RoningLoader Campaign Uses DLL Side-Loading, Code Injection to Slip Past Defenses
A sophisticated cyber-espionage group known as DragonBreath (APT-Q-27) has been linked to a new RoningLoader malware campaign that uses advanced evasion techniques such as DLL side-loading and code injection to bypass traditional security defenses.
Active since at least 2022, DragonBreath has steadily evolved its capabilities. Earlier campaigns were documented by QianXin and Sophos, but recent activity shows a sharper focus on stealth and persistence.
The group primarily targets Chinese-speaking users, with a particular interest in cryptocurrency applications and gaming-related VPN tools both popular and often less scrutinized attack surfaces.
At the center of this campaign is a modified version of the open-source Gh0st RAT, a well-known remote access trojan.
By customizing this malware and combining it with newer delivery and execution methods, DragonBreath has significantly increased its ability to remain undetected in compromised environments.
RoningLoader Campaign
Security firm AttackIQ has released a new attack graph simulating the RoningLoader campaign’s tactics, techniques, and procedures (TTPs).
This simulation is designed to help organizations test their defenses against real-world adversary behavior using its Adversarial Exposure Validation (AEV) platform.
One of the key highlights of the RoningLoader campaign is its use of DLL side-loading. In this technique, attackers place a malicious DLL file alongside a legitimate executable.
When the trusted application runs, it unknowingly loads the malicious DLL, allowing attackers to execute code without raising immediate suspicion. This method is particularly effective because it abuses trusted processes already allowed by security tools.
Another critical evasion tactic observed is code injection via the Windows APIs CreateRemoteThread and LoadLibrary.
This allows attackers to inject malicious code directly into legitimate processes, masking their activity and making detection much harder for endpoint security solutions.
The campaign also leverages multiple execution and persistence techniques. For example, attackers simulate service execution using Windows utilities like StartServiceA and sc.exe, which can also be used to escalate privileges to the SYSTEM level.
Additionally, they create new Windows services using CreateServiceA, ensuring persistence even after system reboots.
Privilege escalation is further supported by enabling sensitive permissions such as SeDebugPrivilege using native APIs. Attackers also inspect system tokens to determine user privilege levels, helping them decide their next steps within the compromised system.
To weaken defenses, DragonBreath disables User Account Control (UAC) via registry modifications and uses RegSvr32, a legitimate Windows tool, to execute malicious DLLs. These “living off the land” techniques allow attackers to blend in with normal system activity.
DLL side-loading with stealthy injection
Once inside a network, the malware performs discovery actions by enumerating running processes using native Windows APIs. This helps attackers understand the environment and identify high-value targets.
AttackIQ emphasizes that validating security controls against such behavior is critical. Their simulation enables organizations to test detection pipelines, evaluate defensive effectiveness, and continuously improve their security posture against stealthy threats like RoningLoader.
By moving beyond static vulnerability scanning and focusing on real adversary techniques, platforms like AttackIQ provide a more accurate picture of an organization’s exposure.
This approach allows security teams to prioritize risks, strengthen defenses, and respond more effectively to evolving threats.
The RoningLoader campaign highlights a growing trend: attackers are increasingly combining legitimate tools with advanced techniques to evade detection.
As threat actors like DragonBreath continue to refine their methods, organizations must adopt continuous validation strategies to stay ahead.