Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT

Elastic observed the Dragon Breath group using RONINGLOADER, a multi-stage loader inside trojanised NSIS installers, to disable endpoint security (including Microsoft Defender via PPL/EDR-Freeze tricks) and deploy a modified Gh0st RAT. The loader kills AV processes, abuses drivers, tampers with firewalls, and side-loads DLLs to hide execution (e.g., regsvr32 → TrustedInstaller). Unit 42 also tracked large-scale brand-impersonation campaigns delivering Gh0st RAT to Chinese-speaking users.

When security tools become speed bumps
Meet RONINGLOADER — Dragon Breath’s multi-stage loader that treats endpoint protection like a polite suggestion. Bundled inside slick, trojanised installers (Chrome, Teams and friends), it slips in quietly, then goes to work disabling AV, fiddling with firewalls and side-loading payloads until a modified Gh0st RAT takes the wheel.

How it gets in
A legit-looking NSIS installer spins up, drops a benign app to keep up appearances, then launches a shadow chain: decrypted shellcode, a clean copy of ntdll.dll loaded to unhook userland API calls, and privilege-escalation attempts.

How it dodges you
The loader hunts for popular AV processes (Defender, Qihoo, Kingsoft, Tencent), kills them using a signed driver trick, abuses PPL/EDR-Freeze techniques, and even writes hostile WDAC policies to block rival security tools. Finally, it injects a malicious DLL into regsvr32.exe and pivots into high-privilege processes like TrustedInstaller.

What lands
A tuned Gh0st RAT with keylogging, clipboard theft, command execution, event-log clearing and download/execute — the usual burglar’s toolkit, neatly packaged. Related campaigns scale this with wide brand impersonation to reach Chinese-speaking users.

Defensive notes (UK-friendly)
Block untrusted installers, enforce driver-load policies, protect Defender with tamper protection, and monitor for regsvr32 abuse, WDAC policy changes and sudden AV process deaths. If your helpdesk sees “installer didn’t work but something else launched”, assume it did — just not what you expected.
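As an added defensive example (not code from Elastic's or Unit 42's write-ups), the three monitoring points above turned into a small Python detector run over constructed Sysmon-style events: regsvr32 spawning children or loading a DLL from a user-writable path, writes under the WDAC policy directory, and a burst of AV process terminations. The AV process names other than MsMpEng.exe, the user-writable path list and the burst window are assumptions to tune for your estate.

```python
"""Detection sketch for the behaviours above: regsvr32 abuse, WDAC policy writes and
sudden AV process deaths. Example code, not Elastic's or Unit 42's; events are constructed."""
import re

# Assumed AV names: MsMpEng.exe is Defender's engine; the rest are placeholders to extend.
AV_PROCESSES = {"msmpeng.exe", "360tray.exe", "kxetray.exe", "qqpctray.exe"}
# WDAC policies live under System32\CodeIntegrity (SIPolicy.p7b, CiPolicies\Active\*.cip).
WDAC_POLICY_PATH = re.compile(r"\\windows\\system32\\codeintegrity\\", re.I)
USER_WRITABLE = re.compile(r"\\(temp|appdata|programdata|users\\public)\\", re.I)

def detect(events, av_window_s=60, av_threshold=2):
    """Return (rule, evidence) pairs for Sysmon-style event dicts matching the three behaviours."""
    hits, av_deaths = [], []
    for e in events:
        if e["type"] == "process_create":
            parent, image = e.get("parent_image", "").lower(), e["image"].lower()
            cmd = e.get("cmdline", "")
            # regsvr32 registers a DLL and exits; a child such as TrustedInstaller is anomalous
            if parent.endswith("\\regsvr32.exe"):
                hits.append(("regsvr32_spawns_child", f"{parent} -> {image}"))
            # regsvr32 pointed at a DLL sitting in a user-writable directory
            if image.endswith("\\regsvr32.exe") and USER_WRITABLE.search(cmd):
                hits.append(("regsvr32_user_writable_dll", cmd))
        elif e["type"] == "file_write" and WDAC_POLICY_PATH.search(e["path"]):
            hits.append(("wdac_policy_write", f'{e["image"]} wrote {e["path"]}'))
        elif e["type"] == "process_terminate":
            name = e["image"].lower().rsplit("\\", 1)[-1]
            if name in AV_PROCESSES:
                av_deaths.append((e["ts"], name))
    # Several AV engines dying within one short window; exclude reboots by correlating shutdown events.
    av_deaths.sort()
    for i, (ts, _) in enumerate(av_deaths):
        burst = [n for t, n in av_deaths[i:] if t - ts <= av_window_s]
        if len(burst) >= av_threshold:
            hits.append(("av_process_deaths", ", ".join(burst)))
            break
    return hits

SAMPLE_EVENTS = [  # constructed for this example, not captured from a real incident
    {"type": "process_create", "ts": 100, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Users\bob\AppData\Local\Temp\ChromeSetup.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\bob\AppData\Local\Temp\update.dll"},
    {"type": "process_create", "ts": 101, "image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "parent_image": r"C:\Windows\System32\regsvr32.exe", "cmdline": "TrustedInstaller.exe"},
    {"type": "file_write", "ts": 102, "image": r"C:\Windows\System32\regsvr32.exe",
     "path": r"C:\Windows\System32\CodeIntegrity\SIPolicy.p7b"},
    {"type": "process_terminate", "ts": 103, "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe"},
    {"type": "process_terminate", "ts": 104, "image": r"C:\Program Files\360\Total Security\360tray.exe"},
]
```

Running `detect(SAMPLE_EVENTS)` yields one hit per rule in event order, with the AV burst reported last; a lone MsMpEng.exe exit stays below the threshold.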