Elastic finds RONINGLOADER: trojanized NSIS installers, signed driver ollama.sys, PPL (ClipUp) abuse to tamper with Defender, custom WDAC blocking 360/Huorong, and thread-pool injection; linked to DragonBreath. #RONINGLOADER #PPL #WDAC https://bit.ly/47TE0Pa
Dragon Breath APT group employs RONINGLOADER to disable security tools and deploy Gh0st RAT. Stay vigilant! #CyberSecurity #APT #Gh0stRAT #RONINGLOADER Link: thedailytechfeed.com/dragon-breat...
Beware of RONINGLOADER: This stealthy malware uses signed drivers to disable security tools and evade detection. Stay vigilant and ensure your software sources are trustworthy. #CyberSecurity #MalwareAlert #RONINGLOADER Link: thedailytechfeed.com/new-malware-...
Elastic discovers RoningLoader, a multi-stage loader from DragonBreath that abuses PPL and signed drivers to deliver a modified gh0st RAT against Windows users.
#apt #APTQ27 #cina #DragonBreath #ElasticSecurityLabs #RoningLoader
www.matricedigitale.it/2025/11/17/m...
iT4iNT SERVER Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT VDS VPS Cloud #CyberSecurity #Malware #GhostRAT #Roningloader #ThreatActor
~Elastic~
DragonBreath APT uses new multi-stage loader RONINGLOADER to disable security tools via PPL abuse and deploy a gh0st RAT variant.
-
IOCs: qaqkongtiao. com
-
#DragonBreath #RoningLoader #ThreatIntel