A sophisticated new malware campaign, dubbed RoningLoader, is actively targeting Chinese-speaking users with a multi-stage attack leveraging DLL side-loading and code injection to evade cybersecurity defenses. This advanced loader, attributed to a threat actor known as DragonBreath, was first identified in late 2025 and employs a layered approach to stealth, aiming to disable security tools before deploying its final payload.
The RoningLoader campaign, identified by security researchers at Elastic Security Labs and AttackIQ, utilizes trojanized NSIS installers to distribute its malicious payload. These installers masquerade as legitimate software, such as Google Chrome and Microsoft Teams, to trick unsuspecting victims into executing them. The malware’s architecture is designed for resilience, incorporating multiple evasion techniques that act as fallbacks if one layer is compromised, making it a particularly challenging threat to mitigate.
Behind RoningLoader: A Deep Dive into DragonBreath’s Tactics
DragonBreath, also tracked as APT-Q-27, has a history of cyber espionage dating back to at least 2020, with a focus on the online gaming and gambling sectors across East Asia. Their latest operation showcases a significant advancement in their technical capabilities, with RoningLoader representing their most advanced campaign to date. The threat actor’s targets have historically included organizations and individuals in China, Taiwan, Hong Kong, Japan, Singapore, and the Philippines.
The initial infection vector for RoningLoader involves trojanized NSIS installers. Upon execution, these installers covertly deploy a malicious DLL alongside a legitimate application. The user perceives the legitimate software launching normally, while the malware operates in the background, initiating a series of advanced evasion steps. This dual-installation technique is designed to maintain the illusion of normalcy and minimize user suspicion.
A core component of RoningLoader’s stealth is its adept use of DLL side-loading (MITRE ATT&CK Technique T1574.002). This technique tricks a trusted Windows executable into loading a malicious DLL instead of its intended library. Because the rogue DLL is loaded by a seemingly legitimate process, it often bypasses basic security checks. Furthermore, the malware employs code injection (T1055.001) into the `regsvr32.exe` utility, a native Windows tool, to further obscure its execution. This injection process utilizes Windows APIs such as `CreateRemoteThread` and `LoadLibrary` to push malicious code into high-privilege system processes, like `TrustedInstaller.exe`, making its activity exceedingly difficult to detect.
To escalate its privileges, RoningLoader manipulates access tokens. It enables `SeDebugPrivilege` through the `AdjustTokenPrivileges` API, granting it the ability to interact with and modify protected system processes. Additionally, the malware disables User Account Control (UAC) by altering Windows registry settings, thereby removing a fundamental layer of operating system security. This allows the malware to operate with greater autonomy and less oversight from system administrators.
The ultimate goal of RoningLoader’s sophisticated evasion is to disable a wide array of cybersecurity tools. Researchers have observed that the malware actively terminates processes associated with Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. This is achieved by using a legitimately signed kernel driver that can kill security processes at the kernel level, circumventing user-mode protections entirely. This capability is crucial for ensuring the successful deployment of the final payload without interruption.
Once security measures are neutralized, the threat actor deploys a modified version of the gh0st RAT (Remote Access Trojan). This allows DragonBreath to gain complete remote control over the compromised system. The implications of this are far-reaching, enabling the attackers to conduct extensive data theft, perform lateral movement within the victim’s network, and engage in long-term espionage operations.
Defensive Strategies Against Advanced Evasion
The layered approach of RoningLoader, combining DLL side-loading, code injection, and kernel-level process termination, presents a significant challenge for traditional security solutions. AttackIQ’s emulation of these tactics, techniques, and procedures (TTPs) provides valuable insights for defenders to proactively test and strengthen their defenses. Security teams are advised to implement robust monitoring for anomalous DLL loads originating from trusted Windows executables.
Particular attention should be paid to instances of `regsvr32.exe` being launched without direct user intervention or exhibiting unusual behavior. Establishing alerts for modifications to the UAC registry keys, unexpected service creations, and unauthorized token privilege changes is also a critical step. By running regular security control validation exercises, organizations can identify and address gaps in their security posture before they can be exploited by threats like RoningLoader.
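The following is an added example, not code from the article or from Elastic Security Labs or AttackIQ, showing how the three detections recommended above (DLL side-loading into a trusted binary, a non-interactive `regsvr32.exe` launch, and a UAC registry change) can be expressed as simple heuristics over Sysmon-style telemetry. The event field names, the illustrative DLL-name subset, the parent-process allowlist and the sample events are all constructed assumptions; the UAC value names (`EnableLUA`, `ConsentPromptBehaviorAdmin`) are the standard policy values under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`.

```python
import fnmatch  # added example: heuristics and sample events are constructed

SYSTEM_DIRS = (r"c:\windows\system32\*", r"c:\windows\syswow64\*", r"c:\windows\winsxs\*")
# Illustrative subset of OS library names that side-loaded DLLs commonly shadow.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll"}
# Parents from which an interactive or installer-driven regsvr32.exe launch is expected.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "msiexec.exe"}
# UAC policy values under HKLM\...\Policies\System whose change to 0 weakens UAC.
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin"}


def _leaf(path):
    return path.lower().rsplit("\\", 1)[-1]


def _in_system_dir(path):
    return any(fnmatch.fnmatch(path.lower(), pat) for pat in SYSTEM_DIRS)


def detect(events):
    """Return (rule, subject, detail) tuples for Sysmon-style events that match a heuristic."""
    findings = []
    for e in events:
        if e["id"] == 7:  # ImageLoad: a process loaded a DLL
            dll = e["loaded"]
            # Side-loading signal: a system-library name, loaded unsigned from
            # outside the OS directories, into an otherwise trusted binary.
            if _leaf(dll) in SYSTEM_DLL_NAMES and not _in_system_dir(dll) and not e["signed"]:
                findings.append(("dll-sideload", e["image"], dll))
        elif e["id"] == 1 and _leaf(e["image"]) == "regsvr32.exe":  # ProcessCreate
            if _leaf(e["parent"]) not in INTERACTIVE_PARENTS:
                findings.append(("regsvr32-noninteractive", e["parent"], e["image"]))
        elif e["id"] == 13 and _leaf(e["key"]) in UAC_VALUES:  # RegistryValueSet
            if str(e["value"]) == "0":
                findings.append(("uac-weakened", e["key"], e["value"]))
    return findings


# Constructed sample telemetry: one benign and one suspicious case per rule.
SAMPLE_EVENTS = [
    {"id": 7, "image": r"C:\Program Files\App\app.exe",
     "loaded": r"C:\Windows\System32\version.dll", "signed": True},
    {"id": 7, "image": r"C:\Users\u\AppData\Local\Temp\setup\app.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\setup\version.dll", "signed": False},
    {"id": 1, "image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Users\u\AppData\Local\Temp\setup\app.exe"},
    {"id": 13, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "value": 0},
]
```

Running `detect(SAMPLE_EVENTS)` yields one finding per rule for the three suspicious events and nothing for the benign ones; in practice the allowlists would be tuned to the environment and the side-load rule strengthened with signer checks from the endpoint agent.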
The ongoing evolution of malware like RoningLoader underscores the necessity for continuous adaptation in cybersecurity strategies. As threat actors refine their methods to circumvent detection, defenders must remain vigilant and proactive in their efforts to safeguard sensitive information and critical systems. The future efficacy of security measures will depend on the ability to anticipate and counter these increasingly sophisticated evasion techniques.