{
	"id": "80ab9614-1e0a-4840-9168-cf878a2236ed",
	"created_at": "2026-04-06T00:18:03.772005Z",
	"updated_at": "2026-04-10T03:37:23.957756Z",
	"deleted_at": null,
	"sha1_hash": "2b9bf64ef56d84b26b9b0ba137847ea1887823ff",
	"title": "RONINGLOADER: DragonBreath’s New Path to PPL Abuse",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3683488,
	"plain_text": "RONINGLOADER: DragonBreath’s New Path to PPL Abuse\r\nBy Jia Yu Chan, Salim Bitam\r\nPublished: 2025-11-15 · Archived: 2026-04-05 13:54:20 UTC\r\nIntroduction\r\nElastic Security Labs identified a recent campaign distributing a modified variant of the gh0st RAT, attributed to the Dragon\r\nBreath APT (APT-Q-27), through trojanized NSIS installers masquerading as legitimate software such as Google Chrome\r\nand Microsoft Teams. The infection chain employs a multi-stage delivery mechanism that leverages various evasion\r\ntechniques, with many redundancies aimed at neutralising endpoint security products popular in the Chinese market. These\r\ninclude bringing a legitimately signed driver, deploying custom WDAC policies, and tampering with the Microsoft Defender\r\nbinary through PPL abuse.\r\nThis campaign primarily targets Chinese-speaking users and demonstrates a clear evolution in adaptability compared to\r\nearlier DragonBreath-related campaigns documented in 2022-2023. Through this report, we hope to raise awareness of new\r\ntechniques this malware is starting to implement and to shine a light on a unique loader we are naming RoningLoader.\r\nKey takeaways\r\nThe malware employs an abuse of Protected Process Light (PPL) to disable Windows Defender\r\nThreat actors leverage a valid, signed kernel driver to kill processes\r\nCustom unsigned WDAC policy applied to block 360 Total Security and Huorong executables\r\nPhantom DLLs and payload injection via thread pools for further antivirus process termination\r\nFinal payload has minor updates and is associated with DragonBreath\r\nDiscovery\r\nIn August 2025, research was published detailing a method to abuse Protected Process Light (PPL) to disable endpoint\r\nsecurity tooling. 
Following this disclosure, we produced a behavioral rule, Potential Evasion via ClipUp Execution, and,\r\nafter some threat hunting of telemetry data, we identified a live campaign employing the technique.\r\nRONINGLOADER code analysis\r\nThe initial infection vector is a Windows Installer package (MSI). Upon execution, the MSI functions as a dropper,\r\nextracting two embedded Nullsoft Scriptable Install System (NSIS) installers. NSIS is a legitimate, open-source tool for\r\ncreating Windows installers, but it is frequently abused by threat actors to package and deliver malware, as seen in\r\nGULOADER. In this campaign, we have observed the malicious installers being distributed under various themes,\r\nmasquerading as legitimate software such as Google Chrome, Microsoft Teams, or other trusted applications to lure users\r\ninto executing them.\r\nOne of the nested NSIS installers is benign and installs the legitimate software, while the second is malicious and\r\nresponsible for deploying the attack chain.\r\nhttps://www.elastic.co/security-labs/roningloader\r\nPage 1 of 26\n\nRONINGLOADER Execution flow\r\nThe attack chain leverages a signed driver named ollama.sys for antivirus process termination. The driver has a signer\r\nname of Kunming Wuqi E-commerce Co., Ltd. , with a certificate valid from February 3, 2025, to February 3, 2026.\r\nPivoting on VirusTotal revealed 71 additional signed binaries. Among these, we identified AgentTesla droppers\r\nmasquerading as 慕讯公益加速器 (MuXunAccelerator) , a gaming-focused VPN software popular among Chinese users,\r\nwith samples dating back to April 2025. Notably, the signing techniques vary across samples. 
Some earlier samples, like\r\ninject.sys , contain HookSignTool artifacts including the string JemmyLoveJenny , while the October 2025 ollama.sys\r\nsample shows no such artifacts and uses standard signing procedures, yet both share the same certificate validity period.\r\nComparing ollama.sys ’s PDB string artifact D:\\VS_Project\\加解密\\MyDriver1\\x64\\Release\\MyDriver1.pdb with other\r\nsamples, we discovered different artifacts from other submitted samples -\r\nD:\\cpp\\origin\\ConsoleApplication2\\x64\\Release\\ConsoleApplication2.pdb\r\nD:\\a_work\\1\\s\\artifacts\\obj\\coreclr\\windows.x86.Release\\Corehost.Static\\singlefilehost.pdb\r\nC:\\Users\\0\\Desktop\\EAMap\\x64\\Release\\ttt.pdb\r\nh:\\projects\\netfilter3\\bin\\Release\\Win32\\nfregdrv.pdb\r\nDue to the diversity of binaries and the large volume of submissions, we suspect the certificate may have been leaked, but\r\nthis is speculation at this time.\r\nDigital signature of the driver\r\nStage 1\r\nOur analysis began with the initial binary, identified by its SHA256 hash:\r\nda2c58308e860e57df4c46465fd1cfc68d41e8699b4871e9a9be3c434283d50b . Extracting it reveals two embedded executables:\r\na benign installer, letsvpnlatest.exe , and the malicious installer Snieoatwtregoable.exe .\r\nThe malicious installer, Snieoatwtregoable.exe , creates a new directory at C:\\Program Files\\Snieoatwtregoable\\ .\r\nWithin this folder, it drops two files: a DLL named Snieoatwtregoable.dll and an encrypted file, tp.png .\r\nFiles dropped on disk\r\nThe core of the malicious activity resides within Snieoatwtregoable.dll , which exports a single function:\r\nDllRegisterServer . 
When invoked, this function reads the contents of the tp.png file from disk, then decrypts this data\r\nusing a simple algorithm involving both a Right Rotate (ROR) and an XOR operation.\r\nXOR decryption routine\r\nThe decrypted content is shellcode that reflectively loads and executes a PE file in memory. The malware first allocates a\r\nnew memory region within its own process using the NtAllocateVirtualMemory API, then creates a new thread to execute\r\nthe shellcode by calling NtCreateThreadEx .\r\nThe malware attempts to remove any userland hooks by loading a fresh new ntdll.dll , then using GetProcAddress with\r\nthe API name to resolve the addresses.\r\nLoads a fresh NTDLL\r\nThe malware attempts to connect to localhost on port 5555 without serving any real purpose, as the result will not matter;\r\nspeculatively, this is likely dead code or pre-production leftover code.\r\nDead code\r\nStage 2 - tp.png\r\nRONINGLOADER first checks whether it has administrative privileges using the GetTokenInformation API. If not, it\r\nattempts to elevate its privileges by using the runas command to launch a new, elevated instance of itself before\r\nterminating the original process.\r\nElevates privileges with RunAs command\r\nInterestingly, the malware tries to communicate with a hardcoded URL http://www.baidu.com/ with the user-agent\r\n“Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko” , but this appears to be dead code, likely\r\ndue to either a removed feature or placeholder code for future versions. It is designed to extract and log the HTTP response\r\nheader date from the URL.\r\nThe malware then scans a list of running processes for specific antivirus solutions. 
It checks against a hardcoded list of\r\nprocess names and sets a corresponding boolean flag to \"True\" if any are found.\r\nScans for specific processes\r\nThe following is a table of processes and the associated security products hardcoded in the binary:\r\nProcess name Security Product\r\nMsMpEng.exe Microsoft Defender Antivirus\r\nkxemain.exe Kingsoft Internet Security\r\nkxetray.exe Kingsoft Internet Security\r\nkxecenter.exe Kingsoft Internet Security\r\nQQPCTray.exe Tencent PC Manager\r\nQQPCRTP.exe Tencent PC Manager\r\nQMToolWidget.exe Tencent PC Manager\r\nHipsTray.exe Qihoo 360 Total Security\r\nHipsDaemon.exe Qihoo 360 Total Security\r\nHipsMain.exe Qihoo 360 Total Security\r\n360tray.exe Qihoo 360 Total Security\r\nAV process termination via injected remote process\r\nNext, the malware kills those processes. Interestingly, the Qihoo 360 Total Security product takes a different approach than\r\nthe others.\r\nFirst, it blocks all network communication by changing the firewall. It then calls a function to inject shellcode into the\r\nprocess ( vssvc.exe ) associated with the Volume Shadow Copy (VSS) service.\r\nIt first grants itself the high integrity SeDebugPrivilege token.\r\nGrants SeDebugPrivilege to itself\r\nIt then starts the VSS (Volume Shadow Copy Service) if it is not already running and fetches the PID of its associated\r\nprocess (vssvc.exe).\r\nStarts VSS service\r\nNext, the malware uses NtCreateSection to create two separate memory sections. It then maps views of these sections into\r\nthe memory space of the vssvc.exe process. The first section contains a full Portable Executable (PE) file, which is a driver\r\nwith the device name \\\\.\\Ollama . 
The second section contains shellcode intended for execution.\r\nMapping section views to the remote process\r\nRONINGLOADER takes a different approach to this process injection compared to other injection methods used elsewhere\r\nin the malware. This technique leverages the thread pool to remotely execute code via a file write trigger in the remote\r\nprocess. This technique was documented by SafeBreach in 2023 with different variants.\r\nInjection through ThreadPool tasks\r\nOnce executed, the shellcode begins by dynamically resolving the addresses of the Windows APIs it needs to function. This\r\nis the only part of RONINGLOADER that employs any obfuscation, using the Fowler–Noll–Vo hash (FNV) algorithm to\r\nlook up functions by hash instead of by name.\r\nFNV algorithm instructions\r\nIt first fetches the addresses of CreateFileW , WriteFile , and CloseHandle to write the driver to disk to a hardcoded\r\npath, C:\\windows\\system32\\drivers\\1912763.temp .\r\nThen it performs the following operations:\r\nCreate a service named xererre1 to load the driver dropped to disk\r\nFor each of the following processes ( 360Safe.exe , 360Tray.exe , and ZhuDongFangYu.exe ), which are all\r\nassociated with Qihoo 360 software, it calls 2 functions: one to find the PID of the process by name, followed by a\r\nfunction to kill the process by PID\r\nIt then stops and deletes the service xererre1\r\nFunction calls to kill Qihoo 360 software processes\r\nTo kill a process, the malware uses the driver. 
An analysis of the driver reveals that it registers only 1 functionality: it\r\nhandles one IOCTL ID ( 0x222000 ) that takes a PID as a parameter and kills the process by first opening it with\r\nZwOpenProcess , then terminating it with ZwTerminateProcess kernel APIs.\r\nKernel driver kills a process by PID\r\nAV process termination\r\nReturning to the main execution flow, the malware enters a loop to confirm the termination of 360tray.exe , as handled by\r\nthe shellcode injected into the VSS service. It proceeds only after verifying that the process is no longer running.\r\nImmediately after this confirmation, the system restores its firewall settings. This action is likely a defensive measure\r\nintended to sever the software's communication channel, preventing it from uploading final activity logs or security alerts to\r\nits backend services.\r\nIt then terminates the other security processes directly from its main process. Notably, it makes no attempt to hide these\r\nactions, abandoning the earlier API hashing technique and calling the necessary functions directly.\r\nFunction calls to kill the rest of the security solutions\r\nRONINGLOADER follows a consistent, repeatable procedure to terminate its target processes:\r\nFirst, it writes the malicious driver to disk, this time to the temporary path\r\nC:\\Users\\analysis\\AppData\\Local\\Temp\\ollama.sys.\r\nA temporary service ( ollama ) is created to load ollama.sys into the kernel\r\nThe malware then fetches the target process's PID by name and sends a request containing the PID to its driver to\r\nperform the termination.\r\nImmediately after the kill command is sent, the service is deleted.\r\nWrite driver, create service, start service\r\nKill by PID and delete the service afterwards\r\nRegarding Microsoft Defender, the malware attempts to kill the MsMpEng.exe process using the same approach described\r\nabove. 
We noticed a code bug from the author: for Microsoft Defender, the code does not check whether Defender is already\r\nrunning, but proceeds directly to searching for the MsMpEng.exe process. This means that if the process is not running, the\r\nmalware will send 0 as the PID to the driver.\r\nMicrosoft Defender process killing\r\nThe malware has more redundant code to kill security solution processes. It also injects another shellcode into svchost.exe,\r\nsimilar to what was injected into vssvc.exe , but the list of processes is different, as seen in the screenshot below.\r\nRedundant code to kill security processes\r\nThe injection technique also uses threadpools, but the injected code is triggered by an event.\r\nThreadPool injection with an event as a trigger\r\nAfter the process termination, the malware creates 4 folders:\r\nC:\\ProgramData\\lnk\r\nC:\\ProgramData\\\u003ccurrent_date\u003e\r\nC:\\Users\\Public\\Downloads\\\u003ccurrent_date\u003e\r\nC:\\ProgramData\\Roning\r\nFolder creation to drop files\r\nEmbedded archives\r\nThe malware then writes three .txt files to C:\\Users\\Public\\Downloads\\\u003ccurrent_date\u003e . 
Despite their extension, these\r\nare not text files but rather containers built with a specific format, likely adapted from another code base.\r\nThis custom file structure is organized as follows:\r\nMagic Bytes: The file begins with the signature 4B 44 01 00 for identification.\r\nFile Count: This is immediately followed by a value indicating the number of files encapsulated within the container.\r\nFile Metadata: A header section then describes the information for each stored file.\r\nCompressed Data: Finally, each embedded file is stored in a ZLIB-compressed data block.\r\nHere’s an example file format for the hjk.txt archive , which contains 2 files: 1.bat and fhq.bat .\r\nThis archive format applies to 2 other embedded files in the current stage:\r\nagg.txt , which contains 3 files - Enpug.bin , goldendays.dll , and trustinstaller.bin\r\nkill.txt , which contains 1 file - 1.dll\r\nArchive format for hjk.txt\r\nBatch scripts to bypass UAC and AV networking\r\n1.bat is a simple batch script that disables User Account Control (UAC) by setting the EnableLUA registry value to 0.\r\n1.bat content\r\nfhq.bat is another batch script that targets the program defined in C:\\ProgramData\\lnk\\123.txt and the Qihoo 360\r\nsecurity software (360Safe.exe) by creating firewall rules that block inbound and outbound connections to them. It also\r\ndisables firewall notifications across all profiles.\r\nfhq.bat content\r\nAV process termination via Phantom DLL\r\nThe deployed DLL, 1.dll , is copied to C:\\Windows\\System32\\Wow64\\Wow64Log.dll to be side-loaded by any WOW64\r\nprocesses, as Wow64Log.dll is a phantom DLL that is not present on Windows machines by default. 
Its task is redundant,\r\nessentially attempting to kill a list of processes using standard Windows APIs ( TerminateProcess ).\r\nWow64Log.dll Dllmain code\r\nClipUp MS Defender killer\r\nThe malware then attempts to use a PPL abuse technique documented by Zero Salarium in August 2025. The article’s PoC\r\ntargets Microsoft Defender only. Note that all of the system commands executed are through cmd.exe with the\r\nShellExecuteW API.\r\nIt searches for Microsoft Defender's installation folder under C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\* , targeting only the directory with the most recent modification date, which indicates the\r\ncurrently used version\r\nCreate a folder C:\\ProgramData\\roming and a directory link with mklink to point to the directory found with the\r\nfollowing command: cmd.exe /c mklink /D \"C:\\ProgramData\\roming\" “C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.25050.5-0”\r\nIt then runs C:\\Windows\\System32\\ClipUp.exe with the following parameter: -ppl\r\nC:\\ProgramData\\roming\\MsMpEng.exe , which overwrites MsMpEng.exe with junk data, effectively disabling the EDR\r\neven after a restart\r\nThe author appears to have copied code from EDR-Freeze to start ClipUp.exe .\r\nCiPolicies\r\nThe malware directly targets Windows Defender Application Control (WDAC) by writing a policy file to the path\r\nC:\\\\Windows\\\\System32\\\\CodeIntegrity\\\\CiPolicies\\\\Active\\\\{31351756-3F24-4963-8380-4E7602335AAE}.cip .\r\nWrite policy to disk\r\nThe malicious policy operates in a “deny-list” mode, allowing most applications to run while explicitly blocking two\r\npopular Chinese antivirus vendors:\r\nQihoo 360 Total Security by blocking 360rp.exe and 360sd.exe\r\nHuorong Security by blocking ARPProte.exe\r\nAll executables signed by Huorong Security ( 北京火绒网络科技有限公司 ) via certificate TBS 
hash\r\nA229D2722BC6091D73B1D979B81088C977CB028A6F7CBF264BB81D5CC8F099F87D7C296E48BF09D7EBE275F5498661A4\r\nA critical component is the Enabled:Unsigned System Integrity Policy rule, which allows the policy to be loaded\r\nwithout a valid digital signature.\r\nTruncated...\r\n \u003cRule\u003e\r\n \u003cOption\u003eEnabled:Inherit Default Policy\u003c/Option\u003e\r\n \u003c/Rule\u003e\r\n \u003cRule\u003e\r\n \u003cOption\u003eEnabled:Unsigned System Integrity Policy\u003c/Option\u003e\r\n \u003c/Rule\u003e\r\n \u003cRule\u003e\r\n \u003cOption\u003eEnabled:Advanced Boot Options Menu\u003c/Option\u003e\r\n \u003c/Rule\u003e\r\n \u003cRule\u003e\r\n \u003cOption\u003eEnabled:Update Policy No Reboot\u003c/Option\u003e\r\n \u003c/Rule\u003e\r\nFileRules\u003e ...Truncated\nStage 3 - goldendays.dll\nIn the previous stage, RONINGLOADER creates a new service named MicrosoftSoftware2ShadowCop4yProvider to run\nthe next stage of execution with the following command: regsvr32.exe /S \"C:\\ProgramData\\Roning\\goldendays.dll .\nCreate MicrosoftSoftware2ShadowCop4yProvider service\nThe primary goal of this component is to inject the next payload into a legitimate, high-privilege system process to\ncamouflage its activities.\nTo achieve this, RONINGLOADER first identifies a suitable target process. It has a hardcoded list of two service names that\nit attempts to start sequentially:\n1. TrustedInstaller ( TrustedInstaller.exe )\n2. MicrosoftEdgeElevationService ( elevation_service.exe )\nThe malware iterates through this list, attempting to start each service. 
Once a service is successfully started, or if one is\r\nfound already running, the malware saves its Process ID (PID) for the injection phase.\r\nStart both TrustedInstaller and MicrosoftEdgeElevationService services\r\nNext, the malware establishes persistence by creating a batch file with a random name within the C:\\Windows\\ directory\r\n(e.g., C:\\Windows\\KPeYvogsPm.bat ). The script inside this file runs a continuous loop with the following logic:\r\nIt checks if the captured PID of the trusted service (e.g., PID 4016 for TrustedInstaller.exe ) is still running\r\nIf the service is not running, the script restarts the previously created malicious service\r\n( MicrosoftSoftware2ShadowCop4yProvider ) to ensure the malware's components remain active\r\nIf the service process is running, the script sleeps for 10 seconds before checking again\r\nBatch file content\r\nFinally, the malware reads the contents of C:\\ProgramData\\Roning\\trustinstaller.bin . Using the PID of the trusted\r\nservice it acquired earlier, it injects this payload into the target process ( TrustedInstaller.exe or\r\nelevation_service.exe ). The injection method is straightforward: it performs a remote virtual allocation with\r\nVirtualAllocEx , writes to it with WriteProcessMemory , and then creates a remote thread to execute it with\r\nCreateRemoteThread .\r\nRemote process injection\r\nStage 3 - trustinstaller.bin\r\nThe third stage, contained within trustinstaller.bin , is responsible for injecting the final payload into a legitimate\r\nprocess. It starts by enumerating running processes and searching for a target by matching process names against a\r\nhardcoded list of potential processes.\r\nList of process options to inject the payload into\r\nWhen found, it will inject the shellcode into C:\\ProgramData\\Roning\\Enpug.bin , which is the final payload. 
It will create a\r\nsection with NtCreateSection , map a view of it in the remote process with NtMapViewOfSection , and write the payload to\r\nit. Then it will create a remote thread with CreateRemoteThread .\r\nMaps section view in the remote process\r\nStage 4 - Final Payload\r\nThe final payload has not undergone major changes since Sophos’s discovery of a DragonBreath campaign in 2023 and\r\nQianXin’s report in mid-2022. It is still a modified version of the open-source gh0st RAT.\r\nIn the more recent campaigns, a mutex of value Global\\DHGGlobalMutex is created at the very beginning of execution.\r\nOutside the main C2 communication loop, dead code is observed creating a mutex named MyUniqueMutexName and\r\nimmediately destroying it afterward.\r\nMutex value MyUniqueMutexName within dead code\r\nThe C2 domain and port remain hardcoded but are now XOR-encrypted. The C2 channel operates over raw TCP sockets\r\nwith messages encrypted in both directions.\r\nC2 domain and port XOR decoded\r\nVictim Beacon Data\r\nThe implant checks in with the C2 server and repeatedly beacons to the C2 at random intervals, implemented through\r\nSleep(\u003crandom_amount\u003e * 1000) . 
Below is the structure for the data that the implant returns to the C2 server during the\r\nbeaconing interval:\r\nstruct BeaconData {\r\n // +0x000\r\n uint32_t message_type; // Example Beacon ID - 0xC8 (200)\r\n // +0x004\r\n uint32_t local_ip; // inet_addr() of victim's IP\r\n // +0x008\r\n char hostname[50]; // Computer name or registry \"Remark\"\r\n // +0x03A\r\n char windows_version[?]; // OS version info\r\n // +0x0D8\r\n char cpu_name[64]; // Processor name\r\n // +0x118\r\n uint32_t entry_rdx;\r\n // +0x11C\r\n char time_value[64]; // Implant installed time or registry \"Time\" value\r\n // +0x15C\r\n char victim_tag[39]; // Command 6 buffer (Custom victim tag)\r\n // +0x183\r\n uint8_t is_wow64; // 1 if 32-bit on 64-bit Windows\r\n // +0x184\r\n char av_processes_found[128]; // Antivirus processes found\r\n // +0x204\r\n char uptime[12]; // System uptime\r\n char padding[52];\r\n // +0x244\r\n char crypto_wallet_track[64]; // \"狐狸系列\" (MetaMask) or registry \"ZU\" (crypto related tracking)\r\n // +0x284\r\n uint8_t is_admin; // 1 if running with admin rights\r\n // +0x285\r\n char data[?];\r\n // +0x305\r\n uint8_t telegram_installed; // 1 if Telegram installed\r\n // +0x306\r\n uint8_t telegram_running; // 1 if Telegram.exe running\r\n // +0x307\r\n // (padding to 0x308 bytes)\r\n};\r\nC2 commands\r\nRequest messages sent from the C2 server to the implant follow the structure:\r\nstruct C2_to_implant_msg {\r\n uint32_t total_message_len;\r\n uint32_t RC4_key;\r\n char encrypted_command_id;\r\n uint8_t encrypted_command_args;\r\n};\r\nThe implant decrypts C2 messages through the following formula:\r\nRC4_decrypt(ASCII(decimal(RC4_key)), encrypted_command_id || command)\r\nBelow is a list of available commands that, for the most part, remain the same as 2 years ago:\r\nCommand ID Description\r\n0 ExitWindowsEx via a 
supplied EXIT_WINDOWS_FLAGS\r\n1 Terminate implant gracefully\r\n2 Set registry key Enable to False to terminate \u0026 disable implant persistently\r\n3 Set registry key Remark for custom victim renaming (default value: hostname)\r\n4 Set registry key ZU for MetaMask / crypto-related tagging\r\n5 Clear Windows Event logs (Application, Security, System)\r\n6 Set additional custom tags when client beacons\r\n7 Download and execute file via supplied URL\r\n9 ShellExecute (visible window)\r\n10 ShellExecute (hidden window)\r\n112 Get clipboard data\r\n113 Set clipboard data\r\n125 ShellExecute cmd.exe with command parameters (hidden window)\r\n126 Execute payload by dropping to disk or reflectively load and execute PluginMe export\r\n128 First option - open a new session with a supplied C2 domain, port, and beacon interval. Second\r\noption - set registry key CopyC to update C2 domain and port permanently. Stored encrypted via\r\nBase64Encode(XOR(C2_domain_and_port, 0x5)) .\r\n241 Check if Telegram is installed and/or running\r\n243 Configure Clipboard Hijacker\r\n101 , 127 , 236 , [...] Custom shellcode injection into svchost.exe using WTS session token impersonation, falling back\r\nto CREATE_SUSPENDED process injection via CreateRemoteThread\r\nAnalyst note: There are multiple command IDs that point to the same command. We used an ellipsis to identify\r\nwhen this was observed.\r\nSystem Logger\r\nIn addition to the C2 commands, the implant implements a keystroke, clipboard, and active-window logger. Captured data is\r\nwritten to %ProgramData%\\microsoft.dotnet.common.log and can be enabled or disabled via a registry key at\r\nHKEY_CURRENT_USER\\offlinekey\\open ( 1 to enable, 0 to disable). 
The log file implements automatic rotation, deleting\r\nitself when it exceeds 50 MB to avoid detection through excessive disk usage.\r\nThe code snippet below demonstrates the initialization routine that implements log rotation and configures a DirectInput8\r\ninterface to acquire the keyboard device for event capture, followed by the keyboard event retrieval logic.\r\nLog rotation and keylogger initialization\r\nKeyboard event retrieval\r\nThe malware then enters a monitoring loop to capture three categories of information.\r\nFirst, it monitors the clipboard using OpenClipboard and GetClipboardData , logging any changes to text content\r\nwith the prefix [剪切板:] .\r\nSecond, it tracks window focus changes via GetForegroundWindow , logging the active window title and timestamp\r\nwith the prefixes [标题:] and [时间:] , respectively, whenever the user switches applications.\r\nThird, it retrieves buffered keyboard events from the DirectInput8 device (up to 60 events per poll) and translates\r\nthem into readable text through a character mapping table, prepending the results with a prefix [内容:] .\r\nExample captured content in microsoft.dotnet.common.log\r\nClipboard Hijacker\r\nThe malware also implements a clipboard hijacker that is remotely configured through C2 command ID 243. It monitors\r\nclipboard changes and performs search-and-replace operations on captured text, substituting attacker-defined strings with\r\nreplacement values. Configuration parameters are stored in the registry under HKEY_CURRENT_USER\\offlinekey with keys\r\nclipboard (enable/disable feature), charac (search string), characLen (search length), and newcharac (replacement\r\nstring).\r\nClipboard hijacker setup through C2 command\r\nIt registers a window class named ClipboardListener_Class_Toggle and creates a hidden window titled\r\nClipboardMonitor to receive clipboard change notifications. 
The window procedure handles WM_CLIPBOARDUPDATE\r\n( 0x31D ) messages by verifying clipboard sequence numbers with GetClipboardSequenceNumber to detect genuine\r\nchanges, then invoking the core manipulation routine, which swaps the clipboard content via EmptyClipboard and\r\nSetClipboardData .\r\nClipboardMonitor setup, responsible for the actual clipboard swap\r\nMalware and MITRE ATT\u0026CK\r\nElastic uses the MITRE ATT\u0026CK framework to document common tactics, techniques, and procedures that advanced\r\npersistent threats use against enterprise networks.\r\nTactics\r\nTactics represent the why of a technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an\r\naction.\r\nExecution\r\nPersistence\r\nPrivilege Escalation\r\nDefense Evasion\r\nCredential Access\r\nDiscovery\r\nCollection\r\nCommand and Control\r\nTechniques\r\nTechniques represent how an adversary achieves a tactical goal by performing an action.\r\nCommand and Scripting Interpreter: Windows Command Shell\r\nSystem Services: Service Execution\r\nCreate or Modify System Process: Windows Service\r\nAbuse Elevation Control Mechanism: Bypass User Account Control\r\nAccess Token Manipulation\r\nImpair Defenses: Disable or Modify Tools\r\nImpair Defenses: Disable or Modify System Firewall\r\nIndicator Removal: Clear Windows Event Logs\r\nHijack Execution Flow: DLL Side-Loading\r\nProcess Injection\r\nMasquerading: Match Legitimate Name or Location\r\nModify Registry\r\nSubvert Trust Controls: Code Signing Policy Modification\r\nInput Capture: Keylogging\r\nClipboard Data\r\nProcess Discovery\r\nSystem Information Discovery\r\nSystem Owner/User Discovery\r\nSoftware Discovery: Security Software Discovery\r\nNon-Application Layer Protocol\r\nEncrypted Channel: Symmetric Cryptography\r\nMitigations\r\nDetection\r\nPotential 
Evasion via ClipUp Execution\r\nSuspicious Remote Memory Allocation\r\nPotential Suspended Process Code Injection\r\nRemote Memory Write to Trusted Target Process\r\nRemote Process Memory Write by Low Reputation Module\r\nProcess Memory Write to a Non Child Process\r\nUnbacked Shellcode from Unsigned Module\r\nUAC Bypass Attempt via WOW64 Logger DLL Side-Loading\r\nNetwork Connect API from Unbacked Memory\r\nRundll32 or Regsvr32 Loaded a DLL from Unbacked Memory\r\nNetwork Module Loaded from Suspicious Unbacked Memory\r\nYARA\r\nElastic Security has created YARA rules to identify this activity. Below are YARA rules to identify RONINGLOADER and\r\nthe final implant:\r\nWindows.Trojan.RoningLoader\r\nWindows.Trojan.DragonBreath\r\nObservations\r\nThe following observables were discussed in this research.\r\nObservable | Type | Name | Reference\r\nda2c58308e860e57df4c46465fd1cfc68d41e8699b4871e9a9be3c434283d50b | SHA-256 | klklznuah.msi | Initial MSI installer\r\n82794015e2b40cc6e02d3c1d50241465c0cf2c2e4f0a7a2a8f880edaee203724 | SHA-256 | Snieoatwtregoable.exe | Malicious installer unpacked from initial installer\r\nc65170be2bf4f0bd71b9044592c063eaa82f3d43fcbd8a81e30a959bcaad8ae5 | SHA-256 | Snieoatwtregoable.dll | Stage 1 - loader for stage 2\r\n2515b546125d20013237aeadec5873e6438ada611347035358059a77a32c54f5 | SHA-256 | ollama.sys | Stage 2 - driver for process termination\r\n1613a913d0384cbb958e9a8d6b00fffaf77c27d348ebc7886d6c563a6f22f2b7 | SHA-256 | tp.png | Stage 2 - encrypted core payload\r\n395f835731d25803a791db984062dd5cfdcade6f95cc5d0f68d359af32f6258d | SHA-256 | 1.bat | Stage 2 - UAC bypass script\r\n1c1528b546aa29be6614707cbe408cb4b46e8ed05bf3fe6b388b9f22a4ee37e2 | SHA-256 | fhq.bat | Stage 2 - script to block networking for AV processes\r\n4d5beb8efd4ade583c8ff730609f142550e8ed14c251bae1097c35a756ed39e6 | SHA-256 | 1.dll | Stage 2 - AV processes termination\r\n96f401b80d3319f8285fa2bb7f0d66ca9055d349c044b78c27e339bcfb07cdf0 | SHA-256 | {31351756-3F24-4963-8380-4E7602335AAE}.cip | Stage 2 - WDAC policy\r\n33b494eaaa6d7ed75eec74f8c8c866b6c42f59ca72b8517b3d4752c3313e617c | SHA-256 | goldendays.dll | Stage 3 - entry point\r\nfc63f5dfc93f2358f4cba18cbdf99578fff5dac4cdd2de193a21f6041a0e01bc | SHA-256 | trustinstaller.bin | Stage 3 - loader for Enpug.bin\r\nfd4dd9904549c6655465331921a28330ad2b9ff1c99eb993edf2252001f1d107 | SHA-256 | Enpug.bin | Stage 3 - loader for final payload\r\n3dd470e85fe77cd847ca59d1d08ec8ccebe9bd73fd2cf074c29d87ca2fd24e33 | SHA-256 | 6uf9i.exe | Stage 4 - final payload\r\nqaqkongtiao[.]com | domain-name | | Stage 4 - final payload C2\r\nReferences\r\nThe following were referenced throughout the above research:\r\nhttps://nsis.sourceforge.io/Main_Page\r\nhttps://learn.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service\r\nhttps://github.com/Jemmy1228/HookSigntool\r\nhttps://www.safebreach.com/blog/process-injection-using-windows-thread-pools/\r\nhttps://hijacklibs.net/entries/microsoft/built-in/wow64log.html\r\nhttps://en.wikipedia.org/wiki/Fowler%E2%80%93Noll%E2%80%93Vo_hash_function\r\nhttps://www.zerosalarium.com/2025/08/countering-edrs-with-backing-of-ppl-protection.html\r\nhttps://github.com/TwoSevenOneT/EDR-Freeze/blob/ceffd5ea7b813b356c77d469561dbb5ee45aeb24/PPLHelp.cpp#L43\r\nhttps://news.sophos.com/en-us/2023/05/03/doubled-dll-sideloading-dragon-breath/\r\nhttps://ti.qianxin.com/blog/articles/operation-dragon-breath-%28apt-q-27%29-dimensionality-reduction-blow-to-the-gambling-industry/\r\nhttps://github.com/sin5678/gh0st\r\nSource: 
https://www.elastic.co/security-labs/roningloader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.elastic.co/security-labs/roningloader"
	],
	"report_names": [
		"roningloader"
	],
	"threat_actors": [
		{
			"id": "5abbd961-c51b-45e2-9632-e94e48a051b0",
			"created_at": "2026-01-22T02:00:03.673383Z",
			"updated_at": "2026-04-10T02:00:03.924422Z",
			"deleted_at": null,
			"main_name": "DragonBreath",
			"aliases": [
				"Golden Eye Dog",
				"APT-Q-27,"
			],
			"source_name": "MISPGALAXY:DragonBreath",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434683,
	"ts_updated_at": 1775792243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2b9bf64ef56d84b26b9b0ba137847ea1887823ff.pdf",
		"text": "https://archive.orkl.eu/2b9bf64ef56d84b26b9b0ba137847ea1887823ff.txt",
		"img": "https://archive.orkl.eu/2b9bf64ef56d84b26b9b0ba137847ea1887823ff.jpg"
	}
}