RoningLoader malware campaign hides behind fake Chrome and Teams installers to disable security tools


RoningLoader is a stealthy malware loader tied to DragonBreath, also tracked as APT-Q-27. It targets Chinese-speaking users and spreads through trojanized NSIS installers that pretend to be trusted software such as Google Chrome and Microsoft Teams. Elastic Security Labs documented the campaign in November 2025, while AttackIQ published a fresh adversary emulation update on April 7, 2026 based on that activity.

The malware matters because it does more than launch a single payload. Elastic says RoningLoader uses a layered infection chain with signed drivers, thread-pool injection, process abuse, and multiple fallback methods designed to shut down security products and keep the attack running even if one evasion step fails.

At the end of the chain, the attackers deploy a modified gh0st RAT variant. That gives them remote access, persistence, and room for follow-on activity such as surveillance, credential theft, or lateral movement inside a compromised Windows environment.

How the infection starts

The campaign begins with fake installers built with NSIS, a legitimate Windows installer framework that attackers often abuse. Elastic found that these installers drop both a real application and malicious files, which helps the infection stay hidden because the victim sees expected software behavior in the foreground while the malicious chain runs in the background.

Elastic says RoningLoader drops a malicious DLL and encrypted data disguised as an image file. The next stage then executes largely in memory, which reduces disk evidence and makes the malware harder to spot with basic file-based detection.

AttackIQ’s April 2026 emulation adds more detail for defenders. It maps the observed post-compromise behavior to MITRE ATT&CK techniques including DLL side-loading, regsvr32 abuse, code injection through CreateRemoteThread and LoadLibrary, UAC-related registry tampering, service execution, service creation, and process discovery.

Why RoningLoader is hard to detect

One reason RoningLoader stands out is its use of trusted Windows components and signed elements to blend in. Elastic says the campaign weaponizes signed drivers and abuses Protected Process Light, or PPL, to tamper with Microsoft Defender and evade Chinese endpoint detection products.

AttackIQ also highlights DLL side-loading and regsvr32 execution as core parts of the malware’s defense evasion playbook. Those techniques let attackers run malicious code under the cover of legitimate executables and native Windows tools, which often lowers suspicion in environments that rely too heavily on allowlists or parent-process trust.

The campaign also tries to gain stronger privileges before disabling defenses. AttackIQ’s emulation includes enabling SeDebugPrivilege, querying token information, and using service-related execution paths that can help move from admin-level access toward SYSTEM-level control.

What security products the malware tries to disable

Elastic says DragonBreath built this campaign with a strong focus on neutralizing defensive software popular in the Chinese market. Its November 2025 report specifically says the loader aimed to disable Defender and evade Chinese EDR tools through multiple redundant methods.

Other coverage claims that the malware disables products such as Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security. That lines up in part with Elastic’s reporting on Chinese endpoint-focused targeting, but Elastic’s own primary-source wording is broader: it explicitly documented efforts to disable Defender and bypass Chinese EDR products, rather than publishing one short vendor list as a final summary statement.

That distinction matters because it keeps the reporting precise. The strongest verified takeaway is that RoningLoader was built to knock out or bypass endpoint defenses before it deploys its final remote access payload.

RoningLoader techniques at a glance

Area                 | Verified behavior
---------------------|--------------------------------------------------------------------------------------------
Initial access       | Trojanized NSIS installers masquerading as Chrome, Teams, and other trusted software
Loader behavior      | Drops a malicious DLL and encrypted data, then advances via in-memory execution
Evasion              | DLL side-loading, regsvr32 abuse, code injection, signed-driver use, PPL abuse
Privilege activity   | Enables SeDebugPrivilege, inspects token data, uses service-related execution paths
Final payload        | Modified gh0st RAT
Main target profile  | Chinese-speaking users, with emphasis on software popular in that ecosystem

The table above reflects the overlap between Elastic’s malware analysis and AttackIQ’s April 2026 emulation mapping.

What defenders should watch for

Security teams should look closely at DLL loads that originate from unusual paths but execute inside trusted processes. They should also flag suspicious regsvr32 launches, especially when no direct user action explains them, and review service creation or service start events tied to new or unexpected binaries.

Monitoring for privilege changes also matters here. AttackIQ specifically maps SeDebugPrivilege enablement and token inspection behavior, which gives defenders concrete telemetry points to hunt for in endpoint logs and EDR workflows.

Because RoningLoader uses layered evasion, one blocked step does not always stop the chain. That makes adversary emulation and control validation useful here, especially when defenders want to confirm that detections still fire after process injection, trusted-binary abuse, or service-based execution attempts.

Defensive priorities

  • Watch for unexpected DLL side-loading tied to legitimate executables.
  • Investigate regsvr32 activity that does not match normal admin or software deployment behavior.
  • Alert on new service creation and suspicious service starts from recently dropped binaries.
  • Track privilege changes involving SeDebugPrivilege and unusual token inspection activity.
  • Validate protections against signed-driver abuse and Defender tampering scenarios.
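The four watch points above (side-loaded DLLs in trusted processes, unexplained regsvr32 launches, services installed from dropped binaries, SeDebugPrivilege enablement) can be turned into simple triage rules over endpoint telemetry. The script below is an added example, not code from Elastic or AttackIQ; it runs over constructed Sysmon-style and Windows Security events (IDs 7, 1, 7045, 4703) with heuristic path and parent-process lists that are assumptions for this illustration, not campaign indicators.

```python
from pathlib import PureWindowsPath

# Assumed trusted install locations (heuristic for this example only).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")
# Path fragments that mark user-writable locations where dropped binaries usually land.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Parents that plausibly explain a regsvr32 launch (user shell or MSI deployment).
EXPECTED_REGSVR32_PARENTS = {"explorer.exe", "msiexec.exe"}

def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)

def in_user_writable(path):
    return any(frag in path.lower() for frag in USER_WRITABLE)

def triage(events):
    """Return (rule, detail) pairs for events that match one of the four watch points."""
    hits = []
    for ev in events:
        eid = ev["EventID"]
        # Sysmon 7 (ImageLoad): DLL from a user-writable path loaded by a trusted-location process.
        if eid == 7 and in_trusted_dir(ev["Image"]) and in_user_writable(ev["ImageLoaded"]):
            hits.append(("dll_sideload", f"{ev['Image']} loaded {ev['ImageLoaded']}"))
        # Sysmon 1 (ProcessCreate): regsvr32 started by a parent that is not a user shell or installer.
        elif eid == 1 and PureWindowsPath(ev["Image"]).name.lower() == "regsvr32.exe":
            parent = PureWindowsPath(ev["ParentImage"]).name.lower()
            if parent not in EXPECTED_REGSVR32_PARENTS:
                hits.append(("regsvr32_unexplained", f"parent {ev['ParentImage']}: {ev['CommandLine']}"))
        # System 7045 (service installed): service binary lives in a user-writable location.
        elif eid == 7045 and in_user_writable(ev["ImagePath"]):
            hits.append(("service_from_dropped_binary", f"{ev['ServiceName']} -> {ev['ImagePath']}"))
        # Security 4703 (token right adjusted): SeDebugPrivilege was enabled on a token.
        elif eid == 4703 and "sedebugprivilege" in ev.get("EnabledPrivilegeList", "").lower():
            hits.append(("sedebug_enabled", ev["ProcessName"]))
    return hits

# Constructed sample events for the demo; file names and paths are made up, not campaign IoCs.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\nst1234.tmp\helper.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Users\victim\Downloads\ChromeSetup.exe",
     "CommandLine": r"regsvr32 /s C:\Users\victim\AppData\Local\Temp\helper.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"regsvr32 /s C:\Windows\System32\ok.dll"},
    {"EventID": 7045, "ServiceName": "UpdateSvc", "ImagePath": r"C:\ProgramData\UpdateSvc\upd.exe"},
    {"EventID": 4703, "ProcessName": r"C:\Users\victim\Downloads\ChromeSetup.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Against the sample set, the second ImageLoad (kernel32.dll from System32) and the explorer-spawned regsvr32 are correctly left alone; the remaining four events each produce one hit.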

FAQ

What is RoningLoader?

RoningLoader is a multi-stage malware loader linked to DragonBreath, or APT-Q-27. Elastic says it delivers a modified gh0st RAT and uses several evasion methods to disable or bypass security tools.

How does the malware reach victims?

The campaign uses trojanized NSIS installers disguised as trusted software. Elastic specifically documented lures posing as Google Chrome and Microsoft Teams.

Is this a newly discovered malware family?

Elastic publicly documented RoningLoader in November 2025. What is new this week is AttackIQ’s April 7, 2026 emulation update, which helps defenders test whether their controls can catch the observed behavior.

What is the final payload?

Elastic says the malware chain ends with a modified gh0st RAT variant, which can give attackers remote access to infected systems.
