The threat actor known as Dragon Breath has been observed making use of a multi-stage loader codenamed RONINGLOADER to deliver a modified variant of a remote access trojan called Gh0st RAT. The campaign, which is primarily aimed at Chinese-speaking users, employs trojanized NSIS installers masquerading as legitimate like Google Chrome and Microsoft Teams, according to Elastic Security Labs. "The
![]()
source https://thehackernews.com/2025/11/dragon-breath-uses-roningloader-to.html
source https://thehackernews.com/2025/11/dragon-breath-uses-roningloader-to.html