RONINGLOADER: DragonBreath's New Path to PPL Abuse
Essential information
- Published: 19/11/2025 08:54
- Modified: 19/11/2025 09:44
- Tags: 2025-11-19, apt, chinese, edr evasion, driver abuse, gh0st rat, ppl abuse, roningloader, thread-pool injection, wdac
- Related entities: 14 observables, 1 intrusion set (apt), 21 techniques (mitre), 4 malware, 3 others
Description
Elastic Security Labs uncovered a campaign by DragonBreath APT using a multi-stage loader named RONINGLOADER to deploy an updated gh0st RAT variant. The malware employs various evasion techniques targeting Chinese EDR tools, including signed driver abuse, thread-pool injection, and PPL exploitation to disable Microsoft Defender. The infection chain begins with trojanized NSIS installers masquerading as legitimate software. RONINGLOADER leverages multiple stages to terminate antivirus processes, apply custom WDAC policies, and inject the final payload into trusted system processes. The campaign demonstrates an evolution in DragonBreath's tactics, showcasing adaptability and sophisticated evasion methods.