Emulating the Multi-Stage RoningLoader Malware

DragonBreath (APT-Q-27) is a persistent, evolving threat actor targeting Chinese-speaking users with a modified variant of the open-source gh0st RAT and has focused on cryptocurrency-related and gaming VPN software since at least 2022. AttackIQ published a RoningLoader emulation in its AEV platform to reproduce the group’s post-compromise TTPs and help organizations validate detection, prevention, and continuous testing of security controls. #DragonBreath #RoningLoader

Keypoints

  • DragonBreath (APT-Q-27) has been active since at least 2022 and has shown increasing technical capability and adaptability through 2025.
  • The group distributes a modified variant of the open-source gh0st RAT and targets Chinese-speaking users, with interest in cryptocurrency-related software and gaming VPN tools.
  • AttackIQ released an emulation (RoningLoader – 2025-11) in its Adversarial Exposure Validation (AEV) Platform to replicate DragonBreath post-compromise behaviors.
  • The emulation covers multiple post-compromise tactics: Execution, Persistence, Privilege Escalation, Defense Evasion, and Discovery, with specific techniques mapped to ATT&CK IDs.
  • Key simulated techniques include StartServiceA/sc.exe service execution, CreateServiceA persistence, SeDebugPrivilege and token inspection for privilege escalation, DLL injection/side-loading and RegSvr32 for defense evasion, and process discovery via native APIs.
  • Organizations can use the emulation to evaluate security controls, continuously validate detection/prevention pipelines, and improve incident response and security posture against a stealthy adversary.

MITRE Techniques

  • [T1569.002] Service Execution – Simulates service execution to run adversary code or escalate privileges via service modification; (‘Service Execution Using “StartServiceA” (T1569.002): This scenario executes the StartServiceA Windows API to simulate service execution, which can also be used to escalate privileges from Administrator to SYSTEM by modifying an existing service.’)
  • [T1569.002] Service Execution (sc.exe) – Simulates use of the sc.exe utility to execute or modify services for persistence or escalation; (‘Service Execution using “sc.exe” (T1569.002): This scenario simulates service execution, which can also be used to escalate privileges from Administrator to SYSTEM by modifying an existing service.’)
  • [T1543.003] Create or Modify System Process (New Service) – Simulates creating a Windows service with CreateServiceA for persistence (demand start mode); (‘New! New Service using “CreateServiceA” (T1543.003): This scenario simulates the creation of a Windows service to help security analysts assess their ability to detect such events.’)
  • [T1134] Access Token Manipulation – Simulates enabling SeDebugPrivilege and inspecting token information via GetTokenInformation to escalate or assess privileges; (‘Enable “SeDebugPrivilege” Privilege via Native API (T1134): This scenario enables the SeDebugPrivilege privilege for the current process using the AdjustTokenPrivileges Windows API.’ and ‘Obtain System Token information via “GetTokenInformation” Windows API (T1134): This scenario simulates an inspection of the operating system’s access tokens via the GetTokenInformation Windows API call…’)
  • [T1055.001] Process Injection – DLL injection using CreateRemoteThread and LoadLibrary to inject adversary code into another process; (‘Code Injection via Load Library and Create Remote Thread (T1055.001): This scenario performs the injection of a Dynamic-link Library (DLL) into a process utilizing CreateRemoteThread and LoadLibrary.’)
  • [T1574.002] DLL Side-Loading – Uses a legitimate executable to load a malicious DLL to evade detection and run malicious code under a trusted parent process; (‘DLL Side-Loading (T1574.002): This scenario leverages a legitimate and trusted executable to load a malicious Dynamic-link Library (DLL).’)
  • [T1548.002] Bypass User Account Control – Disables UAC via the registry to reduce prompts and run elevated actions without user consent; (‘Disable UAC via Registry (T1548.002): This scenario disables the User Account Control (UAC) via the Windows registry.’)
  • [T1218.010] Signed Binary Proxy Execution (RegSvr32) – Executes a DLL through regsvr32 to run code via a native Windows binary as a parent process; (‘Execute DLL Through RegSvr32 (T1218.010): …This scenario executes RegSvr32 with an AttackIQ binary.’)
  • [T1057] Process Discovery – Uses CreateToolhelp32Snapshot and Process32First/Process32Next to enumerate running processes for discovery and targeting; (‘Process Discovery via Native API (T1057): This scenario executes the CreateToolhelp32Snapshot Windows native API call to retrieve a list of running processes, then iterates through each process object using Process32FirstW and Process32NextW.’)
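The techniques above are what a detection pipeline should light up when the emulation runs. The following added example (not code from AttackIQ or the original post) shows one way to validate that: it maps constructed Windows Security and Sysmon event records to the ATT&CK IDs listed here. The event field names follow the standard Security log (4688, 4703, 7045) and Sysmon (8, 13) schemas; the sample events, service name and file paths are constructed for the example, not captured telemetry.

```python
"""Map constructed Windows Security/Sysmon events to the ATT&CK techniques
exercised by the RoningLoader emulation (added example, not AttackIQ code)."""
import re

# Paths a service binary or regsvr32-loaded DLL normally should not live in.
USER_WRITABLE = re.compile(r"\\users\\|\\programdata\\|\\temp\\", re.IGNORECASE)

# Constructed sample events (not real telemetry), normalised to flat dicts.
SAMPLE_EVENTS = [
    {"id": 7045, "ServiceName": "UpdSvc", "ImagePath": r"C:\Users\Public\svc.exe", "StartType": "demand start"},
    {"id": 4688, "NewProcessName": r"C:\Windows\System32\sc.exe", "CommandLine": "sc.exe start UpdSvc"},
    {"id": 4703, "ProcessName": r"C:\Users\Public\svc.exe", "EnabledPrivilegeList": "SeDebugPrivilege"},
    {"id": 8, "SourceImage": r"C:\Users\Public\svc.exe", "TargetImage": r"C:\Windows\explorer.exe",
     "StartFunction": "LoadLibraryW"},
    {"id": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"id": 4688, "NewProcessName": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\p.dll"},
    {"id": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},  # benign
]

def match_event(ev):
    """Return the set of ATT&CK IDs an event supports (empty if nothing matches)."""
    hits = set()
    cmd = ev.get("CommandLine", "").lower()
    exe = ev.get("NewProcessName", "").lower()
    if ev["id"] == 7045 and USER_WRITABLE.search(ev.get("ImagePath", "")):
        hits.add("T1543.003")  # new service whose binary sits in a user-writable path
    if ev["id"] == 4688 and exe.endswith("\\sc.exe") and re.search(r"\b(create|config|start)\b", cmd):
        hits.add("T1569.002")  # sc.exe used to create/modify/start a service
    if ev["id"] == 4688 and exe.endswith("\\regsvr32.exe") and USER_WRITABLE.search(cmd):
        hits.add("T1218.010")  # regsvr32 registering a DLL from a user-writable path
    if ev["id"] == 4703 and "sedebugprivilege" in ev.get("EnabledPrivilegeList", "").lower():
        hits.add("T1134")  # token right adjusted: SeDebugPrivilege enabled
    if ev["id"] == 8 and ev.get("StartFunction", "").lower().startswith("loadlibrary"):
        hits.add("T1055.001")  # CreateRemoteThread whose start address is LoadLibrary
    if ev["id"] == 13 and ev.get("TargetObject", "").endswith("\\System\\EnableLUA") \
            and "0x00000000" in ev.get("Details", ""):
        hits.add("T1548.002")  # EnableLUA set to 0 disables UAC
    return hits

def triage(events):
    """Group matching events by technique ID; events with no match are dropped."""
    by_technique = {}
    for ev in events:
        for tid in match_event(ev):
            by_technique.setdefault(tid, []).append(ev)
    return by_technique
```

Running `triage(SAMPLE_EVENTS)` against logs collected during the emulation shows which of the listed techniques your telemetry actually surfaces; any ID missing from the result is a coverage gap to close before the real loader arrives.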

Indicators of Compromise

  • [Malware/Tool] Reported malicious tools and loaders – RoningLoader, modified gh0st RAT
  • [Windows Utilities] Legitimate utilities abused for execution and detection evasion – regsvr32.exe, sc.exe
  • [Artifacts/Binaries] Examples of abused artifacts used in the scenarios – malicious DLLs loaded via CreateRemoteThread/LoadLibrary and an “AttackIQ binary” used with RegSvr32

Read more: https://www.attackiq.com/2026/04/07/roningloader-malware/