
RONINGLOADER: DragonBreath’s New Path to PPL Abuse

ID: 214fae9a-7ed9-5a47-a2b8-3d4631cd3314

STIX ID: report--214fae9a-7ed9-5a47-a2b8-3d4631cd3314

Feed Name: Elastic Security Labs

Threat Score
90/100

Date Published: 2025-11-15

Date Updated: 2026-04-27

...
...

Elastic Security Labs documents a sophisticated, active multi-stage campaign attributed to DragonBreath (APT-Q-27) deploying a modified gh0st RAT via trojanized NSIS installers. The loader, named RONINGLOADER, employs a signed kernel driver to terminate security processes, abuses Protected Process Light (PPL) to disable Microsoft Defender, writes an unsigned WDAC policy to block Chinese AV products, uses advanced injection techniques (thread-pool remote execution, section mapping), and deploys a final RAT with keylogging, clipboard hijacking, and remote command capabilities; the report includes extensive IOCs, YARA rules, and detection/mitigation notes.
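The summary above is all this feed page carries; the IOCs and YARA rules live behind the subscription. As an added host-triage starting point (my own script, not Elastic's and not derived from the report's detection notes), the PowerShell below checks the three artefact classes the summary names: WDAC policy files that have recently appeared or changed, recent kernel-mode driver installs, and the state of Microsoft Defender. Assumptions: Windows 10/11, run from an elevated prompt; `$Hours` is a hypothetical lookback parameter; the event IDs used are the documented ones (System 7045 for a new service or driver, CodeIntegrity/Operational 3099 for a refreshed/activated policy, 3076/3077 for audit/enforce blocks). It does not decide whether a policy is signed; it surfaces candidates and their hashes for comparison against your baseline.

```powershell
# Added triage script (not from the Elastic report). Assumes Windows 10/11, elevated prompt.
# $Hours is a hypothetical lookback window; adjust to the suspected dwell time.
param([int]$Hours = 72)
$since = (Get-Date).AddHours(-$Hours)

# 1. WDAC policy files on disk.
#    Legacy single-policy format: System32\CodeIntegrity\SIPolicy.p7b
#    Multiple-policy format:      System32\CodeIntegrity\CiPolicies\Active\<GUID>.cip
$ciRoot = Join-Path $env:SystemRoot 'System32\CodeIntegrity'
$policyFiles = @()
$policyFiles += Get-ChildItem -Path (Join-Path $ciRoot 'CiPolicies\Active') -Filter '*.cip' -ErrorAction SilentlyContinue
$policyFiles += Get-ChildItem -Path (Join-Path $ciRoot 'SIPolicy.p7b') -ErrorAction SilentlyContinue
foreach ($f in $policyFiles) {
    [pscustomobject]@{
        Check   = 'WDACPolicyFile'
        Path    = $f.FullName
        Written = $f.LastWriteTime
        Recent  = ($f.LastWriteTime -ge $since)   # a policy written inside the window deserves a look
        SHA256  = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    }
}

# 2. Code integrity enforcement state (0 = off, 1 = audit, 2 = enforced).
#    An unexpected user-mode enforcement on a host that never had WDAC deployed is the signal here.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    [pscustomobject]@{
        Check  = 'CIEnforcement'
        Kernel = $dg.CodeIntegrityPolicyEnforcementStatus
        User   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    }
}

# 3. Recent policy activations (3099) and blocks (3076 audit, 3077 enforce).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3099, 3076, 3077
    StartTime = $since
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message

# 4. New kernel-mode drivers registered as services inside the window (System event 7045).
#    -match is case-insensitive, so the English message text "kernel mode driver" is enough.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'kernel mode driver' } |
    Select-Object TimeCreated, Message

# 5. Defender state: service status plus the engine's own view of itself.
Get-Service -Name WinDefend, Sense -ErrorAction SilentlyContinue | Select-Object Name, Status
Get-MpComputerStatus -ErrorAction SilentlyContinue |
    Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AntivirusEnabled
```

Run it as `.\Triage-WdacDriverDefender.ps1 -Hours 168` on a suspect host and diff the policy hashes against a known-good machine of the same build; a `.cip` that exists nowhere else in the estate, paired with a 7045 driver install and Defender reporting `AMServiceEnabled = False`, matches the sequence the summary describes and warrants pulling the driver and the policy file for analysis.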
