- Content source
- https://www.elastic.co/security-labs/roningloader
EDR-Freeze has been discussed here earlier, and the Dragon Breath backdoor was not detected by Avast/AVG according to this thread on MalwareTips:
Summary:
Elastic Security Labs uncovered a Dragon Breath APT (APT-Q-27) campaign using trojanized NSIS installers to deploy RONINGLOADER, a multi-stage Gh0st RAT variant leveraging signed drivers, custom WDAC policies, PPL abuse, and advanced process injection via thread pools to terminate AVs like Windows Defender and Qihoo 360, disable firewalls and UAC, achieve persistence through service-based DLL sideloading, and maintain C2 communication for keylogging, clipboard hijacking, and data exfiltration over encrypted TCP channels.
RONINGLOADER, used by the Dragon Breath APT, achieved Windows Defender bypass with a novel twist: it incorporated an open-source public WD bypass tool as part of its chain. The malware abused the Protected Process Light (PPL) mechanism to disable or corrupt Defender, specifically invoking ClipUp.exe with crafted parameters to overwrite the Defender binary after mirroring code directly from the open-source tool EDR-Freeze, which published details on this PPL abuse technique in mid-2025. By automating this abuse through a simple Windows command, RONINGLOADER could reliably neutralize Microsoft Defender—even after a reboot—by executing the open-source bypass logic as part of its multi-stage attack chain.
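A defender-side triage check for the ClipUp.exe step described above, added here as an example (it is not code from Elastic Security Labs, from the thread, or from the malware); the process-creation log format, the parent-process allowlist and the sample records are constructed assumptions:

```python
"""Flag ClipUp.exe launches that fall outside an assumed baseline, the behaviour the
thread describes (a PPL-signed Windows binary pointed at Defender's install path)."""
import ntpath
from typing import Dict, List

# Assumption (not from the page): on a managed endpoint ClipUp.exe, a Windows licensing
# helper, is only expected under these parents. Tune the list per environment.
EXPECTED_PARENTS = {"svchost.exe", "setuphost.exe", "setup.exe"}
# A ClipUp.exe command line that references Defender's directory is the overwrite
# behaviour described in the summary; the marker is matched case-insensitively.
DEFENDER_MARKER = "\\windows defender\\"


def parse_event(line: str) -> Dict[str, str]:
    """Parse a constructed 'image|parent_image|command_line' process-creation record."""
    image, parent, cmdline = line.split("|", 2)
    return {"image": image, "parent": parent, "cmdline": cmdline}


def assess_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means it passes."""
    reasons: List[str] = []
    if ntpath.basename(event["image"]).lower() != "clipup.exe":
        return reasons  # only ClipUp.exe launches are in scope for this check
    parent = ntpath.basename(event["parent"]).lower()
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent}")
    if DEFENDER_MARKER in event["cmdline"].lower():
        reasons.append("command line references the Defender install directory")
    return reasons


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Run every record through assess_event and keep only the flagged ones."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        event = parse_event(line)
        reasons = assess_event(event)
        if reasons:
            findings.append({"image": event["image"], "parent": event["parent"], "reasons": reasons})
    return findings


# Constructed sample records (not real telemetry): a baseline launch, an unrelated
# process, and one matching the thread (spawned by a dropped installer, aimed at Defender).
SAMPLE_EVENTS = [
    r"C:\Windows\System32\ClipUp.exe|C:\Windows\System32\svchost.exe|ClipUp.exe",
    r"C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad.exe readme.txt",
    r"C:\Windows\System32\ClipUp.exe|C:\Users\Public\installer.exe|"
    r"ClipUp.exe <crafted-args> C:\Program Files\Windows Defender\MsMpEng.exe",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```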
Last year, it took Avast more than 3 months to finally detect a false-negative fake 360, which had been VT 30+ or maybe more for a long time, as malware.
This time we talk about MD. Although it has not been that long until now, it has been a few weeks since I submitted the following false-negative fake app to Microsoft, and I resubmitted it again this week, but MD just missed it. Is it common, and does it happen often to all vendors?
The sample: VirusTotal
Anyrun report: Analysis https://wormhole.app/E42JRQ#A821lv6tQ3BAfdyFfM30HQ Malicious activity -...
- RRlight
- Replies: 11
- Forum: General Security Discussions
RONINGLOADER: DragonBreath’s New Path to PPL Abuse — Elastic Security Labs
Elastic Security Labs uncovers RONINGLOADER, a multi-stage loader deploying DragonBreath’s updated gh0st RAT variant. The campaign weaponizes signed drivers, thread-pool injection, and PPL abuse to disable Defender and evade Chinese EDR tools.