RoningLoader Campaign Uses DLL Side-Loading and Code Injection to Evade Detection

Emy Elsamnoudy
April 9, 2026

Key Takeaways

  • A new, sophisticated malware loader named RoningLoader is targeting Chinese-speaking users, disguised as legitimate software like Google Chrome and Microsoft Teams.
  • The threat actor, DragonBreath (APT-Q-27), employs a multi-stage attack involving DLL side-loading, code injection, and a signed kernel driver to disable security products.
  • RoningLoader’s primary goal is to deploy a modified version of gh0st RAT, providing attackers with full remote access for espionage and data theft.
  • This campaign significantly impacts endpoint security, actively disabling major antivirus solutions including Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security.

DragonBreath Unleashes RoningLoader: A New Era of Evasion

A highly evasive multi-stage malware loader, dubbed RoningLoader, has been uncovered in a new campaign attributed to the advanced persistent threat (APT) group DragonBreath. This operation specifically targets Chinese-speaking users, cleverly masquerading as popular applications such as Google Chrome and Microsoft Teams to infiltrate systems.

The malware’s formidable capabilities stem from its multi-layered approach to stealth, integrating DLL side-loading, code injection, and the use of signed kernel drivers to silently incapacitate security software.

RoningLoader first appeared in November 2025, when Elastic Security Labs documented its deployment against systems equipped with Chinese endpoint detection tools. The malware propagates through trojanized installers built with NSIS, a legitimate installer framework that threat actors frequently abuse. Upon execution, these malicious installers covertly drop a malicious DLL and an encrypted file disguised as a PNG image.

This encrypted file contains shellcode that initiates the subsequent attack stages entirely in memory, thereby minimizing forensic traces on disk.

AttackIQ researchers comprehensively analyzed RoningLoader’s post-compromise behaviors, meticulously mapping them against the MITRE ATT&CK framework. The research team subsequently released an emulation-based attack graph that mirrors the tactics, techniques, and procedures (TTPs) employed by DragonBreath in this campaign. Their findings highlight a technically sophisticated and deliberately redundant threat, engineered to persist even if one layer of its evasion mechanisms fails.

Disabling Defenses and Deploying RAT

The campaign’s impact extends beyond mere malware delivery; RoningLoader actively disables a range of prominent security products, including Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. It achieves this by leveraging a legitimately signed kernel driver to terminate these processes at the kernel level, effectively bypassing standard user-mode protections.

In its final stage, the attacker deploys a modified version of gh0st RAT, granting complete remote access to the compromised system. This access facilitates data exfiltration, lateral movement within the network, and long-term espionage activities.

DragonBreath, also known as APT-Q-27, has been active since at least 2020, with a history of targeting the online gaming and gambling industries. Its operational scope includes China, Taiwan, Hong Kong, Japan, Singapore, and the Philippines. The group has consistently refined its methodologies, and RoningLoader represents its most technically advanced campaign to date.

Inside the Evasion Engine: How RoningLoader Hides Its Tracks

A hallmark of RoningLoader is its strategic chaining of multiple evasion techniques, where each layer provides redundancy for the next. This intentional design ensures that if one method fails, the malware has several alternative mechanisms to maintain its stealth and functionality.

The attack sequence begins with the execution of the trojanized NSIS installer. This installer concurrently drops a legitimate application and a hidden malicious binary. The genuine software operates normally in the foreground, keeping the user unsuspicious, while the malware executes quietly in the background. This “twin-installation” technique makes the initial infection exceptionally difficult to detect.

RoningLoader then employs DLL side-loading (T1574.002), manipulating a trusted Windows executable into loading a malicious DLL instead of its legitimate counterpart. Since the rogue DLL operates under a signed and trusted process, most security tools mistakenly perceive it as normal activity. Subsequently, the malware injects code into regsvr32.exe, a native Windows utility, using CreateRemoteThread and LoadLibrary (T1055.001). This pushes execution into high-privilege processes like TrustedInstaller.exe, further obscuring its malicious activities.

To gain elevated privileges, the malware enables SeDebugPrivilege via the AdjustTokenPrivileges API, allowing it to interact with protected processes that would otherwise be inaccessible. It also disables User Account Control (UAC) by modifying the Windows registry, thereby dismantling a fundamental system defense. RoningLoader then uses CreateToolhelp32Snapshot together with Process32FirstW and Process32NextW to enumerate all running processes, identify active antivirus tools, and terminate them before the final gh0st RAT payload is unleashed.

What You Should Do

  • Monitor for unusual DLL loads originating from trusted Windows executables.
  • Flag instances where regsvr32.exe launches without direct user initiation.
  • Implement alerts for modifications to UAC registry settings, unexpected service creations, and token changes.
  • Conduct regular security control validation and adversarial emulation against RoningLoader’s documented TTPs to identify and remediate defensive gaps proactively.
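The following is an added example, not code from the article or from AttackIQ's attack graph, showing how the behaviours described above (side-loaded DLLs under a trusted host, regsvr32.exe started outside a user session, the UAC registry change, and SeDebugPrivilege being enabled) translate into simple detection rules run over constructed Sysmon-style and Security-log-style event records. The side-loaded DLL name list, the field names and the sample telemetry are assumptions chosen for illustration; tune them to your own environment.

```python
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Commonly side-loaded DLL names (assumed, illustrative list; tune for your estate).
SIDELOAD_NAMES = {"version.dll", "dwmapi.dll", "wtsapi32.dll", "cryptbase.dll"}
USER_SHELLS = {"explorer.exe"}
# EnableLUA = 0 under HKLM\...\Policies\System turns UAC off.
UAC_VALUE = r"\policies\system\enablelua"

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(e):
    """Return a finding for one Sysmon/Security-style event, or None if benign."""
    eid = e["EventID"]
    if eid == 7:  # Sysmon image load: host loading an unsigned DLL from a non-system path
        dll = e["ImageLoaded"].lower()
        if (_base(dll) in SIDELOAD_NAMES and not dll.startswith(SYSTEM_DIRS)
                and e.get("Signed", "false").lower() != "true"):
            return f"dll_sideload: {_base(e['Image'])} loaded unsigned {dll}"
    elif eid == 1:  # Sysmon process create: regsvr32.exe not started from the user's shell
        if _base(e["Image"]) == "regsvr32.exe" and _base(e["ParentImage"]) not in USER_SHELLS:
            return f"regsvr32_no_user: parent {_base(e['ParentImage'])}"
    elif eid == 13:  # Sysmon registry value set: UAC switched off (Sysmon renders DWORDs as "DWORD (0x...)")
        tgt = e["TargetObject"].lower()
        if tgt.endswith(UAC_VALUE) and e["Details"].endswith("(0x00000000)"):
            return f"uac_disabled: {tgt} set to {e['Details']}"
    elif eid == 4703:  # Security log: token privileges adjusted (noisy; baseline system processes first)
        if "sedebugprivilege" in e.get("EnabledPrivilegeList", "").lower():
            return f"sedebug_enabled: {_base(e['ProcessName'])}"
    return None

def scan(events):
    return [f for f in map(detect, events) if f]

# Constructed sample telemetry (not real campaign data); one benign system DLL load is included.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\signed_app.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 4703, "ProcessName": r"C:\Users\u\AppData\Local\Temp\signed_app.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\signed_app.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Each rule on its own is noisy (legitimate installers also load their own DLLs, and many system processes enable SeDebugPrivilege); the value lies in correlating two or more findings from the same process tree within a short window.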
