RoningLoader - New Malware Campaign Evades Detection Tactics

Significant risk — action recommended within 24-48 hours
In short: RoningLoader is a malware loader built to stay hidden and to switch off the security tools that would otherwise catch it.
A new stealthy malware campaign named RoningLoader has emerged, targeting Chinese-speaking users. It disguises itself as installers for trusted software such as Google Chrome and Microsoft Teams, and its later stages are designed to disable security products rather than merely evade them. Organizations in the targeted regions should treat it as a live threat.
What Happened
A threat actor known as DragonBreath has launched a stealthy campaign built around a multi-stage malware loader called RoningLoader. The campaign targets Chinese-speaking users and delivers the loader inside installers that pose as trusted applications such as Google Chrome and Microsoft Teams. The chain combines DLL side-loading, code injection, and signed kernel drivers, with the end goal of disabling security tools without being noticed.
How It Works
RoningLoader first appeared in threat intelligence reports in November 2025, documented by Elastic Security Labs. It spreads through trojanized installers built with NSIS (Nullsoft Scriptable Install System), a legitimate installer framework that attackers often abuse because it runs arbitrary install scripts and is rarely blocked outright. When a victim runs one of these fake installers, it drops a malicious DLL and an encrypted file disguised as a PNG image. Once decrypted, that file holds shellcode that runs the next stage entirely in memory, so the later payloads are never written to disk in plaintext and leave few artifacts for file-based scanners.
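The "encrypted file disguised as a PNG" artifact is something a responder can check for directly. The triage helper below is an added example, not code from the original page or from the Elastic report: it walks a directory such as an extracted installer, keeps only files that claim to be images, and flags any that lack the PNG signature, then records whether the content looks like a renamed PE file or an opaque high-entropy blob. The sample files are constructed, not real RoningLoader artifacts.

```python
"""Triage files that claim to be PNG images but may be encrypted payloads.

Added example (not from the page or the report it summarises). Sample data is constructed.
"""
import math
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # 8-byte signature every real PNG starts with
PE_MAGIC = b"MZ"                   # DOS header that starts every Windows PE file
ENTROPY_THRESHOLD = 7.5            # bits/byte; random or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def classify_image(name: str, data: bytes) -> dict:
    """Verdict for a file presented as an image: genuine PNG, renamed PE, or opaque blob."""
    entropy = round(shannon_entropy(data), 2)
    reasons = []
    if not data.startswith(PNG_MAGIC):
        reasons.append("no PNG signature")
        if data.startswith(PE_MAGIC):
            reasons.append("starts with MZ: a PE file renamed to .png")
        elif entropy >= ENTROPY_THRESHOLD:
            reasons.append(f"entropy {entropy} bits/byte with no image header: likely encrypted payload")
    return {"name": name, "entropy": entropy, "suspicious": bool(reasons), "reasons": reasons}


def sweep(root: Path, suffixes=(".png",)) -> list:
    """Walk a directory (e.g. an extracted installer) and return only the suspicious image files."""
    results = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            verdict = classify_image(str(path), path.read_bytes())
            if verdict["suspicious"]:
                results.append(verdict)
    return results


# Constructed samples (not real RoningLoader artifacts):
SAMPLES = {
    "logo.png": PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + bytes(16),  # starts like a real PNG
    "res.png": bytes(range(256)) * 16,                             # uniform bytes, entropy exactly 8.0
    "icon.png": PE_MAGIC + bytes(200),                              # unencrypted PE renamed to .png
}


def triage_samples() -> list:
    """Run the classifier over the constructed samples and return the suspicious ones."""
    return [v for v in (classify_image(n, d) for n, d in SAMPLES.items()) if v["suspicious"]]


if __name__ == "__main__":
    for verdict in triage_samples():
        print(verdict["name"], verdict["entropy"], "; ".join(verdict["reasons"]))
```

Two caveats on the design: genuine PNGs are themselves high-entropy (the IDAT chunks are zlib-compressed), so the entropy test is only applied after the signature test fails; and a payload that has a real PNG header prepended will pass the signature test, so the next steps in a hunt are size anomalies, hash lookups and whether the "image" is ever read by the side-loaded DLL.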
Who's Being Targeted
The primary targets of this campaign include users in China, Taiwan, Hong Kong, Japan, Singapore, and the Philippines. DragonBreath, also tracked as APT-Q-27, has been active since at least 2020, focusing on sectors like online gaming and gambling.
Signs of Infection
The traces below follow from RoningLoader's layered evasion. The chain starts with a trojanized installer that launches the legitimate application the user expected while the malware runs in the background, so a working Chrome or Teams install is not evidence that nothing happened. The loader relies on DLL side-loading: it places a rogue DLL where a trusted Windows executable will load it in place of the real library, so the tell is a signed executable loading an unsigned DLL from a user-writable directory such as Temp or AppData. It then injects code into regsvr32.exe, so regsvr32.exe spawned by an installer rather than from a user session is another indicator. Later stages change UAC settings in the registry, install new services (including signed kernel drivers) and stop security products such as Microsoft Defender.
How to Protect Yourself
To defend against RoningLoader, security teams should:
- Monitor for unusual DLL loads from trusted Windows executables, for example a signed binary loading an unsigned DLL from a user-writable path (Sysmon Event ID 7).
- Flag instances of regsvr32.exe whose parent is an installer or another non-interactive process rather than a user shell (Sysmon Event ID 1 or Security Event ID 4688).
- Set alerts on changes to the User Account Control (UAC) policy values in the registry and on unexpected service creations, including kernel driver services (System log Event ID 7045).
- Regularly validate security controls against RoningLoader's documented tactics, techniques, and procedures (TTPs).
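The four monitoring points above can be expressed as simple rules over endpoint telemetry. The rule set below is an added example, not the page's or Elastic's detection content; it runs over constructed Sysmon events (ProcessCreate 1, ImageLoad 7, RegistryValueSet 13) and a Service Control Manager 7045 event, using the field names those events carry. The side-loaded DLL name list and the sample events are constructed starting points to be tuned per environment.

```python
"""Detection rules for the monitoring points above, over constructed Sysmon/System events.

Added example (not from the page or the report). SYSTEM_DLL_NAMES and SAMPLE_EVENTS are constructed.
"""
import ntpath

WINDOWS_DIR = "c:\\windows\\"
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}
# DLL names commonly side-loaded beside a copied signed executable (starter list; extend it).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll", "msimg32.dll"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_windows_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIR)


def rule_dll_sideload(ev: dict):
    """Sysmon 7: unsigned DLL loaded by a binary under C:\\Windows, or loaded from beside a
    copied executable under a system DLL's name. Signed/Signature describe ImageLoaded."""
    if ev.get("EventID") != 7 or ev.get("Signed", "").lower() != "false":
        return None
    exe, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if _in_windows_dir(dll):
        return None
    beside_exe = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
    if _in_windows_dir(exe) or (beside_exe and _base(dll) in SYSTEM_DLL_NAMES):
        return f"{_base(exe)} loaded unsigned {dll}"
    return None


def rule_regsvr32(ev: dict):
    """Sysmon 1: regsvr32.exe not started from an interactive shell, or started with no DLL
    argument (a bare regsvr32.exe is a common sacrificial host for injection in general)."""
    if ev.get("EventID") != 1 or _base(ev.get("Image", "")) != "regsvr32.exe":
        return None
    parent = _base(ev.get("ParentImage", ""))
    argc = len(ev.get("CommandLine", "").split())  # whitespace split is enough for a heuristic
    if parent not in INTERACTIVE_PARENTS or argc <= 1:
        return f"regsvr32.exe spawned by {parent} with command line {ev.get('CommandLine')!r}"
    return None


def rule_uac_registry(ev: dict):
    """Sysmon 13: a UAC policy value under HKLM\\...\\Policies\\System set to 0."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "").lower()
    if "\\policies\\system\\" in target and _base(target) in UAC_VALUES \
            and ev.get("Details", "").endswith("(0x00000000)"):
        return f"{target} set to {ev['Details']}"
    return None


def rule_service_install(ev: dict):
    """System 7045: kernel driver installed from outside System32\\drivers, or any new
    service whose binary lives in a user-writable directory."""
    if ev.get("EventID") != 7045:
        return None
    image = ev.get("ImagePath", "").lower().strip('"').removeprefix("\\??\\")
    if ev.get("ServiceType", "").lower() == "kernel mode driver" and "\\system32\\drivers\\" not in image:
        return f"kernel driver service {ev.get('ServiceName')} from {image}"
    if any(marker in image for marker in USER_WRITABLE):
        return f"service {ev.get('ServiceName')} from user-writable path {image}"
    return None


RULES = {"dll_sideload": rule_dll_sideload, "regsvr32": rule_regsvr32,
         "uac_registry": rule_uac_registry, "service_install": rule_service_install}


def run_rules(events) -> list:
    """Apply every rule to every event; return alerts in event order."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                alerts.append({"rule": name, "detail": detail})
    return alerts


# Constructed events (not captured from a real infection):
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\li\Downloads\ChromeSetup.exe",          # user double-clicks installer
     "CommandLine": r'"C:\Users\li\Downloads\ChromeSetup.exe"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "Image": r"C:\Users\li\AppData\Local\Temp\nsa1F2.tmp\update.exe",   # side-load
     "ImageLoaded": r"C:\Users\li\AppData\Local\Temp\nsa1F2.tmp\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",                 # benign system DLL load
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe", "CommandLine": "regsvr32.exe",
     "ParentImage": r"C:\Users\li\AppData\Local\Temp\nsa1F2.tmp\update.exe"},  # injection host
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",                # benign admin usage
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"', "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},                                          # UAC switched off
    {"EventID": 7045, "ServiceName": "drvhelper", "ImagePath": r"\??\C:\ProgramData\drv\helper.sys",
     "ServiceType": "kernel mode driver", "StartType": "demand start"},          # driver from ProgramData
]

if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(alert["rule"], "->", alert["detail"])
```

Two points to keep in mind when adapting this: in Sysmon Event ID 7 the Signed, Signature and SignatureStatus fields describe the loaded DLL, not the process that loaded it, so the trust decision about the host executable here rests on its path; and software deployment tools legitimately spawn regsvr32.exe /s from non-interactive parents, so the regsvr32 rule needs an allow list for those parents before it goes into production.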
Conclusion
RoningLoader represents a significant threat due to its sophisticated evasion tactics and ability to disable security products like Microsoft Defender. By understanding its methods and implementing proactive security measures, organizations can better protect themselves against this evolving malware landscape.
🔍 How to Check If You're Affected
1. Search image-load telemetry (Sysmon Event ID 7) for unsigned DLLs loaded from user-writable directories by signed executables, especially DLLs that carry the name of a system library.
2. Search process-creation telemetry (Sysmon Event ID 1, Security Event ID 4688) for regsvr32.exe whose parent is an installer or another non-interactive process.
3. Review the UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA, ConsentPromptBehaviorAdmin) for unexpected changes, and review System log Event ID 7045 for services or kernel drivers installed from unusual paths.
🗺️ MITRE ATT&CK Techniques
Mapped from the behaviors described above:
- T1204.002 User Execution: Malicious File (trojanized installer)
- T1036.005 Masquerading: Match Legitimate Name or Location (posing as Chrome and Teams installers)
- T1574 Hijack Execution Flow (DLL side-loading)
- T1027 Obfuscated Files or Information (encrypted payload disguised as a PNG)
- T1218.010 System Binary Proxy Execution: Regsvr32
- T1055 Process Injection
- T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
- T1543.003 Create or Modify System Process: Windows Service
- T1553.002 Subvert Trust Controls: Code Signing (signed kernel drivers)
- T1562.001 Impair Defenses: Disable or Modify Tools
🔒 Pro insight: RoningLoader's multi-layered evasion tactics highlight the increasing sophistication of malware targeting specific demographics.