Malware (used by 3 actors)

RoningLoader

RONINGLOADER is a multi-stage Windows malware loader identified by Elastic Security Labs in 2025 and used by the DragonBreath threat actor, also tracked as APT-Q-27 and Golden Eye Dog. It has been used in campaigns primarily targeting Chinese-speaking users and the gambling sector, with trojanized MSI and NSIS installers masquerading as legitimate software such as Google Chrome and Microsoft Teams. The infection chain drops a benign installer alongside malicious components, including a DLL and an encrypted file disguised as a PNG, then decrypts shellcode and executes later stages in memory.

The loader is designed with multiple defense-evasion and security-disruption layers. Reported behaviors include loading a fresh copy of ntdll.dll to avoid userland hooks, checking for administrative privileges and relaunching elevated via runas, enumerating security processes, disabling UAC, modifying firewall settings, creating services, and staging additional payloads under ProgramData and other directories. It abuses Protected Process Light (PPL) via ClipUp.exe to disable Microsoft Defender by corrupting MsMpEng.exe, uses phantom DLL side-loading, thread-pool-based process injection, and writes an unsigned WDAC policy that blocks Chinese security products including Qihoo 360 and Huorong. It also uses a legitimately signed kernel driver, ollama.sys, to terminate security processes associated with Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360.

RONINGLOADER establishes persistence through service creation and watchdog batch scripts, including execution of goldendays.dll via regsvr32.exe and subsequent injection into high-privilege processes such as TrustedInstaller.exe or MicrosoftEdgeElevationService. Later stages inject additional payloads using NtCreateSection, NtMapViewOfSection, CreateRemoteThread, VirtualAllocEx, and WriteProcessMemory.

The final payload delivered by RONINGLOADER is a modified version of the open-source gh0st RAT associated with DragonBreath. Reported capabilities of that payload include encrypted raw TCP command-and-control, beaconing, shell command execution, file download and execution, event log clearing, custom shellcode injection, keylogging, clipboard logging and hijacking, active-window logging, and process injection. High-confidence indicators reported for this payload include the mutex Global\DHGGlobalMutex, logging to %ProgramData%\microsoft.dotnet.common.log, storage of clipboard hijacker settings under HKEY_CURRENT_USER\offlinekey, and a stage-4 C2 domain of qaqkongtiao[.]com. Elastic published YARA detections, including Windows.Trojan.RoningLoader, for this malware.
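A read-only host triage script for the artifacts named above, added here as an example (it is not code from the Mallory page or from Elastic's report). It assumes an elevated Windows PowerShell session on the host under examination; the paths, service names, registry locations and mutex name come from the text above, and the firewall check only looks for a block rule on 360Safe.exe, which fhq.bat is reported to create.

```powershell
# Added example: host triage for RONINGLOADER artifacts described on this page.
# Every hit is a lead for investigation, not proof of compromise on its own.
$findings = @()

# 1. Phantom DLL side-load: Wow64Log.dll is not shipped by Windows, so its presence is suspicious.
$phantom = "$env:SystemRoot\System32\Wow64\Wow64Log.dll"
if (Test-Path $phantom) {
    $sig = Get-AuthenticodeSignature -FilePath $phantom
    $findings += "Wow64Log.dll present (signature: $($sig.Status)) at $phantom"
}

# 2. Unsigned WDAC policy written to the active CI policy store (GUID as reported).
$cip = "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active\{31351756-3F24-4963-8380-4E7602335AAE}.cip"
if (Test-Path $cip) { $findings += "WDAC policy file present: $cip" }

# 3. UAC disabled by 1.bat (EnableLUA = 0).
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lua = (Get-ItemProperty -Path $pol -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($lua -eq 0) { $findings += 'EnableLUA is 0 (UAC disabled)' }

# 4. gh0st-stage configuration key (only the current user's hive is checked here).
if (Test-Path 'HKCU:\offlinekey') { $findings += 'HKCU\offlinekey exists' }

# 5. Service names reported for the loader, the driver loader and the next stage.
foreach ($svc in 'MicrosoftSoftware2ShadowCop4yProvider', 'xererre1', 'ollama') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) { $findings += "Service present: $svc" }
}

# 6. Payload log file and the C2 stage mutex (the mutex exists only while the implant runs).
$log = Join-Path $env:ProgramData 'microsoft.dotnet.common.log'
if (Test-Path $log) { $findings += "Log file present: $log" }
$mutexExists = $false
try {
    $m = [System.Threading.Mutex]::OpenExisting('Global\DHGGlobalMutex'); $m.Dispose(); $mutexExists = $true
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
} catch [System.UnauthorizedAccessException] { $mutexExists = $true }   # exists, but ACL denies us
if ($mutexExists) { $findings += 'Mutex Global\DHGGlobalMutex is held by a running process' }

# 7. Block rule aimed at a security product (fhq.bat targets 360Safe.exe).
$fw = Get-NetFirewallRule -Action Block -ErrorAction SilentlyContinue |
      Get-NetFirewallApplicationFilter -ErrorAction SilentlyContinue |
      Where-Object { $_.Program -match '360Safe\.exe$' }
if ($fw) { $findings += 'Firewall block rule targeting 360Safe.exe' }

if ($findings.Count -eq 0) { 'No RONINGLOADER host artifacts found' } else { $findings }
```

The mutex check reflects the state at run time only, so pair it with process and event-log review if the other artifacts are present.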


THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Dragon Breath

Through this report, we hope to raise awareness of new techniques this malware is starting to implement and to shine a light on a unique loader we are naming RoningLoader.

via Elastic Security Labs (elastic.co)
APT-Q-27

Through this report, we hope to raise awareness of new techniques this malware is starting to implement and to shine a light on a unique loader we are naming RoningLoader.

via Elastic Security Labs (elastic.co)
DragonBreath

A threat actor known as DragonBreath has launched a stealthy campaign using a multi-stage malware loader called RoningLoader.

via Cyber Security News (cybersecuritynews.com)
MITRE ATT&CK

Techniques & procedures

16 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

3 techniques
T1059.003 Windows Command Shell (evidence: 1)

Note that all of the system commands executed are through cmd.exe with the ShellExecuteW API

T1569.002 Service Execution (evidence: 1)

Create a service named xererre1 to load the driver dropped to disk ... A temporary service (ollama) is created to load ollama.sys into the kernel

T1574.001 DLL (evidence: 1)

The deployed DLL, 1.dll, is copied to C:\Windows\System32\Wow64\Wow64Log.dll to be side-loaded by any WOW64 processes, as Wow64Log.dll is a phantom DLL

Persistence

2 techniques
T1112 Modify Registry (evidence: 1)

1.bat is a simple batch script that disables User Account Control (UAC) by setting the EnableLUA registry value to 0 ... Set registry key Enable to False to terminate & disable implant persistently ... Configuration parameters are stored in the registry under HKEY_CURRENT_USER\offlinekey

T1543.003 Windows Service (evidence: 1)

RONINGLOADER creates a new service named MicrosoftSoftware2ShadowCop4yProvider to run the next stage of execution

Privilege Escalation

5 techniques
T1055 Process Injection (evidence: 2)

it calls a function to inject shellcode into the process (vssvc.exe) ... This technique leverages the thread pool to remotely execute code ... it injects another shellcode into svchost.exe ... writes to it with WriteProcessMemory, and then creates a remote thread to execute it with CreateRemoteThread

T1055.001 Dynamic-link Library Injection (evidence: 1)

The malware then injects code into regsvr32.exe — a native Windows utility — using CreateRemoteThread and LoadLibrary (T1055.001), pushing execution into high-privilege processes like TrustedInstaller.exe to conceal its activity further.

T1134 Access Token Manipulation (evidence: 1)

It first grants itself the high integrity SeDebugPrivilege token.

T1543.003 Windows Service (evidence: 1)

RONINGLOADER creates a new service named MicrosoftSoftware2ShadowCop4yProvider to run the next stage of execution

T1548.002 Bypass User Account Control (evidence: 1)

If not, it attempts to elevate its privileges by using the runas command to launch a new, elevated instance of itself ... 1.bat is a simple batch script that disables User Account Control (UAC) by setting the EnableLUA registry value to 0.

Stealth

5 techniques
T1036 Masquerading (evidence: 1)

the malicious installers being distributed under various themes, masquerading as legitimate software such as Google Chrome, Microsoft Teams, or other trusted applications to lure users into executing them

T1055 Process Injection (evidence: 2)

it calls a function to inject shellcode into the process (vssvc.exe) ... This technique leverages the thread pool to remotely execute code ... it injects another shellcode into svchost.exe ... writes to it with WriteProcessMemory, and then creates a remote thread to execute it with CreateRemoteThread

T1055.001 Dynamic-link Library Injection (evidence: 1)

The malware then injects code into regsvr32.exe — a native Windows utility — using CreateRemoteThread and LoadLibrary (T1055.001), pushing execution into high-privilege processes like TrustedInstaller.exe to conceal its activity further.

T1134 Access Token Manipulation (evidence: 1)

It first grants itself the high integrity SeDebugPrivilege token.

T1574.001 DLL (evidence: 1)

The deployed DLL, 1.dll, is copied to C:\Windows\System32\Wow64\Wow64Log.dll to be side-loaded by any WOW64 processes, as Wow64Log.dll is a phantom DLL

Defense Impairment

2 techniques
T1112 Modify Registry (evidence: 1)

1.bat is a simple batch script that disables User Account Control (UAC) by setting the EnableLUA registry value to 0 ... Set registry key Enable to False to terminate & disable implant persistently ... Configuration parameters are stored in the registry under HKEY_CURRENT_USER\offlinekey

T1553.006 Code Signing Policy Modification (evidence: 1)

The malware directly targets Windows Defender Application Control (WDAC) by writing a policy file to the path C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{31351756-3F24-4963-8380-4E7602335AAE}.cip ... Enabled:Unsigned System Integrity Policy rule, which allows the policy to be loaded without a valid digital signature.

Discovery

3 techniques
T1033 System Owner/User Discovery (evidence: 1)

If not, it attempts to elevate its privileges ... BeaconData { ... uint8_t is_admin ... }

T1057 Process Discovery (evidence: 1)

The malware then scans a list of running processes for specific antivirus solutions ... The third stage ... starts by enumerating running processes and searching for a target by matching process names against a hardcoded list

T1518.001 Security Software Discovery (evidence: 1)

The malware then scans a list of running processes for specific antivirus solutions. It checks against a hardcoded list of process names

Other

2 techniques
T1562.001 Disable or Modify Tools (evidence: 2)

The malware employs an abuse of Protected Process Light (PPL) to disable Windows Defender ... threat actors leverage a valid, signed kernel driver to kill processes ... Custom unsigned WDAC policy applied to block 360 Total Security and Huorong executables

T1562.004 Disable or Modify System Firewall (evidence: 1)

First, it blocks all network communication by changing the firewall ... fhq.bat is another batch script that targets ... 360Safe.exe by creating firewall rules that block inbound and outbound connections to them. It also disables firewall notifications across all profiles.

INDICATORS OF COMPROMISE

IOCs tracked for this family

14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes: 13 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type | Value | Latest sighting
domain | (hidden; full value in app) | 8 months ago
hash.sha256 | (hidden; full value in app) | 8 months ago
hash.sha256 | (hidden; full value in app) | 8 months ago
hash.sha256 | (hidden; full value in app) | 8 months ago
hash.sha256 | (hidden; full value in app) | 8 months ago
hash.sha256 | (hidden; full value in app) | 8 months ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (14)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (3)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (16)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.