RONINGLOADER multi-stage delivery of modified Gh0st RAT

Malware Activity
Happening score: 28
1 unique source, 1 article

Summary

RONINGLOADER is being used to deploy a modified Gh0st RAT through a multi-stage infection chain that raises the risk of payload execution and defense bypass on infected Windows hosts. The loader kills security processes, abuses Protected Process Light (PPL), and uses a signed driver and custom Windows Defender Application Control (WDAC) policies to weaken endpoint protection. The final RAT expands operator control with command execution, clipboard theft, and keystroke capture.

Timeline

  1. 17.11.2025 13:20 · 2 articles

    RONINGLOADER delivers modified Gh0st RAT through trojanized installers

    Technical Analysis Update

    Dragon Breath, also tracked as APT-Q-27 and Golden Eye, uses RONINGLOADER to deliver a modified Gh0st RAT to Chinese-speaking users through trojanized NSIS installers masquerading as Google Chrome and Microsoft Teams. The loader removes userland hooks, attempts privilege elevation, scans for Microsoft Defender Antivirus, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security, terminates security processes, abuses PPL and WerFaultSecure.exe for EDR-Freeze, writes a malicious WDAC policy that blocks Qihoo 360 Total Security and Huorong Security, and launches the final payload through regsvr32.exe into high-privilege system processes.