Dragon Breath APT Deploys RONINGLOADER for Gh0st RAT Attacks

Cyber Security News by CyberSum.net

Published on November 17, 2025 at 03:00 PM

3 sources

The Dragon Breath threat actor has been observed using a multi-stage loader called RONINGLOADER to deliver a modified Gh0st RAT. The campaign targets Chinese-speaking users with trojanized installers disguised as legitimate software. The infection chain employs various evasion techniques, including signed drivers and custom WDAC policies, to neutralize endpoint security products. The final payload, Gh0st RAT, is designed to communicate with a remote server for further instructions and data exfiltration.

Also Read

Kraken Ransomware: New Encryption Benchmarking Feature

The Kraken ransomware, targeting Windows, Linux, and VMware ESXi systems, has introduced a unique feature that tests machine performance to optimize encryption speed. This ransomware, linked to the defunct HelloKitty group, engages in big-game hunting and double extortion attacks. It exploits SMB vulnerabilities for initial access and uses tools like Cloudflared and SSHFS for data exfiltration. Kraken's data leak site lists victims from various regions, and it operates a new cybercrime forum called 'The Last Haven Board'.

By Cyber Security News by CyberSum.netNovember 14, 2025 at 06:00 AM