Elastic Security Labs has uncovered a highly sophisticated malware campaign led by the Dragon Breath APT group (APT-Q-27), revealing a new multi-stage loader that the researchers have named RoningLoader. The campaign uses trojanized installers posing as trusted applications such as Google Chrome and Microsoft Teams, and exhibits a dramatic evolution in evasion, defense bypass, and persistence techniques.
This activity primarily targets Chinese-speaking users, continuing a long-running trend of DragonBreath operations dating back to 2022–2023.
Elastic researchers highlight this campaign as a major upgrade in sophistication compared to earlier DragonBreath activity.
The report states, “This campaign primarily targets Chinese-speaking users and demonstrates a clear evolution in adaptability compared to earlier DragonBreath-related campaigns.”
The attackers use multi-layered NSIS installers where a benign app is installed to maintain legitimacy while the malicious chain executes silently in the background.
One of the most concerning findings is the abuse of Protected Process Light (PPL)—a security mechanism used by Windows Defender. Elastic notes, “The malware employs an abuse of Protected Process Light (PPL) to disable Windows Defender.”
The malware uses ClipUp.exe with custom hooks to overwrite critical Defender binaries, effectively killing Microsoft Defender even after reboot.
In a major escalation, the attackers deploy a legitimately signed kernel driver to terminate antivirus processes at the kernel level, bypassing user-mode protections. The report explains, “Threat actors leverage a valid, signed kernel driver to kill processes.” This driver, ollama.sys, is signed by Kunming Wuqi E-commerce Co., Ltd., raising suspicions of certificate leakage or abuse.
The attackers apply unsigned Windows Defender Application Control (WDAC) policies, allowing the malware to run without signature requirements and specifically disabling certain Chinese antivirus engines. According to the report, “Custom unsigned WDAC policy applied to block 360 Total Security and Huorong executables.” This represents a strategic focus on evading widely used security tools in the Chinese market.
RoningLoader executes one of the most complex process-injection workflows seen in DragonBreath operations. This includes:
- ThreadPool-based process injection
- Reflective loading of PE files
- Phantom DLL sideloading (e.g., Wow64Log.dll)
- Process hollowing and remote thread execution
- Kernel-mode process killing via IOCTLs
Elastic reports, “Phantom DLLs and payload injection via thread pools for further antivirus process termination.”
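For a defender triaging a Windows host against the behaviours described above (Defender tampering, an unexpected WDAC policy, a third-party signed driver, and the Wow64Log.dll phantom DLL), the following PowerShell script is an added example written for this article; it is not code from Elastic's report or from the malware. The file locations and the driver file name it matches on are assumptions drawn from the text, and the Defender and Code Integrity paths are the standard ones on a default installation. Run it from an elevated prompt.

```powershell
# Added host-triage example (not from Elastic's report). Paths are assumptions.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Is Microsoft Defender still running with real-time protection enabled?
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AMServiceEnabled)          { $findings.Add("Defender AM service disabled") }
    if (-not $mp.RealTimeProtectionEnabled) { $findings.Add("Defender real-time protection off") }
} catch {
    $findings.Add("Get-MpComputerStatus failed: $($_.Exception.Message) (Defender may be damaged)")
}

# 2. Defender platform binaries must carry a valid Microsoft signature.
#    A binary overwritten by the ClipUp.exe technique above fails this check.
$platformRoot = Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform'
Get-ChildItem -Path $platformRoot -Recurse -Include 'MsMpEng.exe','MpSvc.dll','MpClient.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings.Add("Unexpected signature on $($_.FullName): $($sig.Status)")
        }
    }

# 3. WDAC / Code Integrity policy artifacts. A policy file on a host that was never
#    enrolled in WDAC, or one with a recent write time, deserves a closer look.
$ciDir = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
Get-ChildItem -Path $ciDir -Recurse -Include 'SIPolicy.p7b','*.cip' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Code Integrity policy present: $($_.FullName) (modified $($_.LastWriteTime))") }
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    # 0 = off, 1 = audit, 2 = enforced
    $findings.Add("User-mode Code Integrity enforcement status: $($dg.UsermodeCodeIntegrityPolicyEnforcementStatus)")
}

# 4. Phantom DLL check: wow64.dll loads Wow64Log.dll from System32 when the file exists,
#    and on a clean Windows installation it does not exist.
$phantom = Join-Path $env:SystemRoot 'System32\Wow64Log.dll'
if (Test-Path $phantom) {
    $sig = Get-AuthenticodeSignature -FilePath $phantom
    $findings.Add("Wow64Log.dll present in System32 (signature status: $($sig.Status))")
}

# 5. Loaded kernel drivers not signed by Microsoft. The report names the driver ollama.sys
#    but not its location, so it is matched on file name only (assumption).
Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path $path)) { return }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        if ($signer -notmatch 'Microsoft' -or $path -match 'ollama\.sys$') {
            $findings.Add("Non-Microsoft driver loaded: $($_.Name) -> $path [$signer]")
        }
    }

if ($findings.Count -eq 0) { "No findings." } else { $findings | ForEach-Object { "[!] $_" } }
```

The script reports rather than remediates: a non-Microsoft driver or a Code Integrity policy file is not proof of compromise on its own (some enterprises deploy WDAC deliberately), so each finding should be compared against the host's expected baseline before acting on it.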
At the end of the chain, RoningLoader deploys a lightly updated version of the gh0st RAT, which continues to serve as DragonBreath’s espionage and control tool.
Elastic states, “The final payload has minor updates and is associated with DragonBreath.”
The RAT includes:
- Full remote command execution
- Keylogging
- Clipboard monitoring and hijacking
- System profiling (hardware, OS, AV presence)
- C2 communications over XOR-encrypted TCP
- Plugin-based payload delivery
- Telegram detection
Each victim system repeatedly sends detailed beacon packets containing host, OS, CPU, AV, and telemetry data.
A notable addition is a clipboard hijacker capable of replacing cryptocurrency wallet addresses on the fly. This functionality is configured remotely: “The malware also implements a clipboard hijacker that is remotely configured through C2 command ID 243.” This suggests the group may be targeting cryptocurrency theft in addition to espionage.
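The clipboard behaviour described above can be approximated from the defender's side without hooking anything: poll the clipboard and flag the case where a freshly copied wallet address is replaced by a different wallet address within a short window. The PowerShell below is an added example written for this article, not code from the report; the poll interval, the three-second window and the address patterns (common Bitcoin and Ethereum formats only) are assumptions.

```powershell
# Added detection heuristic (not from Elastic's report). Patterns and timings are assumptions.
$walletPatterns = @{
    'BTC-legacy' = '^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$'
    'BTC-bech32' = '^bc1[a-z0-9]{39,59}$'
    'ETH'        = '^0x[0-9a-fA-F]{40}$'
}

# Returns the wallet format a string matches, or $null when it is not an address.
function Get-WalletKind([string]$text) {
    foreach ($k in $walletPatterns.Keys) {
        if ($text -match $walletPatterns[$k]) { return $k }
    }
    return $null
}

# True when two successive clipboard values are both wallet addresses, differ, and the
# change happened within $window seconds: consistent with a hijacker overwriting what
# the user just copied. Any format-to-format change counts, so a swap across formats is
# also flagged.
function Test-ClipboardSwap([string]$previous, [string]$current, [double]$secondsApart, [double]$window = 3.0) {
    if ($previous -eq $current) { return $false }
    $a = Get-WalletKind $previous
    $b = Get-WalletKind $current
    return (($null -ne $a) -and ($null -ne $b) -and ($secondsApart -le $window))
}

# Live monitor: samples the clipboard and warns on suspicious swaps for $durationSec seconds.
function Watch-Clipboard([int]$pollMs = 250, [int]$durationSec = 60) {
    $last     = Get-Clipboard -Raw -ErrorAction SilentlyContinue
    $lastTime = Get-Date
    $stop     = (Get-Date).AddSeconds($durationSec)
    while ((Get-Date) -lt $stop) {
        Start-Sleep -Milliseconds $pollMs
        $now = Get-Clipboard -Raw -ErrorAction SilentlyContinue
        if ($null -eq $now -or $now -eq $last) { continue }
        $t = Get-Date
        if (Test-ClipboardSwap $last $now ($t - $lastTime).TotalSeconds) {
            Write-Warning "Possible clipboard hijack at $t : '$last' -> '$now'"
        }
        $last = $now
        $lastTime = $t
    }
}

# Offline check of the heuristic on constructed values (not real addresses from the report):
Test-ClipboardSwap '0x1111111111111111111111111111111111111111' '0x2222222222222222222222222222222222222222' 0.5   # True
Test-ClipboardSwap 'hello world' '0x2222222222222222222222222222222222222222' 0.5                                  # False
```

A user who deliberately copies two different addresses in quick succession produces the same signal, so this heuristic belongs in an alert that an analyst reviews, not in an automatic block; its value is that it needs no knowledge of the malware's internals.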
Elastic Security Labs’ analysis indicates that Dragon Breath (APT-Q-27) is shifting toward more modular, evasive, and persistent malware architectures.