DragonBreath

DragonBreath, also tracked as APT-Q-27, is a Chinese-nexus threat actor active since at least 2020. The actor has been linked to attacks on the online gaming and gambling industries and has targeted organizations and users in China, Taiwan, Hong Kong, Japan, Singapore, and the Philippines, including overseas Chinese individuals and Chinese-speaking users. Recent reporting associates DragonBreath with a stealthy malware campaign using the multi-stage RoningLoader (also styled RONINGLOADER), which has been documented deploying an updated Gh0st RAT variant. The infection chain uses trojanized NSIS installers masquerading as trusted software such as Google Chrome and Microsoft Teams. These installers drop a legitimate application alongside hidden malicious components to reduce suspicion. RoningLoader uses DLL side-loading, in-memory shellcode execution, code injection into regsvr32.exe, thread-pool injection, and execution in higher-privilege processes such as TrustedInstaller.exe. Reported evasion and defense-impairment behavior includes enabling SeDebugPrivilege, disabling User Account Control via registry changes, abusing Protected Process Light (PPL) to disable Microsoft Defender, using phantom DLLs, and leveraging a legitimately signed kernel driver to terminate security products and evade Chinese EDR tools. Reported targeted security products include Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, Qihoo 360 Total Security, 360 Total Security, and Huorong. The final payload is a modified Gh0st RAT that provides full remote access and has been associated with data theft, lateral movement, and long-term espionage.