New RoningLoader Campaign Uses DLL Side-Loading and Code Injection to Evade Detection

A threat actor known as DragonBreath has launched a stealthy campaign using a multi-stage malware loader called RoningLoader. The malware targets Chinese-speaking users by disguising itself as trusted software such as Google Chrome and Microsoft Teams.

Its core strength lies in a layered approach to avoiding detection — combining DLL side-loading, code injection, and signed kernel drivers to disable security tools silently.

RoningLoader first appeared in threat intelligence reports in November 2025, when Elastic Security Labs documented its use against users running Chinese endpoint detection tools.

The malware spreads through trojanized NSIS installers — a legitimate installer framework that threat actors frequently abuse. When a victim opens one of these fake installers, it silently drops a malicious DLL and an encrypted file disguised as a PNG image.

That encrypted file carries shellcode that launches the next stage of the attack entirely in memory, leaving fewer traces on disk.

AttackIQ researchers identified the full scope of RoningLoader’s post-compromise behavior, mapping it against the MITRE ATT&CK framework.

The team released an emulation-based attack graph mirroring the tactics, techniques, and procedures used by DragonBreath during this campaign.

Their findings revealed a threat that is technically sophisticated and deliberately redundant — built to keep running even if one layer of evasion fails.

The impact of this campaign goes beyond simply loading malware. RoningLoader actively disables security products including Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security.

It uses a legitimately signed kernel driver to kill these processes at the kernel level, bypassing normal user-mode protections entirely.

At the final stage, the attacker deploys a modified version of gh0st RAT, granting full remote access to the infected system for data theft, lateral movement, and long-term espionage.

DragonBreath, also tracked as APT-Q-27, has been active since at least 2020 and is linked to attacks on online gaming and gambling industries.

Its targets span China, Taiwan, Hong Kong, Japan, Singapore, and the Philippines. The group has steadily sharpened its methods, and RoningLoader stands as its most technically capable campaign to date.

One of the most striking features of RoningLoader is how it chains multiple evasion techniques so that each layer backs up the next. This redundancy is intentional — if one method fails, the malware still has several others to fall back on.

The attack begins when the trojanized NSIS installer executes on the victim’s machine. It drops both a legitimate application and a hidden malicious binary side by side. The real software runs normally in the foreground while the malware executes quietly in the background.

This twin-installation technique keeps the user unsuspecting and makes the initial infection very hard to notice.

RoningLoader then performs DLL side-loading (T1574.002), tricking a trusted Windows executable into loading a rogue DLL in its place. Because the DLL runs under a signed and trusted process, most security tools treat it as normal.

The malware then injects code into regsvr32.exe — a native Windows utility — using CreateRemoteThread and LoadLibrary (T1055.001), pushing execution into high-privilege processes like TrustedInstaller.exe to conceal its activity further.

To gain elevated access, the malware enables SeDebugPrivilege through the AdjustTokenPrivilege API, allowing it to interact with protected processes it would normally be blocked from accessing.

It also disables User Account Control by modifying the Windows registry, stripping away a standard system defense.

RoningLoader then uses CreateToolhelp32Snapshot along with Process32FirstW and Process32NextW to scan all running processes, locate active antivirus tools, and shut them down before the final gh0st RAT payload is released.

Security teams should monitor for unusual DLL loads from trusted Windows executables and flag regsvr32.exe launching without direct user action.

Setting alerts on UAC registry modifications, unexpected service creation, and token changes is also strongly recommended.

Running regular security control validation against RoningLoader’s documented TTPs through adversarial emulation will help defenders find and close gaps before a real attack takes place.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.