
A new threat targeting Chinese users has appeared with a dangerous ability to shut down security tools.
RONINGLOADER, a multi-stage loader spreading a modified version of the gh0st RAT, uses clever tricks to bypass antivirus protection.
The malware arrives through fake software installers that pretend to be legitimate programs like Google Chrome and Microsoft Teams.
Once inside a system, it works through several layers of infection to disable Windows Defender and popular Chinese security products like Qihoo 360 Total Security and Huorong.
This campaign shows how attackers are getting better at breaking through security defenses. The malware brings its own signed driver that looks legitimate to Windows but actually helps it kill security processes.
What makes it dangerous is how many backup plans it has. If one method to disable security fails, it tries several other approaches.
This shows the Dragon Breath APT group behind it has learned from earlier campaigns and improved their methods.
While reviewing alerts from their detection systems, Elastic security analysts identified this campaign through a behavioral rule designed to spot abuse of Protected Process Light (PPL).
The research team found RONINGLOADER using a technique that had been publicly documented only months earlier. The malware abuses PPL, a Windows feature meant to protect important system processes, and turns it against Defender itself.
Attack Method and Infection Chain
The infection starts with a trojanized NSIS installer that drops multiple components onto the victim system. When someone runs what they think is a normal software installer, they actually activate two separate installers.
One installs the real software to avoid raising suspicion, while the second quietly deploys the attack chain.
The malware creates a directory at C:\Program Files\Snieoatwtregoable\ and drops two files: Snieoatwtregoable.dll and an encrypted file called tp.png.
The DLL decrypts tp.png using a simple but effective routine that combines XOR with a byte rotate; the decompiled loop body reads:
*encrypted_file_content = _ROR1_(*encrypted_file_content ^ xor_key[indx], 4);
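The following is an added example, not code from the malware or from Elastic's report: a Python reimplementation of that per-byte transform (XOR with a key byte, then rotate the byte right by 4) that an analyst could use to unpack a captured tp.png. The key, the key-indexing rule (wrap-around) and the sample ciphertext are assumptions constructed for the demonstration; the article does not give the real key.

```python
# Added example: reimplementation of the tp.png decryption loop described
# in the article (XOR with a key byte, then rotate the byte right by 4).
# Not the malware's own code. The key and ciphertext below are constructed
# for the demonstration; the real key is not given in the article.
import itertools


def ror8(value: int, bits: int) -> int:
    """Rotate an 8-bit value right by `bits`, as the decompiler's _ROR1_ does."""
    bits %= 8
    return ((value >> bits) | (value << (8 - bits))) & 0xFF


def rol8(value: int, bits: int) -> int:
    """Rotate an 8-bit value left by `bits` (inverse of ror8)."""
    bits %= 8
    return ((value << bits) | (value >> (8 - bits))) & 0xFF


def decrypt_tp_png(data: bytes, xor_key: bytes) -> bytes:
    """Apply the loader's per-byte transform: ROR1(byte ^ key[i], 4).

    The article does not say how the loader indexes the key, so the
    wrap-around (itertools.cycle) is an assumption.
    """
    if not xor_key:
        raise ValueError("xor_key must not be empty")
    return bytes(ror8(b ^ k, 4) for b, k in zip(data, itertools.cycle(xor_key)))


def encrypt_tp_png(data: bytes, xor_key: bytes) -> bytes:
    """Inverse transform, used here only to build a test sample: ROL(b, 4) ^ key."""
    if not xor_key:
        raise ValueError("xor_key must not be empty")
    return bytes(rol8(b, 4) ^ k for b, k in zip(data, itertools.cycle(xor_key)))


# Constructed sample: a fake payload with a PE-like "MZ" header.
SAMPLE_KEY = b"\x5a\xa5\x3c"
SAMPLE_PLAINTEXT = b"MZ\x90\x00" + b"constructed payload"
SAMPLE_CIPHERTEXT = encrypt_tp_png(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def looks_like_pe(data: bytes) -> bool:
    """Analyst sanity check after decryption: does the blob start with 'MZ'?"""
    return data[:2] == b"MZ"


if __name__ == "__main__":
    recovered = decrypt_tp_png(SAMPLE_CIPHERTEXT, SAMPLE_KEY)
    print("decrypted:", recovered, "PE header:", looks_like_pe(recovered))
```

Because a rotate by 4 on a byte is just a nibble swap, the whole scheme is trivially reversible once the key is recovered from the DLL, which is why a known-plaintext check such as the "MZ" header is enough to confirm a candidate key.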
After decryption, the malware loads fresh system libraries to remove any security hooks that might catch its behavior. It then elevates its privileges using the runas command and scans for running security software.
The malware looks explicitly for Microsoft Defender, Kingsoft Internet Security, Tencent PC Manager, and Qihoo 360 Total Security by checking their process names.
To kill these processes, RONINGLOADER uses a signed driver called ollama.sys that was digitally signed by Kunming Wuqi E-commerce Co., Ltd.
The driver registers a single function that accepts a process ID and terminates it using kernel-level APIs that normal security tools cannot block.
The malware writes this driver to disk, creates a temporary service to load it, sends the termination command, and immediately deletes the service.
For Qihoo 360, the malware takes extra steps by blocking all network connections through firewall rules before injecting code into the Volume Shadow Copy service process.
This injection uses Windows thread pools with file write triggers, a technique that helps it avoid detection.
