RONINGLOADER multi-stage delivery of modified Gh0st RAT
Malware Activity
Summary
Hide ▲
Show ▼
RONINGLOADER is being used to deploy a modified Gh0st RAT, creating a multi-stage infection chain that raises the risk of payload execution and defense bypass on infected Windows hosts. The loader kills security processes, abuses PPL, and uses a signed driver and custom WDAC policies to weaken endpoint protection. The final RAT expands operator control with command execution, clipboard theft, and keystroke capture.
Related Happenings
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware Activity
H score31
First: 09.07.2026 21:08
Last: 09.07.2026 21:08
Sources 1
About this happening:
The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware ActivityAbout this happening: The **GigaWiper / BLUERABBIT** malware activity now combines **disk wiping**, **fake ransomware**, and **spyware backdoor** functions on **Windows**, increasing the chance that on...
Millenium RAT Windows malware activity and native C++ rewrite
Malware Activity
H score62
First: 29.06.2026 17:30
Last: 29.06.2026 17:30
Sources 1
About this happening:
The **Millenium RAT** malware activity is spreading across **Windows** systems, with **60,000+ infections** in **160+ countries** and a newer **native C++** build that helps it ev...
Millenium RAT Windows malware activity and native C++ rewrite
Malware ActivityAbout this happening: The **Millenium RAT** malware activity is spreading across **Windows** systems, with **60,000+ infections** in **160+ countries** and a newer **native C++** build that helps it ev...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware Activity
H score20
First: 22.06.2026 16:20
Last: 22.06.2026 16:20
Sources 1
About this happening:
The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware ActivityAbout this happening: The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
Gentlemen ransomware EDR-killer tooling
Malware Activity
H score35
First: 19.06.2026 01:31
Last: 19.06.2026 01:31
Sources 1
About this happening:
**Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
Gentlemen ransomware EDR-killer tooling
Malware ActivityAbout this happening: **Gentlemen ransomware-as-a-service (RaaS)** is actively maintaining a suite of **EDR killers** led by **GentleKiller** to disable endpoint defenses before encryption. ESET says t...
Potemkin loader delivering EtherRAT and RMMProject in memory
Malware Activity
H score29
First: 16.06.2026 20:41
Last: 16.06.2026 20:41
Sources 1
About this happening:
The **Potemkin** loader is delivering **EtherRAT** and **RMMProject** to **Windows** systems, giving operators in-memory payload execution and **browser credential theft**. The lo...
Potemkin loader delivering EtherRAT and RMMProject in memory
Malware ActivityAbout this happening: The **Potemkin** loader is delivering **EtherRAT** and **RMMProject** to **Windows** systems, giving operators in-memory payload execution and **browser credential theft**. The lo...
Timeline
-
17.11.2025 13:20 2 articles · 7mo ago
RONINGLOADER delivers modified Gh0st RAT through trojanized installers
Technical Analysis UpdateDragon Breath, also tracked as APT-Q-27 and Golden Eye, uses RONINGLOADER to deliver a modified Gh0st RAT to Chinese-speaking users through trojanized NSIS installers masquerading as Google Chrome and Microsoft Teams. The loader removes userland hooks, attempts privilege elevation, scans for Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security, terminates security processes, abuses PPL and WerFaultSecure.exe for EDR-Freeze, writes a malicious WDAC policy that blocks Qihoo 360 Total Security and Huorong Security, and launches the final payload through regsvr32.exe into high-privilege system processes.
Show sources
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20
- Dragon Breath Uses RONINGLOADER to Disable Security Tools and Deploy Gh0st RAT — thehackernews.com — 17.11.2025 13:20