The Dragon Breath threat actor uses sophisticated multi-stage loaders and Trojanized installers to deliver Gh0st RAT targeting Chinese-speaking users. Their campaigns evolve by employing complex infection chains and legitimate software to evade security defenses. #DragonBreath #Gh0stRAT #APTQ27 #MiuutiGroup
Key points
- Dragon Breath has been active since at least 2020 and is linked to the Miuuti Group, which targets Asian regions.
- The threat actor employs trojanized installers masquerading as legitimate applications like Chrome and Teams.
- They use multi-stage loaders like RONINGLOADER to bypass security tools and elevate privileges.
- The campaigns feature large-scale brand impersonation, mimicking popular Chinese applications.
- Final payloads include a modified Gh0st RAT capable of keylogging, command execution, and system control.
Read More: https://thehackernews.com/2025/11/dragon-breath-uses-roningloader-to.html