RoningLoader Campaign Uses DLL Side-Loading and Code Injection to Evade Detection
Key Takeaways
- A new, sophisticated malware loader named RoningLoader is targeting Chinese-speaking users, disguised as legitimate software like Google Chrome and Microsoft Teams.
- The threat actor, DragonBreath (APT-Q-27), employs a multi-stage attack involving DLL side-loading, code injection, and a signed kernel driver to disable security products.
- RoningLoader’s primary goal is to deploy a modified version of gh0st RAT, providing attackers with full remote access for espionage and data theft.
- This campaign significantly impacts endpoint security, actively disabling major antivirus solutions including Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security.
DragonBreath Unleashes RoningLoader: A New Era of Evasion
A highly evasive multi-stage malware loader, dubbed RoningLoader, has been uncovered in a new campaign attributed to the advanced persistent threat (APT) group DragonBreath. This operation specifically targets Chinese-speaking users, cleverly masquerading as popular applications such as Google Chrome and Microsoft Teams to infiltrate systems.
The malware’s formidable capabilities stem from its multi-layered approach to stealth, integrating DLL side-loading, code injection, and the use of signed kernel drivers to silently incapacitate security software.
RoningLoader first appeared in November 2025, when Elastic Security Labs documented its deployment against systems equipped with Chinese endpoint detection tools. The malware’s propagation relies on trojanized NSIS installers, a legitimate installer framework frequently abused by threat actors. Upon execution, these malicious installers covertly drop a malicious DLL and an encrypted file disguised as a PNG image.
This encrypted file contains shellcode that initiates the subsequent attack stages entirely in memory, thereby minimizing forensic traces on disk.
AttackIQ researchers comprehensively analyzed RoningLoader’s post-compromise behaviors, meticulously mapping them against the MITRE ATT&CK framework. The research team subsequently released an emulation-based attack graph that mirrors the tactics, techniques, and procedures (TTPs) employed by DragonBreath in this campaign. Their findings highlight a technically sophisticated and deliberately redundant threat, engineered to persist even if one layer of its evasion mechanisms fails.
Disabling Defenses and Deploying RAT
The campaign’s impact extends beyond mere malware delivery; RoningLoader actively disables a range of prominent security products, including Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. It achieves this by leveraging a legitimately signed kernel driver to terminate these processes at the kernel level, effectively bypassing standard user-mode protections.
In its final stage, the attacker deploys a modified version of gh0st RAT, granting complete remote access to the compromised system. This access facilitates data exfiltration, lateral movement within the network, and long-term espionage activities.
DragonBreath, also known as APT-Q-27, has been active since at least 2020, with a history of targeting the online gaming and gambling industries. Its operational scope includes China, Taiwan, Hong Kong, Japan, Singapore, and the Philippines. The group has consistently refined its methodologies, and RoningLoader represents its most technically advanced campaign to date.
Inside the Evasion Engine: How RoningLoader Hides Its Tracks
A hallmark of RoningLoader is its strategic chaining of multiple evasion techniques, where each layer provides redundancy for the next. This intentional design ensures that if one method fails, the malware has several alternative mechanisms to maintain its stealth and functionality.
The attack sequence begins with the execution of the trojanized NSIS installer. This installer concurrently drops a legitimate application and a hidden malicious binary. The genuine software operates normally in the foreground, keeping the user unsuspicious, while the malware executes quietly in the background. This “twin-installation” technique makes the initial infection exceptionally difficult to detect.
RoningLoader then employs DLL side-loading (T1574.002), manipulating a trusted Windows executable into loading a malicious DLL instead of its legitimate counterpart. Since the rogue DLL operates under a signed and trusted process, most security tools mistakenly perceive it as normal activity. Subsequently, the malware injects code into regsvr32.exe, a native Windows utility, using CreateRemoteThread and LoadLibrary (T1055.001). This pushes execution into high-privilege processes like TrustedInstaller.exe, further obscuring its malicious activities.
To gain elevated privileges, the malware enables SeDebugPrivilege via the AdjustTokenPrivileges API, allowing it to open protected processes that would otherwise be inaccessible. It also disables User Account Control (UAC) by modifying the Windows registry, removing a fundamental system defense. RoningLoader then uses CreateToolhelp32Snapshot together with Process32FirstW and Process32NextW to enumerate all running processes, identify active antivirus tools, and terminate them before the final gh0st RAT payload is launched.
What You Should Do
- Monitor for unusual DLL loads originating from trusted Windows executables.
- Flag instances where regsvr32.exe launches without direct user initiation.
- Implement alerts for modifications to UAC registry settings, unexpected service creations, and token changes.
- Conduct regular security control validation and adversarial emulation against RoningLoader’s documented TTPs to identify and remediate defensive gaps proactively.
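The four detection points above, together with the side-loading, regsvr32 injection, SeDebugPrivilege and UAC steps described in the evasion section, as an added Python example that is not from the article or from AttackIQ's attack graph: a small rule pass over constructed Sysmon-style events. It assumes Sysmon field names (Image, ImageLoaded, Signed, ParentImage, SourceImage, TargetImage, TargetObject, Details), Windows Security event 4703 for token right changes, and that UAC is disabled through the EnableLUA value, which the article does not name.

```python
import ntpath

# Parent images treated as direct user initiation (assumption: a shell or explorer launch).
USER_LAUNCHERS = {"explorer.exe", "cmd.exe", "powershell.exe"}
# Assumed UAC value; the article only says "UAC registry settings".
UAC_KEY_SUFFIX = r"\policies\system\enablelua"

def base(path):
    return ntpath.basename(path).lower()

def under_windows(path):
    return path.lower().startswith("c:\\windows\\")

def detect(events):
    """Return (rule, subject, detail) tuples for events matching the article's detection points."""
    alerts = []
    for e in events:
        eid = e["EventID"]
        if eid == 7 and e.get("Signed") == "false" and not under_windows(e["ImageLoaded"]):
            # Image Loaded: a host process pulling an unsigned DLL from outside %WINDIR% (side-load candidate)
            alerts.append(("dll_sideload", e["Image"], e["ImageLoaded"]))
        elif eid == 1 and base(e["Image"]) == "regsvr32.exe" and base(e["ParentImage"]) not in USER_LAUNCHERS:
            alerts.append(("regsvr32_not_user_initiated", e["ParentImage"], e["Image"]))
        elif eid == 8 and base(e["TargetImage"]) == "regsvr32.exe":
            # CreateRemoteThread into regsvr32.exe (the T1055.001 step described in the article)
            alerts.append(("remote_thread_into_regsvr32", e["SourceImage"], e["TargetImage"]))
        elif eid == 13 and e["TargetObject"].lower().endswith(UAC_KEY_SUFFIX) and "0x00000000" in e["Details"]:
            alerts.append(("uac_disabled", e["TargetObject"], e["Details"]))
        elif eid == 4703 and "SeDebugPrivilege" in e.get("EnabledPrivilegeList", ""):
            alerts.append(("sedebug_enabled", e["ProcessName"], e["EnabledPrivilegeList"]))
    return alerts

# Constructed sample telemetry (Sysmon IDs 7/1/8/13 and Security 4703); not real campaign data.
DROP_DIR = r"C:\Users\user\AppData\Local\Temp\nsisTEST"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": DROP_DIR + r"\chrome.exe", "ImageLoaded": DROP_DIR + r"\version.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": DROP_DIR + r"\chrome.exe"},
    {"EventID": 8, "SourceImage": DROP_DIR + r"\chrome.exe", "TargetImage": r"C:\Windows\System32\regsvr32.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 4703, "ProcessName": DROP_DIR + r"\chrome.exe", "EnabledPrivilegeList": "SeDebugPrivilege"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe", "ParentImage": r"C:\Windows\explorer.exe"},  # benign
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true"},  # benign
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

The two trailing benign events show the rules stay quiet for a user-launched regsvr32.exe and a signed system DLL load.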
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.