Security researchers have uncovered a sophisticated multi-stage campaign that weaponizes legitimately signed kernel drivers to disable endpoint protections and deliver a modified Gh0st RAT to Chinese-speaking users. The loader, tracked as RONINGLOADER and attributed to the Dragon Breath APT (also known as APT-Q-27 or Golden Eye), blends trojanized installers, kernel-mode drivers, and multiple fallback techniques to neutralize defenses and establish persistent remote access.

What was discovered

Elastic Security Labs, alongside corroborating analysis from several industry teams, documented an infection chain that begins with trojanized NSIS installers masquerading as familiar applications such as Google Chrome and Microsoft Teams. Those installers drop two nested NSIS packages: one installs legitimate software to avoid suspicion, while the other quietly launches the attack chain.

Once executed, RONINGLOADER drops a DLL and an encrypted payload named tp.png, decrypts that payload and runs the resulting shellcode in memory, and then proceeds through multiple stages of privilege escalation, process termination, driver loading, and payload injection. The final payload is a modified build of Gh0st RAT that implements keystroke logging, clipboard capture, command execution, registry modification, event log clearing, and other remote-administration capabilities.

Researchers Jia Yu Chan and Salim Bitam of Elastic summarized the method as a multi-stage delivery mechanism using many redundancies aimed at neutralizing endpoint security products popular in the Chinese market.

How RONINGLOADER disables security tools

RONINGLOADER employs several complementary and redundant techniques to disable endpoint defenses:

  • It scans for a hardcoded list of security-related processes, including Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, Qihoo 360 Total Security, and Huorong Security, then attempts to terminate or block them.
  • It uses a legitimately signed kernel driver named ollama.sys (signed with a certificate issued to Kunming Wuqi E-commerce Co., Ltd. and reported valid through February 2026) to terminate processes from kernel mode via IOCTLs. Elastic researchers found dozens of other signed binaries using the same certificate, raising questions about certificate compromise or misuse.
  • For Qihoo 360 in particular, the loader performs an elaborate sequence: it blocks network communications by adding firewall rules, grants itself SeDebugPrivilege, starts and enumerates the Volume Shadow Copy service (vssvc.exe), injects shellcode into that service using a PoolParty-style technique, loads the signed driver as a temporary service (xererre1 or ollama), uses the driver to terminate processes, and then restores the firewall settings.
  • It attempts to remove userland hooks by loading a fresh copy of ntdll.dll, abuses Protected Process Light (PPL) and Windows Error Reporting mechanisms (WerFaultSecure.exe) to freeze or corrupt Microsoft Defender components, and writes custom Windows Defender Application Control (WDAC) policies to explicitly block certain Chinese security vendors.
  • The loader can inject a rogue DLL into regsvr32.exe and then into higher-privilege processes such as TrustedInstaller.exe or elevation_service.exe to launch the final payload stealthily.

These layered tactics give the adversary multiple fallback paths: when one method is blocked, another can succeed.

Campaign scale and related brand-impersonation waves

Palo Alto Networks Unit 42 identified two related brand-impersonation campaigns that delivered Gh0st RAT to Chinese-speaking audiences earlier in 2025. The first, dubbed Campaign Trio (February–March 2025), impersonated a small number of utilities across roughly 2,000 domains. A later, more complex wave called Campaign Chorus (May 2025) impersonated more than 40 apps including popular regional software and used intermediary redirect domains and public cloud storage buckets to host trojanized installers.

Unit 42 researchers described a progression from simple droppers to complex, multi-stage infection chains that misuse legitimate, signed software and intermediary infrastructure to bypass filters and increase operational resilience.

Dragon Breath itself has a longer history: security firms previously linked the group to attacks on online gaming and gambling sectors and documented DLL side-loading and other evasive techniques in campaigns dating back to 2020 and 2022–2023.

Technical indicators and notable artifacts

  • Trojans use NSIS installers and nested NSIS payloads; example filenames observed include letsvpnlatest.exe (benign install) and Snieoatwtregoable.exe (malicious launcher).
  • Disk artifacts: Snieoatwtregoable.dll and tp.png (encrypted payload) in a created directory such as C:\Program Files\Snieoatwtregoable\.
  • Signed driver: ollama.sys, loaded as a temporary service 'ollama' or 'xererre1'.
  • Techniques observed: kernel-mode process termination via signed driver, WDAC policy manipulation, PPL and WerFaultSecure abuse, PoolParty-style VSS injection, regsvr32 side-loading, thread-pool and file-write-trigger injection.
  • Final implant: modified Gh0st RAT with encrypted TCP C2, keystroke and clipboard capture, foreground window tracking, MetaMask wallet monitoring, and remote command execution.
Why this matters

The campaign highlights an escalating trend: sophisticated actors are combining social engineering (brand impersonation) with abuse of legitimate Windows features and signed software to neutralize defenses. Using signed drivers to kill security processes from kernel mode undermines many user-mode protections and complicates EDR detection.

Elastic and other vendors have developed behavioral detection rules for PPL abuse and similar tactics, and discovery of this campaign came in part from telemetry flagged by such rules. Still, the multiplicity of fallback techniques and the use of legitimate certificates make detection and mitigation harder for defenders, particularly in environments that rely on the targeted Chinese security products.

What defenders should do

Security teams and administrators should consider layered mitigations, including:

  • Apply behavioral EDR rules that detect PPL abuse, suspicious driver loads, and unexpected regsvr32 or NSIS activity.
  • Monitor for unusual signed driver loads and validate driver signing certificates through vendor channels; treat unexpected new drivers with high scrutiny. A valid Authenticode signature is not a trust decision on its own: ollama.sys carried a valid signature, so also enable Microsoft's vulnerable-driver blocklist and HVCI where the hardware allows it, and baseline which drivers and signers are expected on each fleet.
  • Restrict who can install drivers and create services, and enforce least privilege so that installers cannot obtain administrative rights without review.
  • Harden WDAC/Code Integrity policies intentionally and monitor for unauthorized policy changes.
  • Block or closely inspect trojanized installer sources and intermediary redirect domains, and adopt safe download practices for installers (use vendor sites and verify checksums).
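The lists above give concrete artifacts (ollama.sys, the ollama/xererre1 service names, the Snieoatwtregoable drop directory, tp.png) and behaviors (firewall rules against security products, WerFaultSecure.exe abuse, WDAC policy writes, regsvr32 injection). The following is an added hunting example for this page, not Elastic's or Unit 42's detection content: it runs rules for each of those stages over Sysmon-style events and scores a host by how many distinct stages fire, which is what the loader's fallback design calls for. The events are constructed for the example. The WDAC policy paths, the expected parents of WerFaultSecure.exe, the representative product process names (MsMpEng.exe, 360Tray.exe), and the use of netsh.exe to add the firewall rules are assumptions, not details from the reporting.

```python
"""Hunting rules for the RONINGLOADER artifacts over Sysmon-style events.

Added example for this page, not Elastic's or Unit 42's detection content.
Field names follow the Sysmon schema; SAMPLE_EVENTS are constructed."""
import ntpath
from collections import defaultdict

# Indicators taken from the article.
ABUSED_DRIVERS = {"ollama.sys"}
TEMP_SERVICE_NAMES = {"ollama", "xererre1"}
SUSPECT_SIGNER = "kunming wuqi e-commerce"
DROP_DIR = r"c:\program files\snieoatwtregoable"
PAYLOAD_FILES = {"tp.png", "snieoatwtregoable.dll"}

# Assumptions, not from the article: standard WDAC policy locations, the
# legitimate parents of WerFaultSecure.exe, representative process names of
# the targeted products (MsMpEng.exe = Defender, 360Tray.exe = Qihoo 360),
# and netsh.exe as one way the firewall rules could be added.
WDAC_PATHS = ("c:\\windows\\system32\\codeintegrity\\sipolicy.p7b",
              "c:\\windows\\system32\\codeintegrity\\cipolicies\\active\\")
WER_PARENTS = {"svchost.exe", "wermgr.exe"}
SECURITY_PROCS = ("msmpeng.exe", "360tray.exe")


def _base(path):
    return ntpath.basename(path or "").lower()


def classify(e):
    """Return the name of the chain stage an event matches, or None."""
    eid = e.get("EventID")
    if eid == 6:  # Sysmon: driver loaded
        if (_base(e.get("ImageLoaded")) in ABUSED_DRIVERS
                or SUSPECT_SIGNER in e.get("Signature", "").lower()):
            return "kernel-driver-load"
    elif eid == 7045:  # System log: a service was installed
        if (e.get("ServiceName", "").lower() in TEMP_SERVICE_NAMES
                or _base(e.get("ImagePath")) in ABUSED_DRIVERS):
            return "temporary-driver-service"
    elif eid == 1:  # Sysmon: process created
        image, parent = _base(e.get("Image")), _base(e.get("ParentImage"))
        cmd = e.get("CommandLine", "").lower()
        parent_path = (e.get("ParentImage") or "").lower()
        if image == "regsvr32.exe" and (DROP_DIR in cmd or DROP_DIR in parent_path):
            return "regsvr32-sideload"
        if image == "werfaultsecure.exe" and parent not in WER_PARENTS:
            return "werfaultsecure-ppl-abuse"
        if (image == "netsh.exe" and "advfirewall" in cmd and "add rule" in cmd
                and any(p in cmd for p in SECURITY_PROCS)):
            return "firewall-block-av"
    elif eid == 11:  # Sysmon: file created
        target = (e.get("TargetFilename") or "").lower()
        if _base(target) in PAYLOAD_FILES or target.startswith(DROP_DIR):
            return "dropper-artifact"
        if target.startswith(WDAC_PATHS):
            return "wdac-policy-write"
    return None


def hunt(events):
    """Distinct stages seen per host; count stages, not events."""
    hits = defaultdict(set)
    for e in events:
        stage = classify(e)
        if stage:
            hits[e["Computer"]].add(stage)
    return {host: sorted(stages) for host, stages in hits.items()}


def verdict(stages):
    """Two or more distinct stages is the layered chain, not a lone false positive."""
    if not stages:
        return "clean"
    return "high" if len(stages) >= 2 else "review"


SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"Computer": "WS-01", "EventID": 11, "TargetFilename": r"C:\Program Files\Snieoatwtregoable\tp.png"},
    {"Computer": "WS-01", "EventID": 1, "Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Program Files\Snieoatwtregoable\Snieoatwtregoable.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name=q dir=out action=block program="C:\\360\\360Tray.exe"'},
    {"Computer": "WS-01", "EventID": 7045, "ServiceName": "xererre1", "ImagePath": r"C:\Windows\Temp\ollama.sys"},
    {"Computer": "WS-01", "EventID": 6, "ImageLoaded": r"C:\Windows\Temp\ollama.sys",
     "Signature": "Kunming Wuqi E-commerce Co., Ltd.", "SignatureStatus": "Valid"},
    {"Computer": "WS-01", "EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Snieoatwtregoable\Snieoatwtregoable.exe", "CommandLine": "regsvr32.exe"},
    {"Computer": "WS-01", "EventID": 1, "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "ParentImage": r"C:\Windows\System32\regsvr32.exe", "CommandLine": "WerFaultSecure.exe /h /pid 1234"},
    {"Computer": "WS-01", "EventID": 11, "TargetFilename": r"C:\Windows\System32\CodeIntegrity\SiPolicy.p7b"},
    # Benign noise on a second host: a Microsoft driver and WerFaultSecure under svchost.
    {"Computer": "WS-02", "EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Computer": "WS-02", "EventID": 1, "Image": r"C:\Windows\System32\WerFaultSecure.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "WerFaultSecure.exe /h /pid 99"},
]

if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(host, verdict(stages), stages)
```

Run as-is, the constructed host WS-01 scores high because seven distinct stages fire, while WS-02 stays clean. Keying the verdict on distinct stages rather than event counts matters here: the loader's fallback paths mean any single technique may be absent on a given host, but two or more of them together are unlikely to be benign, and the per-stage rules (driver load, service install, WDAC write) each remain useful on their own as alerts to review.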

Vendors and researchers continue to publish indicators of compromise and detection guidance; organizations operating in Chinese-language markets should be especially vigilant given the campaign's targeting choices.

Attribution and open questions

Industry teams tie this activity to Dragon Breath and related clusters such as Miuuti Group, but attribution always carries uncertainty. Elastic, Unit 42, and other researchers emphasize the technical overlap with previously observed Dragon Breath techniques and the group's historical focus on gaming and gambling sectors. The discovery that a single signing certificate appears across dozens of binaries raises further questions about whether certificate theft, attacker purchase, or a compromised signing process is involved — a point that may attract further investigation by vendors and platform owners.

For now, the technical community is treating RONINGLOADER as a notable escalation: legitimate signing and deep Windows feature abuse combined with extensive redundancy make it a resilient and stealthy loader capable of delivering a potent remote access trojan to targeted victims.

Researchers cited: Elastic Security Labs researchers Jia Yu Chan and Salim Bitam; Palo Alto Networks Unit 42 researchers including Keerthiraj Nagaraj, Vishwa Thothathri, Nabeel Mohamed, and Reethika Ramesh. Reporting draws on coordinated telemetry and published analysis from multiple security vendors and incident responders.
