Date: 11/17/2025
Severity: High
Summary
RoningLoader is a new, advanced loader used in a recent DragonBreath (APT-Q-27) campaign that distributes a modified gh0st RAT through trojanized NSIS installers posing as legitimate apps like Chrome and Microsoft Teams. The infection chain uses multiple redundant evasion layers, including a signed kernel driver, custom WDAC policies, and Protected Process Light (PPL) abuse to disable Microsoft Defender. It also employs phantom DLLs and thread-pool–based injection to terminate security products—especially those popular in China. This campaign shows a clear evolution from earlier DragonBreath activity and highlights the group’s growing sophistication in defense evasion and payload delivery.
Indicators of Compromise (IOC) List
URLs/Domains: qaqkongtiao.com
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
domainname like "qaqkongtiao.com" or siteurl like "qaqkongtiao.com" or url like "qaqkongtiao.com"
Detection Query 2:
sha256hash IN (
"4d5beb8efd4ade583c8ff730609f142550e8ed14c251bae1097c35a756ed39e6",
"3dd470e85fe77cd847ca59d1d08ec8ccebe9bd73fd2cf074c29d87ca2fd24e33",
"1c1528b546aa29be6614707cbe408cb4b46e8ed05bf3fe6b388b9f22a4ee37e2",
"c65170be2bf4f0bd71b9044592c063eaa82f3d43fcbd8a81e30a959bcaad8ae5",
"2515b546125d20013237aeadec5873e6438ada611347035358059a77a32c54f5",
"395f835731d25803a791db984062dd5cfdcade6f95cc5d0f68d359af32f6258d",
"82794015e2b40cc6e02d3c1d50241465c0cf2c2e4f0a7a2a8f880edaee203724",
"da2c58308e860e57df4c46465fd1cfc68d41e8699b4871e9a9be3c434283d50b",
"fd4dd9904549c6655465331921a28330ad2b9ff1c99eb993edf2252001f1d107",
"fc63f5dfc93f2358f4cba18cbdf99578fff5dac4cdd2de193a21f6041a0e01bc",
"1613a913d0384cbb958e9a8d6b00fffaf77c27d348ebc7886d6c563a6f22f2b7",
"96f401b80d3319f8285fa2bb7f0d66ca9055d349c044b78c27e339bcfb07cdf0",
"33b494eaaa6d7ed75eec74f8c8c866b6c42f59ca72b8517b3d4752c3313e617c"
)
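The same two detections applied outside the Gurucul query language, as an added example that is not part of the original advisory or of Gurucul's product: a small Python matcher that runs the advisory's domain and SHA-256 indicators over constructed sample telemetry, matching the domain and its subdomains by parsed hostname (so a look-alike such as notqaqkongtiao.com does not fire) and normalizing hash case. The event field names mirror the query fields; the host names and events are constructed.

```python
from urllib.parse import urlparse
# IOC values copied from the advisory above (one domain, thirteen SHA-256 hashes).
IOC_DOMAIN = "qaqkongtiao.com"
IOC_SHA256 = {
    "da2c58308e860e57df4c46465fd1cfc68d41e8699b4871e9a9be3c434283d50b",
    "82794015e2b40cc6e02d3c1d50241465c0cf2c2e4f0a7a2a8f880edaee203724",
    "c65170be2bf4f0bd71b9044592c063eaa82f3d43fcbd8a81e30a959bcaad8ae5",
    "2515b546125d20013237aeadec5873e6438ada611347035358059a77a32c54f5",
    "1613a913d0384cbb958e9a8d6b00fffaf77c27d348ebc7886d6c563a6f22f2b7",
    "395f835731d25803a791db984062dd5cfdcade6f95cc5d0f68d359af32f6258d",
    "1c1528b546aa29be6614707cbe408cb4b46e8ed05bf3fe6b388b9f22a4ee37e2",
    "4d5beb8efd4ade583c8ff730609f142550e8ed14c251bae1097c35a756ed39e6",
    "96f401b80d3319f8285fa2bb7f0d66ca9055d349c044b78c27e339bcfb07cdf0",
    "33b494eaaa6d7ed75eec74f8c8c866b6c42f59ca72b8517b3d4752c3313e617c",
    "fc63f5dfc93f2358f4cba18cbdf99578fff5dac4cdd2de193a21f6041a0e01bc",
    "fd4dd9904549c6655465331921a28330ad2b9ff1c99eb993edf2252001f1d107",
    "3dd470e85fe77cd847ca59d1d08ec8ccebe9bd73fd2cf074c29d87ca2fd24e33",
}

def host_of(value):
    """Lowercase hostname of a URL or bare domain ('' if the field is absent)."""
    if not value:
        return ""
    return (urlparse(value if "://" in value else "//" + value).hostname or "").lower()

def domain_match(host):
    """True for the IOC domain itself or any subdomain of it (cdn., www., ...)."""
    return host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN)

def match_event(event):
    """Names of the detection queries above that fire on one event dict."""
    hits = []
    if any(domain_match(host_of(event.get(k))) for k in ("domainname", "siteurl", "url")):
        hits.append("Query 1")
    if (event.get("sha256hash") or "").lower() in IOC_SHA256:
        hits.append("Query 2")
    return hits

def scan(events):
    """[(host, hits)] for every event that matches at least one query."""
    return [(e["host"], match_event(e)) for e in events if match_event(e)]

# Constructed sample telemetry (hypothetical hosts and events, not from the report).
SAMPLE_EVENTS = [
    {"host": "ws01", "url": "https://qaqkongtiao.com/update/chrome_setup.exe"},
    {"host": "ws02", "domainname": "cdn.qaqkongtiao.com"},
    {"host": "ws03", "sha256hash": "da2c58308e860e57df4c46465fd1cfc68d41e8699b4871e9a9be3c434283d50b".upper()},
    {"host": "ws04", "url": "https://example.invalid/", "sha256hash": "0" * 64},
]
```

Calling scan(SAMPLE_EVENTS) reports ws01 and ws02 on Query 1 and ws03 on Query 2; ws04 is clean.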
Reference:
https://www.elastic.co/security-labs/roningloader