RoningLoader: DragonBreath's New Path to PPL Abuse

Intel Name: RoningLoader: DragonBreath's New Path to PPL Abuse

Date of Scan: November 17, 2025

Impact: High

Summary:
RoningLoader is a new, advanced loader used in a recent DragonBreath (APT-Q-27) campaign that distributes a modified gh0st RAT through trojanized NSIS installers posing as legitimate applications such as Chrome and Microsoft Teams. The infection chain uses multiple redundant evasion layers, including a signed kernel driver, custom WDAC policies, and Protected Process Light (PPL) abuse to disable Microsoft Defender. It also employs phantom DLLs and thread-pool-based injection to terminate security products, especially those popular in China. This campaign shows a clear evolution from earlier DragonBreath activity and highlights the group's growing sophistication in defense evasion and payload delivery.
