Dragon Breath Campaign Trio and Campaign Chorus brand-impersonation Gh0st RAT campaign
Campaign
Summary
Hide ▲
Show ▼
Dragon Breath's Campaign Trio and Campaign Chorus are using trojanized NSIS installers to deliver Gh0st RAT to Chinese-speaking users, widening the risk of remote compromise through trusted-brand lures. The operation spans over 2,000 domains and 40+ app lures, showing a broad and evolving delivery footprint. The newer wave adds intermediary redirection domains and public cloud buckets to fetch payload archives, increasing resilience and reach.
Related Happenings
Sniper Dz free PhaaS ecosystem rebranded to scale phishing operations
Threat Actor Meta
H score43
First: 12.06.2026 11:52
Last: 12.06.2026 11:52
Sources 1
About this happening:
A long-running **Sniper Dz** ecosystem operated as a **free phishing-as-a-service (PhaaS)** platform that repeatedly rebranded, lowering the barrier for large-scale credential the...
Sniper Dz free PhaaS ecosystem rebranded to scale phishing operations
Threat Actor MetaAbout this happening: A long-running **Sniper Dz** ecosystem operated as a **free phishing-as-a-service (PhaaS)** platform that repeatedly rebranded, lowering the barrier for large-scale credential the...
Latest development: 15.06.2026 09:30
Fraudulent Facebook accounts impersonating politicians, public figures, and trusted organizations targeted users across the Middle East and North Africa with fake offers for free mobile internet packages, financial compensation, and government subsidy programs, then routed victims through Linkbio and Linktree decoy pages into Sniper Dz phishing and traffic monetization infrastructure that abuses browser notification permissions, back-button hijacking, tab-under redirections, premium SMS subscriptions, premium-rate calls, and investment scams.
Nimbus Manticore multi-wave aviation and software phishing and SEO poisoning campaign
Campaign
H score36
First: 26.05.2026 10:13
Last: 26.05.2026 10:13
Sources 1
About this happening:
Nimbus Manticore's **February-April 2026** campaign widened into **multi-wave phishing and SEO poisoning**, increasing risk to organizations in the **U.S., Europe, and the Middle...
Nimbus Manticore multi-wave aviation and software phishing and SEO poisoning campaign
CampaignAbout this happening: Nimbus Manticore's **February-April 2026** campaign widened into **multi-wave phishing and SEO poisoning**, increasing risk to organizations in the **U.S., Europe, and the Middle...
Versa Networks launches Secure Enterprise Browser to extend SASE policies into the browser workspace
Security Tool/Service
H score10
First: 22.05.2026 18:43
Last: 22.05.2026 18:43
Sources 1
About this happening:
Versa Networks **released** a **Secure Enterprise Browser** that extends **SASE policies** directly into the **browser workspace**, giving the company a browser-level control poin...
Versa Networks launches Secure Enterprise Browser to extend SASE policies into the browser workspace
Security Tool/ServiceAbout this happening: Versa Networks **released** a **Secure Enterprise Browser** that extends **SASE policies** directly into the **browser workspace**, giving the company a browser-level control poin...
Akamai acquires LayerX for secure enterprise browser expansion
Industry Action
H score13
First: 22.05.2026 18:43
Last: 22.05.2026 18:43
Sources 1
About this happening:
Akamai Technologies agreed to acquire **LayerX** for **$205 million**, expanding its **secure enterprise browser** and **ZTNA** capabilities. The move gives Akamai a browser-layer...
Akamai acquires LayerX for secure enterprise browser expansion
Industry ActionAbout this happening: Akamai Technologies agreed to acquire **LayerX** for **$205 million**, expanding its **secure enterprise browser** and **ZTNA** capabilities. The move gives Akamai a browser-layer...
EvilTokens PhaaS scales device code phishing for low-skilled cybercriminals
Threat Actor Meta
H score32
First: 04.04.2026 17:17
Last: 04.04.2026 17:17
Sources 1
About this happening:
**EvilTokens** is turning **device code phishing** into a **phishing-as-a-service** market, expanding access for **low-skilled cybercriminals** and accelerating competition among...
EvilTokens PhaaS scales device code phishing for low-skilled cybercriminals
Threat Actor MetaAbout this happening: **EvilTokens** is turning **device code phishing** into a **phishing-as-a-service** market, expanding access for **low-skilled cybercriminals** and accelerating competition among...
Timeline
-
17.11.2025 13:20 2 articles · 7mo ago
Dragon Breath Campaign Trio and Campaign Chorus brand-impersonation Gh0st RAT campaign
Initial Disclosure**Campaign Trio** in **February-March 2025** used **i4tools, Youdao, and DeepSeek** impersonation across **2,000+ domains** to seed trojanized installers. That initial wave established the brand-lure model later expanded by **Campaign Chorus**.
Show sources
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20