Find notable cyber news and cases, enriched with sources, timelines, and signals.

RONINGLOADER multi-stage delivery of modified Gh0st RAT

Malware Activity
First reported
Last updated
Happening score
H score 24
1 unique sources, 1 articles

Summary

Hide ▲

RONINGLOADER is being used to deploy a modified Gh0st RAT, creating a multi-stage infection chain that raises the risk of payload execution and defense bypass on infected Windows hosts. The loader kills security processes, abuses PPL, and uses a signed driver and custom WDAC policies to weaken endpoint protection. The final RAT expands operator control with command execution, clipboard theft, and keystroke capture.

Related Happenings

GigaWiper / BLUERABBIT destructive Windows backdoor activity

Malware Activity
H score31 First: 09.07.2026 21:08 Last: 09.07.2026 21:08 Sources 1

About this happening: The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...

Millenium RAT Windows malware activity and native C++ rewrite

Malware Activity
H score62 First: 29.06.2026 17:30 Last: 29.06.2026 17:30 Sources 1

About this happening: The **Millenium RAT** malware activity is spreading across **Windows** systems, with **60,000+ infections** in **160+ countries** and a newer **native C++** build that helps it ev...

OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading

Malware Activity
H score20 First: 22.06.2026 16:20 Last: 22.06.2026 16:20 Sources 1

About this happening: The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...

Gentlemen ransomware EDR-killer tooling

Malware Activity
H score35 First: 19.06.2026 01:31 Last: 19.06.2026 01:31 Sources 1

About this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...

Potemkin loader delivering EtherRAT and RMMProject in memory

Malware Activity
H score29 First: 16.06.2026 20:41 Last: 16.06.2026 20:41 Sources 1

About this happening: The **Potemkin** loader is delivering **EtherRAT** and **RMMProject** to **Windows** systems, giving operators in-memory payload execution and **browser credential theft**. The lo...

Timeline

  1. 17.11.2025 13:20 2 articles · 7mo ago

    RONINGLOADER delivers modified Gh0st RAT through trojanized installers

    Technical Analysis Update

    Dragon Breath, also tracked as APT-Q-27 and Golden Eye, uses RONINGLOADER to deliver a modified Gh0st RAT to Chinese-speaking users through trojanized NSIS installers masquerading as Google Chrome and Microsoft Teams. The loader removes userland hooks, attempts privilege elevation, scans for Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security, terminates security processes, abuses PPL and WerFaultSecure.exe for EDR-Freeze, writes a malicious WDAC policy that blocks Qihoo 360 Total Security and Huorong Security, and launches the final payload through regsvr32.exe into high-privilege system processes.

    Show sources