DragonBreath APT Launches RoningLoader Malware Campaign Targeting Chinese Users
Severity: High (Score: 67.0)
Sources: Gbhackers, Cybersecuritynews
Summary
The DragonBreath group, also known as APT-Q-27, has initiated a new campaign utilizing RoningLoader malware, which employs advanced techniques such as DLL side-loading and code injection to evade security measures. This campaign primarily targets Chinese-speaking users by masquerading as legitimate applications like Google Chrome and Microsoft Teams. Active since at least 2022, DragonBreath has progressively enhanced its tactics, making detection increasingly difficult. The malware's multi-stage loader approach allows it to infiltrate systems without raising alarms. Reports indicate that the campaign has been linked to espionage activities, although specific numbers of affected users or systems have not been disclosed. The current status of the campaign suggests ongoing operations, with security firms monitoring its developments closely.
Key Points
- DragonBreath APT is behind the RoningLoader malware campaign targeting Chinese-speaking users.
- The malware uses DLL side-loading and code injection to bypass traditional security defenses.
- RoningLoader disguises itself as trusted applications like Google Chrome and Microsoft Teams.
Key Entities
- DragonBreath (apt_group)
- Malware (attack_type)
- New RoningLoader Campaign (campaign)
- RoningLoader Campaign (campaign)
- RoningLoader (malware)
- T1036 - Masquerading (mitre_attack)
- T1055 - Process Injection (mitre_attack)
- T1574 - Hijack Execution Flow (mitre_attack)
- Google Chrome (tool)
- Microsoft Teams (tool)