RoningLoader
RONINGLOADER is a multi-stage Windows malware loader used by the DragonBreath threat actor, also tracked as APT-Q-27 and Golden Eye Dog. Elastic Security Labs documented it in November 2025. The malware has been used in campaigns targeting the gambling and online gaming sector, overseas Chinese individuals, and Chinese-speaking users across China, Taiwan, Hong Kong, Japan, Singapore, and the Philippines.
The infection chain begins with trojanized NSIS installers masquerading as legitimate software such as Google Chrome and Microsoft Teams. These installers drop a legitimate application alongside hidden malicious components, including a malicious DLL and an encrypted file disguised as a PNG image. Execution relies on DLL side-loading, after which shellcode is launched in memory and additional stages are injected into processes such as regsvr32.exe, using methods including CreateRemoteThread and LoadLibrary.
RONINGLOADER is notable for layered defense evasion and security-tool disabling. Reported behaviors include abuse of Protected Process Light (PPL) to disable Microsoft Defender, use of thread-pool injection, privilege escalation through SeDebugPrivilege, disabling User Account Control through registry modification, process enumeration with CreateToolhelp32Snapshot / Process32FirstW / Process32NextW, and movement into high-privilege processes such as TrustedInstaller.exe. The campaign also weaponizes a legitimately signed kernel driver to terminate security products at the kernel level and has been reported as targeting or evading Chinese EDR and antivirus products including Kingsoft Internet Security, Tencent PC Manager, Qihoo 360 Total Security, and Huorong.
The final payload is an updated or modified Gh0st RAT variant associated with DragonBreath, providing remote access. Detection content referenced for RONINGLOADER includes a YARA rule that identifies a specific x86 binary signature or the combined presence of strings related to PPL creation, ClipUp.exe usage, and silent regsvr32.exe execution. Recommended monitoring opportunities mentioned in the source material include unusual DLL loads from trusted Windows executables, regsvr32.exe launches without direct user action, UAC-related registry changes, unexpected service creation, and token privilege changes.
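As an added example (not code from the Mallory page or from Elastic's report), the monitoring opportunities listed above turned into a small triage function run over constructed Sysmon-style events. The event field names, the EnableLUA registry value used for the UAC check, the empty SeDebugPrivilege allowlist and the sample events are all assumptions made for illustration.

```python
import os
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
DEBUG_PRIV_ALLOWLIST = set()  # assumed: fill with admin/debug tools that legitimately take SeDebugPrivilege

def base(path):
    # Lower-case file name of a Windows path; works on non-Windows hosts too.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage(ev):
    """Return the monitoring opportunities from the write-up that one event matches."""
    hits = []
    if ev["type"] == "image_load":
        # Signed host binary loading an unsigned DLL from outside the Windows
        # system directories: the side-loading shape the loader relies on.
        if ev["image_signed"] and not ev["dll_signed"] \
                and not ev["dll"].lower().startswith(SYSTEM_DIRS):
            hits.append("unusual_dll_load")
    elif ev["type"] == "process_create" and base(ev["image"]) == "regsvr32.exe":
        # regsvr32.exe spawned by a non-interactive parent, or invoked
        # silently (/s), rather than by a user from a shell.
        silent = "/s" in ev["cmdline"].lower().split()
        if base(ev["parent"]) not in USER_PARENTS or silent:
            hits.append("regsvr32_without_user")
    elif ev["type"] == "registry_set":
        # Assumed UAC value: EnableLUA=0 turns UAC prompting off.
        if ev["key"].lower().endswith("\\policies\\system\\enablelua") and ev["value"] == 0:
            hits.append("uac_registry_change")
    elif ev["type"] == "privilege_enabled" and ev["privilege"] == "SeDebugPrivilege":
        if base(ev["image"]) not in DEBUG_PRIV_ALLOWLIST:
            hits.append("token_privilege_change")
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not real indicators
    {"type": "image_load", "image": "C:\\Temp\\setup\\chrome.exe", "image_signed": True,
     "dll": "C:\\Temp\\setup\\helper.dll", "dll_signed": False},
    {"type": "process_create", "image": "C:\\Windows\\System32\\regsvr32.exe",
     "parent": "C:\\Temp\\setup\\chrome.exe", "cmdline": "regsvr32.exe /s C:\\Temp\\setup\\helper.ocx"},
    {"type": "registry_set", "value": 0,
     "key": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA"},
    {"type": "privilege_enabled", "image": "C:\\Windows\\System32\\regsvr32.exe", "privilege": "SeDebugPrivilege"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\regsvr32.exe",  # benign: user-launched
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "regsvr32.exe C:\\Program Files\\App\\ctl.ocx"},
]

def run(events):
    """Index -> hits for every event that matched at least one opportunity."""
    return {i: h for i, ev in enumerate(events) if (h := triage(ev))}

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))
```

The benign fifth event (user-launched regsvr32.exe from explorer.exe, no /s) produces no hit, which is the distinction the "without direct user action" opportunity depends on.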
Groups observed using it
3 distinct threat actors attributed by public researchers.
A threat actor known as DragonBreath has launched a stealthy campaign using a multi-stage malware loader called RoningLoader.
"Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT"
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Privilege Escalation: 2 techniques
Stealth: 2 techniques
Other: 1 technique
Procedure quoted under both Privilege Escalation and Stealth: “Phantom DLLs and payload injection via thread pools for further antivirus process termination”
Recent activity
7 sources tracked across advisories, community write-ups, and news.
A multi-stage malware loader delivered via trojanized NSIS installers. It uses DLL side-loading, in-memory shellcode execution, code injection, privilege escalation, UAC disabling, and a signed kernel driver to disable security tools before deploying a final payload.
Multi-stage loader used to disable security tools and deliver a modified Gh0st RAT payload.
A loader associated with the DragonBreath actor, discussed in the context of abusing PPL (Protected Process Light) mechanisms.
RONINGLOADER is a multi-stage loader used to deliver additional malware payloads, associated with financially motivated attacks against the gambling sector.