and security software.

Analysis

Elastic Security Labs and Palo Alto Networks Unit 42 document converging campaigns that deliver a modified Gh0st RAT to Chinese-speaking users via the multi-stage RONINGLOADER and trojanized NSIS installers impersonating popular applications such as Google Chrome and Microsoft Teams. Elastic highlights signed-driver abuse (ollama.sys), WDAC policy tampering, PPL abuse and techniques for tampering with Microsoft Defender and other endpoint products; Elastic researchers Jia Yu Chan and Salim Bitam describe process-killing and privilege-escalation routines aimed at Microsoft Defender, Kingsoft, Tencent PC Manager and Qihoo 360 Total Security. The technical details show RONINGLOADER using PoolParty VSS injection, creating temporary services to load drivers, bypassing UAC, changing firewall rules, side-loading a DLL via regsvr32.exe, and finally deploying a Gh0st RAT variant that can edit registry keys, clear event logs, capture keystroke and clipboard data and inject into high-privilege processes. Palo Alto Unit 42 reports two brand-impersonation waves, Campaign Trio (Feb–Mar 2025, roughly 2,000 domains) and Campaign Chorus (May 2025, more than 40 app lures), indicating reuse of older infrastructure alongside more complex infection chains. Market signals show moderately negative overall sentiment (-0.5), with Microsoft carrying the largest negative per-ticker score (MSFT -0.5), while Elastic (ESTC) and Palo Alto Networks (PANW) score positively (0.4 each), implying potential near-term demand for advanced endpoint detection and response and reputational risk for vendors and platforms serving Chinese-language users.
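The evasion chain that both summaries describe (a temporary service loading a signed driver from a user-writable path, writes to the WDAC policy store, UAC and firewall changes, regsvr32 side-loading, and event-log clearing) is more useful to a defender as a per-host correlation than as separate alerts. The following Python is an added example, not Elastic's, Unit 42's or the loader's own code: it scores a stream of flattened Windows System/Security and Sysmon events per host and reports hosts that hit several stages of the chain. The event records are constructed for the example; the Windows and Sysmon event IDs and field names are the standard ones, but the host names, service names, file paths and the stage threshold are assumptions.

```python
"""Correlate the RONINGLOADER-style evasion chain across Windows events.

Added example, not Elastic's, Unit 42's or the loader's own code.  Input is
a list of flattened event dicts (one per Windows/Sysmon event) with 'host',
'channel', 'id' and the provider's own field names.  The sample events at
the bottom are constructed; hosts, service names and paths are assumptions.
"""
import re
from collections import defaultdict

# Directories an unprivileged user can write to; a kernel driver or a DLL
# fed to regsvr32 from here is suspicious regardless of its signature.
USER_WRITABLE = re.compile(r"[A-Z]:\\(Users|ProgramData|Windows\\Temp)\\", re.I)
# Where WDAC (Code Integrity) policies live on disk.
CI_POLICY_DIR = re.compile(r"\\Windows\\System32\\CodeIntegrity\\", re.I)
# Registry value that turns UAC off when set to 0 (compared lower-cased).
UAC_VALUE = r"\policies\system\enablelua"


def classify(ev):
    """Return the chain stage an event matches, or None."""
    ch, eid = ev.get("channel"), ev.get("id")
    # System 7045 (service installed): a kernel-driver service whose image
    # sits in a user-writable directory = "temporary service to load a driver".
    if ch == "System" and eid == 7045:
        if "kernel" in ev.get("ServiceType", "").lower() and USER_WRITABLE.search(ev.get("ImagePath", "")):
            return "driver_service"
    # Sysmon 6 (driver loaded): signed-driver abuse looks like a validly
    # signed driver loaded from a user-writable path.
    if ch == "Sysmon" and eid == 6 and USER_WRITABLE.search(ev.get("ImageLoaded", "")):
        return "driver_load"
    # Sysmon 11 (file created) under the Code Integrity policy store.
    if ch == "Sysmon" and eid == 11 and CI_POLICY_DIR.search(ev.get("TargetFilename", "")):
        return "wdac_policy"
    # Sysmon 13 (registry value set): EnableLUA = 0 disables UAC.
    if ch == "Sysmon" and eid == 13:
        target = ev.get("TargetObject", "").lower()
        if target.endswith(UAC_VALUE) and ev.get("Details", "").endswith("(0x00000000)"):
            return "uac_off"
    # Sysmon 1 (process created): netsh firewall changes, and regsvr32
    # registering a DLL from a user-writable path (side-loading stage).
    if ch == "Sysmon" and eid == 1:
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "")
        if image.endswith("netsh.exe") and "advfirewall" in cmd.lower():
            return "firewall_change"
        if image.endswith("regsvr32.exe") and USER_WRITABLE.search(cmd):
            return "regsvr32_sideload"
    # Security 1102 / System 104: an event log was cleared.
    if (ch == "Security" and eid == 1102) or (ch == "System" and eid == 104):
        return "log_cleared"
    return None


def hunt(events, min_stages=3):
    """Group stage hits per host; return {host: sorted stages} for hosts
    that show at least min_stages distinct stages of the chain."""
    stages = defaultdict(set)
    for ev in events:
        label = classify(ev)
        if label:
            stages[ev["host"]].add(label)
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}


# Constructed sample telemetry (not real logs).  ws01 walks the full chain,
# ws02 shows benign look-alikes, ws03 has a lone log clear.
SAMPLE_EVENTS = [
    {"host": "ws01", "channel": "System", "id": 7045, "ServiceName": "tmp_drv_4f1",
     "ServiceType": "kernel mode driver", "ImagePath": r"C:\Users\Public\Libs\ollama.sys"},
    {"host": "ws01", "channel": "Sysmon", "id": 6, "ImageLoaded": r"C:\Users\Public\Libs\ollama.sys",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"host": "ws01", "channel": "Sysmon", "id": 11, "Image": r"C:\Users\Public\Libs\setup.exe",
     "TargetFilename": r"C:\Windows\System32\CodeIntegrity\SIPolicy.p7b"},
    {"host": "ws01", "channel": "Sysmon", "id": 13, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"host": "ws01", "channel": "Sysmon", "id": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"host": "ws01", "channel": "Sysmon", "id": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\Libs\stage2.dll"},
    {"host": "ws01", "channel": "Security", "id": 1102},
    {"host": "ws02", "channel": "System", "id": 7045, "ServiceName": "vendorfilter",
     "ServiceType": "kernel mode driver", "ImagePath": r"C:\Windows\System32\drivers\vendorfilter.sys"},
    {"host": "ws02", "channel": "Sysmon", "id": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\vbscript.dll"},
    {"host": "ws03", "channel": "System", "id": 104},
]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {len(hits)} chain stages -> {', '.join(hits)}")
```

The threshold of three distinct stages is the illustrative part: a lone 7045 for a vendor driver under System32, or a lone log clear by an administrator, never reaches it, while the sequence the reports describe lights up every stage on one host. In practice the stage labels map naturally onto a SIEM correlation rule keyed on host and a short time window.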


Market Sentiment

Overall Sentiment: moderately negative
Sentiment Score: -0.50

Ticker Sentiment
DAO    0.00
ESTC   0.40
GOOG  -0.10
GOOGL -0.10
MSFT  -0.50
PANW   0.40
TME   -0.20

Key Decisions for Investors

  • Consider modestly overweighting or adding exposure to vendors with direct detection/response capabilities cited in the reports (for example PANW and ESTC) on the premise that demand for enterprise-grade endpoint telemetry and incident response may increase