Dragon Breath Campaign Trio and Campaign Chorus brand-impersonation Gh0st RAT campaign
Campaign
Summary
Dragon Breath's Campaign Trio and Campaign Chorus are using trojanized NSIS installers to deliver Gh0st RAT to Chinese-speaking users, widening the risk of remote compromise through trusted-brand lures. The operation spans over 2,000 domains and 40+ app lures, showing a broad and evolving delivery footprint. The newer wave adds intermediary redirection domains and public cloud buckets to fetch payload archives, increasing resilience and reach.
Related Happenings
Nimbus Manticore multi-wave aviation and software phishing and SEO poisoning campaign
Campaign
First: 26.05.2026 10:13
Last: 26.05.2026 10:13
Sources 1
About this happening:
Nimbus Manticore's **February-April 2026** campaign widened into **multi-wave phishing and SEO poisoning**, increasing risk to organizations in the **U.S., Europe, and the Middle...
Versa Networks launches Secure Enterprise Browser to extend SASE policies into the browser workspace
Security Tool/Service
First: 22.05.2026 18:43
Last: 22.05.2026 18:43
Sources 1
About this happening:
Versa Networks **released** a **Secure Enterprise Browser** that extends **SASE policies** directly into the **browser workspace**, giving the company a browser-level control poin...
Akamai acquires LayerX for secure enterprise browser expansion
Industry Action
First: 22.05.2026 18:43
Last: 22.05.2026 18:43
Sources 1
About this happening:
Akamai Technologies agreed to acquire **LayerX** for **$205 million**, expanding its **secure enterprise browser** and **ZTNA** capabilities. The move gives Akamai a browser-layer...
EvilTokens PhaaS scales device code phishing for low-skilled cybercriminals
Threat Actor Meta
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
**EvilTokens** is turning **device code phishing** into a **phishing-as-a-service** market, expanding access for **low-skilled cybercriminals** and accelerating competition among...
Contagious Interview cryptocurrency social-engineering and malware-delivery campaign
Campaign
First: 23.03.2026 20:09
Last: 23.03.2026 20:09
Sources 1
About this happening:
A **North Korean** cluster behind **Contagious Interview / WaterPlum** is running a coordinated **malware campaign** against **cryptocurrency professionals**, increasing the risk...
Timeline
- 17.11.2025 13:20 · 2 articles · 6mo ago
Dragon Breath Campaign Trio and Campaign Chorus brand-impersonation Gh0st RAT campaign
Initial Disclosure: **Campaign Trio** in **February-March 2025** used **i4tools, Youdao, and DeepSeek** impersonation across **2,000+ domains** to seed trojanized installers. That initial wave established the brand-lure model later expanded by **Campaign Chorus**.
Sources:
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20