
Gh0st RAT Multi-Campaign Delivery Surge Targets Chinese Speakers

Amber | Attack Report



Summary

Dragon Breath, the APT group also tracked as Golden Eye Dog and APT-Q-27, has run a series of malware campaigns since February 2025 against Chinese-speaking users worldwide. The actor delivers modified Gh0st RAT variants through RONINGLOADER, a multi-stage loader packaged in trojanized NSIS installers that pose as trusted software such as Google Chrome, Microsoft Teams, i4tools, Youdao, DeepSeek, QQ Music and the Sogou browser. Delivery relies on brand impersonation across thousands of disposable domains, with victims concentrated in the technology, entertainment and high-tech sectors. To reach the endpoint undetected, the loader ships a legitimately signed driver, enforces a custom Windows Defender Application Control (WDAC) policy and abuses Protected Process Light (PPL) to interfere with Microsoft Defender. The activity falls into two phases: Campaign Trio (February to March 2025), which spanned more than 2,000 domains, and Campaign Chorus (from May 2025), which widened the lure set to more than 40 impersonated applications. Hive Pro rates this Gh0st RAT activity Amber under threat advisory TA2025352.

Attack Details

Dragon Breath APT-Q-27 Multi-Stage Loader Deployment

Dragon Breath (APT-Q-27) deploys RONINGLOADER, a multi-stage loader whose final payload is a modified Gh0st RAT. The delivery vehicle is a trojanized installer built with the Nullsoft Scriptable Install System (NSIS), a legitimate Windows installer framework. The actor packages Gh0st RAT inside installers that pose as Google Chrome, Microsoft Teams and other widely used applications, so the victim sees a familiar setup program rather than anything unusual.

Advanced Defense Evasion Techniques

The loader stacks several redundant bypasses so that defeating one does not restore protection. The malicious NSIS package carries a legitimately signed driver, installs a custom Windows Defender Application Control (WDAC) policy and abuses Protected Process Light (PPL) to interfere with Microsoft Defender. A valid Authenticode signature on the driver is not evidence that it is benign; it only means the loader does not have to defeat Driver Signature Enforcement. When run, the outer NSIS installer acts as a dropper for two further embedded NSIS installers: one installs the genuine application so the lure behaves as expected, and the other runs the Gh0st RAT deployment chain.
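The nested-installer layout described above can be checked statically before anything is executed. The following PowerShell function is an added example written for this page; it is not tooling from Hive Pro, Elastic or Unit 42. It assumes 7-Zip (7z.exe) is on PATH to unpack the NSIS container (recent 7-Zip releases no longer recover the install script, so only the payload files are examined), and the file names in the usage line are hypothetical. For each extracted file it records the SHA256 hash against a supplied IoC list, whether the file is itself an NSIS installer (the lure copy and the malicious copy both are), whether it is a kernel driver, and the Authenticode signature status and signer.

```powershell
# Added example, not from the advisory or its references: static triage of a suspected trojanized NSIS installer.
# Requires 7z.exe on PATH. Run on an analysis machine, never on the host under investigation.
function Get-NsisTriage {
    param(
        [Parameter(Mandatory)] [string]   $InstallerPath,
        [string]   $OutDir      = (Join-Path $env:TEMP ('nsis-triage-' + [guid]::NewGuid())),
        [string[]] $KnownHashes = @()    # SHA256 IoCs, lower-case; e.g. the hashes in this advisory
    )

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    & 7z x -y "-o$OutDir" $InstallerPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "7z failed to unpack $InstallerPath (exit code $LASTEXITCODE)" }

    foreach ($f in Get-ChildItem -Path $OutDir -Recurse -File) {
        $sha = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash.ToLowerInvariant()

        # NSIS binaries carry the literal "Nullsoft" string; a hit here is an embedded installer.
        $isNsis = Select-String -Path $f.FullName -Pattern 'Nullsoft' -Quiet -ErrorAction SilentlyContinue

        # Signature status and signer for PE files. "Valid" only means a CA-issued certificate signed it;
        # a legitimately signed driver is exactly what this loader abuses, so do not treat Valid as safe.
        $sig = $null
        if ($f.Extension -in '.exe', '.dll', '.sys') {
            $s   = Get-AuthenticodeSignature -FilePath $f.FullName
            $cn  = ($s.SignerCertificate.Subject -replace '^CN=', '' -split ',')[0]
            $sig = '{0} ({1})' -f $s.Status, $cn
        }

        [pscustomobject]@{
            File         = $f.FullName.Substring($OutDir.Length).TrimStart('\')
            SizeKB       = [math]::Round($f.Length / 1KB)
            SHA256       = $sha
            KnownIoC     = ($KnownHashes -contains $sha)
            NestedNsis   = [bool]$isNsis
            KernelDriver = ($f.Extension -eq '.sys')
            Signature    = $sig
        }
    }
}

# Usage (hypothetical file names): hash list is one lower-case SHA256 per line.
# Get-NsisTriage -InstallerPath .\ChromeSetup.exe -KnownHashes (Get-Content .\ioc-sha256.txt) | Format-Table -AutoSize
```

Two embedded installers, a .sys file and a Valid signature from a vendor that has nothing to do with the application being installed is the profile this advisory describes; extracted nested installers can be fed back into the same function.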

Gh0st RAT Capabilities and Command-and-Control

The modified Gh0st RAT polls its command-and-control servers for tasking and offers broad control of the host. Supported commands include modifying the registry, clearing Windows event logs, downloading and running files from attacker-supplied URLs, manipulating the clipboard and executing commands through cmd.exe. The sample also injects shellcode into svchost.exe, launches payloads staged on disk, and runs keylogging, clipboard-capture and active-window-title tracking modules for continuous surveillance of the victim.

Campaign Trio Brand Impersonation Operation

Campaign Trio, the first phase, ran from February to March 2025 and relied on large-scale brand impersonation against Chinese-speaking users. Dragon Breath registered more than 2,000 malicious domains mimicking three brands, with the same lures and multi-stage delivery chain reused across the whole set. i4tools, a Chinese-language utility for managing Apple mobile devices, was the most impersonated brand at more than 1,400 domains; more than 600 domains impersonated Youdao, a widely used Chinese dictionary and translation service; and five impersonated DeepSeek, riding interest in current AI products.

Campaign Chorus Expansion and Infrastructure

Campaign Chorus began in May 2025 and widened the lure set from the original three brands to more than 40 applications. It arrived in two waves: Wave 1, on May 15, 2025, registered 40 domains with the "guwaanzh" prefix, and Wave 2, from May 26 to 28, 2025, registered 51 domains with the "xiazaizhadia" prefix. The pace and turnover of registrations show a burn-and-churn model in which domains are disposable: Dragon Breath keeps the operation resilient by continually replenishing infrastructure and spreading it across the major Chinese-speaking territories.

Recommendations

Forensic Log and Registry Analysis

Search Windows event logs for service creation, driver loading and process-termination events that reference "xererre1", "ollama" or "MicrosoftSoftware2ShadowCop4yProvider". In the registry, check HKEY_CURRENT_USER\offlinekey for the clipboard hijacker's configuration and HKEY_LOCAL_MACHINE for Windows Defender Application Control (WDAC) policy settings you did not deploy. Because active WDAC policies are stored as files under %SystemRoot%\System32\CodeIntegrity rather than in the registry alone, review that directory as well and treat any policy written during the suspected infection window as a finding. Repeating these checks on a schedule gives early warning of RONINGLOADER deployment and Gh0st RAT infection.
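The checks above collected into one host-triage function, as an added example for this page (not Hive Pro tooling). It runs in an elevated PowerShell session on the host under review. The indicator strings and the HKCU\offlinekey path are the advisory's; the event IDs, the CodeIntegrity directory and the Defender cmdlet are standard Windows locations. It assumes Sysmon may or may not be installed (the Sysmon-based driver-load and svchost injection checks are skipped when its log is absent, and Sysmon only records Event ID 8 if the deployed configuration enables it), and it assumes WDAC policies in your estate are deployed by Group Policy, which records the policy path under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard; adjust that check for other deployment methods.

```powershell
# Added example, not from the advisory or its references: host triage for the RONINGLOADER / Gh0st RAT indicators.
# Run elevated. Everything is read-only; nothing is remediated here.
function Invoke-GhostRatTriage {
    param([int] $LookbackDays = 30)

    $indicators = @('xererre1', 'ollama', 'MicrosoftSoftware2ShadowCop4yProvider')   # from the advisory
    $pattern    = ($indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $since      = (Get-Date).AddDays(-$LookbackDays)
    $result     = [ordered]@{}

    # 1. Service installs (7045 also covers kernel-mode driver services) and service state changes (7036).
    $result.ServiceEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045, 7036; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, Id, Message

    # 2. Anything still registered under those names or binary paths.
    $result.Services = Get-CimInstance Win32_Service      | Where-Object { $_.Name -match $pattern -or $_.PathName -match $pattern }
    $result.Drivers  = Get-CimInstance Win32_SystemDriver | Where-Object { $_.Name -match $pattern -or $_.PathName -match $pattern }

    # 3. Sysmon, if present: driver loads (6) naming the indicators, and remote threads (8) created in svchost.exe
    #    by a source image outside C:\Windows, which is the injection pattern described for this Gh0st RAT build.
    if (Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational' -ErrorAction SilentlyContinue) {
        $sysmon = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6, 8; StartTime = $since } -ErrorAction SilentlyContinue
        $result.DriverLoads      = $sysmon | Where-Object { $_.Id -eq 6 -and $_.Message -match $pattern }
        $result.SvchostInjection = $sysmon | Where-Object {
            $_.Id -eq 8 -and
            $_.Message -match 'TargetImage: .*\\svchost\.exe' -and
            $_.Message -notmatch 'SourceImage: C:\\Windows\\'
        }
    }

    # 4. Defender itself is what the PPL and WDAC tricks target: confirm the engine and real-time protection are up.
    $result.DefenderRunning = $null
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
        $result.DefenderRunning = [bool]($mp -and $mp.AMServiceEnabled -and $mp.RealTimeProtectionEnabled)
    }

    # 5. Clipboard-hijacker configuration (current user only; load other users' hives under HKU: to cover them).
    $result.OfflineKey = Get-ItemProperty -Path 'HKCU:\offlinekey' -ErrorAction SilentlyContinue

    # 6. WDAC: the GPO-recorded policy path (assumption: GPO deployment) and the active policy files.
    #    A .cip written in the infection window that you did not deploy is the finding; on Windows 11 22H2+
    #    'citool --list-policies' shows the same set with policy IDs and enforcement mode.
    $result.WdacGpoPath   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty ConfigCIPolicyFilePath -ErrorAction SilentlyContinue
    $result.WdacPolicies  = Get-ChildItem -Path "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active" -Filter '*.cip' -ErrorAction SilentlyContinue |
        Select-Object Name, LastWriteTime, Length
    $result.LegacyPolicy  = Get-Item -Path "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b" -ErrorAction SilentlyContinue |
        Select-Object Name, LastWriteTime, Length

    [pscustomobject]$result
}

Invoke-GhostRatTriage | Format-List
```

An empty result for every check is not a clean bill of health on its own: Gh0st RAT can clear the event logs it would otherwise appear in, so pair these host checks with the network indicators below and with logs forwarded off the host before the suspected infection.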

Increase Behavioral Endpoint Monitoring

Deploy continuous endpoint monitoring with behavioural analytics tuned for the injection patterns, driver tampering and security-control termination that Gh0st RAT and RONINGLOADER exhibit. Keep endpoints patched, but do not rely on patching alone: the loader's driver carries a legitimate signature, so constrain it with Microsoft's recommended driver block rules and a WDAC policy that allows only the kernel drivers you deploy. Monitoring should flag NSIS installers that spawn further installers, Protected Process Light abuse and unexpected driver loads, which are the behaviours these campaigns depend on.

Reinforce Recovery and Containment Architecture

Strengthen backup and disaster-recovery processes so that a host compromised by Gh0st RAT can be rebuilt cleanly rather than cleaned in place; with a custom WDAC policy and a kernel driver in play, reimaging is the safer end state. Segment the network to limit lateral movement during a multi-stage loader incident, and keep incident-response playbooks that cover the WDAC policy manipulation and PPL abuse seen here. Test containment procedures regularly against these techniques.

Indicators of Compromise (IoCs)

IPv4 Addresses

95[.]173[.]197[.]195, 156[.]251[.]25[.]43, 156[.]251[.]25[.]112, 154[.]82[.]84[.]227, 103[.]181[.]134[.]138

Malicious Domains

yqmqhjgn[.]com, youdaxxyzy[.]top, youdaxxyzr[.]top, youdaxxddxk[.]top, youdaqqaavw[.]top, youdaovavxl[.]top, youdaovavxk[.]top, youdaoooossj[.]top, youdaohhzi[.]top, ydbaoo52[.]cyou, ydbao11[.]cyou, xiazaizhadia9[.]cyou, xiazaizhadia8[.]cyou, xiazaizhadia51[.]cyou, xiazaizhadia50[.]cyou, xiazaizhadia46[.]cyou, xiazaizhadia44[.]cyou, xiazaizhadia42[.]cyou, xiazaizhadia41[.]cyou, xiazaizhadia40[.]cyou, xiazaizhadia39[.]cyou, xiazaizhadia37[.]cyou, xiazaizhadia36[.]cyou, xiazaizhadia35[.]cyou, xiazaizhadia34[.]cyou, xiazaizhadia33[.]cyou, xiazaizhadia31[.]cyou, xiazaizhadia30[.]cyou, xiazaizhadia29[.]cyou, xiazaizhadia27[.]cyou, xiazaizhadia24[.]cyou, xiazaizhadia22[.]cyou, xiazaizhadia21[.]cyou, xiazaizhadia20[.]cyou, xiazaizhadia2[.]cyou, xiazaizhadia19[.]cyou, xiazaizhadia18[.]cyou, xiazaizhadia16[.]cyou, xiazaizhadia12[.]cyou, xiazaizhadia11[.]cyou, xiazaizhadia10[.]cyou, xiazaizhadia1[.]cyou, xiazailianjieoss[.]com, xiaofeige[.]icu, xiaobaituziha[.]com, qishuiyinyque-vip[.]top, i4toolsuuozp[.]top, i4toolsuuoxk[.]top, i4toolsllsk[.]top, i4toolsearch[.]vip, i4toolscaczu[.]top, i4toolscacvi[.]top, i4toolscacsm[.]top, i4[.]llllxiazai-web[.]vip, guwaanzh8[.]cyou, guwaanzh35[.]cyou, guwaanzh34[.]cyou, guwaanzh25[.]cyou, guwaanzh24[.]cyou, guwaanzh21[.]cyou, guwaanzh20[.]cyou, guwaanzh2[.]cyou, guwaanzh1[.]cyou, fs-im-kefu[.]7moor-fs1[.]com, djbzdhygj[.]com, deep-seek[.]rest, anydesk-www[.]cyou, 1235saddfs[.]icu
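The domain list above and the naming conventions described under Campaign Trio and Campaign Chorus (numbered "guwaanzh" and "xiazaizhadia" hosts on .cyou, brand names padded with random letters on .top, .cyou and .vip) can be turned into a DNS-log hunt. The function below is an added example for this page, not Hive Pro's or Unit 42's code. The log format is a constructed "<timestamp> <client> <qname>" layout, so the parser will need adjusting to your resolver's export; the short $KnownBad list is a subset of the IoCs above and would be loaded from a file in practice; and pattern matches on domains not in the published list are hunting leads to verify, not confirmed indicators.

```powershell
# Added example, not from the advisory or its references: hunt DNS query logs for the listed domains
# and for the campaign's disposable-domain naming pattern.

# Subset of the advisory's domain IoCs (defanged brackets removed). Load the full list from a file in practice.
$KnownBad = @('xiazaizhadia40.cyou', 'guwaanzh8.cyou', 'deep-seek.rest', 'i4toolsearch.vip', 'youdaohhzi.top')

# Campaign Chorus waves used numbered "guwaanzh" / "xiazaizhadia" hosts on .cyou; Campaign Trio padded the
# i4tools, youdao and ydbao brand strings with random letters on cheap TLDs. Neither brand uses these TLDs.
$PrefixPattern = '^(guwaanzh|xiazaizhadia)\d+\.cyou$|^(i4tools|youdao|youda|ydbao)[a-z0-9]*\.(top|cyou|vip)$'

# Genuine brand apex domains: never report these or their subdomains.
$Allow = @('youdao.com', 'i4.cn')

function Find-CampaignDomains {
    param([Parameter(Mandatory)] [string[]] $LogLines)

    foreach ($line in $LogLines) {
        $parts = $line.Trim() -split '\s+'
        if ($parts.Count -lt 3) { continue }          # malformed line, skip
        $qname = $parts[2].TrimEnd('.').ToLowerInvariant()

        if ($Allow | Where-Object { $qname -eq $_ -or $qname.EndsWith(".$_") }) { continue }

        $reason = $null
        if     ($KnownBad -contains $qname)      { $reason = 'exact IoC' }
        elseif ($qname -match $PrefixPattern)    { $reason = 'campaign naming pattern (verify)' }

        if ($reason) {
            [pscustomobject]@{ Time = $parts[0]; Client = $parts[1]; Query = $qname; Reason = $reason }
        }
    }
}

# Constructed sample log lines (not real telemetry) covering each branch.
$sample = @(
    '2025-05-27T10:14:02Z 10.1.2.33 xiazaizhadia40.cyou',   # exact IoC
    '2025-05-27T10:14:05Z 10.1.2.33 guwaanzh12.cyou',       # not in the list, caught by the Wave 1 pattern
    '2025-05-27T10:15:10Z 10.1.2.41 dict.youdao.com',       # genuine Youdao, must not match
    '2025-05-27T10:16:00Z 10.1.2.41 i4toolscacsm.top',      # in the advisory list; the pattern catches it here
    '2025-05-27T10:17:21Z 10.1.2.50 www.microsoft.com'      # unrelated
)

Find-CampaignDomains -LogLines $sample | Format-Table -AutoSize
# Expected: three rows (xiazaizhadia40.cyou, guwaanzh12.cyou, i4toolscacsm.top); the Youdao and Microsoft queries are not reported.
```

Because the actor burns through domains faster than any published list can track, the pattern branch is what catches the next wave; review those hits against registration dates and hosting (the IPv4 addresses above are a starting point) before adding them to blocklists.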

SHA256 File Hashes

e8c058acfa2518ddc7828304cf314b6dd49717e9a291ca32ba185c44937c422b, dbe70991750c6dd665b281c27f7be40afea8b5718b097e43cd041d698706ade4, c37d0c9c9da830e6173b71a3bcc5203fbb66241ccd7d704b3a1d809cadd551b2, bd4635d582413f84ac83adbb4b449b18bac4fc87ca000d0c7be84ad0f9caf68e, bc6fb2eab9ed8d9eb405f6186d08e85be8b1308d207970cc41cf90477aa79064, 7267a303abb5fcae2e6f5c3ecf3b50d204f760dabdfc5600bd248fcfad3fc133, 495ea08268fd9cf52643a986b7b035415660eb411d8484e2c3b54e2c4e466a58, 491872a50b8db56d6a5ef1ccabe8702fb7763da4fd3b474d20ae0c98969acfe5, 299e6791e4eb85617c4fab7f27ac53fb70cd038671f011007831b558c318b369, 2232612b09b636698afcdb995b822adf21c34fb8979dd63f8d01f0d038acb454, 1c3f2530b2764754045039066d2c277dff4efabd4f15f2944e30b10e82f443c0, 18a21dbc327484b8accbd4a6d7b18608390a69033647099f807fdbfdcfff7e6d, 1395627eca4ca8229c3e7da0a48a36d130ce6b016bb6da750b3d992888b20ab8

MITRE ATT&CK TTPs

Initial Access and Execution

TA0001 Initial Access: T1566 Phishing, T1204 User Execution, T1204.002 Malicious File

TA0002 Execution: T1059 Command and Scripting Interpreter, T1059.003 Windows Command Shell, T1059.001 PowerShell, T1059.005 Visual Basic, T1569 System Services, T1569.002 Service Execution, T1218 System Binary Proxy Execution, T1218.007 Msiexec

Persistence and Privilege Escalation

TA0003 Persistence: T1543 Create or Modify System Process, T1543.003 Windows Service

TA0004 Privilege Escalation: T1548 Abuse Elevation Control Mechanism, T1548.002 Bypass User Account Control, T1134 Access Token Manipulation

Defense Evasion

TA0005 Defense Evasion: T1562 Impair Defenses, T1562.001 Disable or Modify Tools, T1562.004 Disable or Modify System Firewall, T1070 Indicator Removal, T1070.001 Clear Windows Event Logs, T1574 Hijack Execution Flow, T1574.001 DLL, T1055 Process Injection, T1036 Masquerading, T1036.005 Match Legitimate Resource Name or Location, T1112 Modify Registry, T1553 Subvert Trust Controls, T1553.006 Code Signing Policy Modification

Credential Access and Discovery

TA0006 Credential Access: T1056 Input Capture, T1056.001 Keylogging, T1115 Clipboard Data

TA0007 Discovery: T1057 Process Discovery, T1082 System Information Discovery, T1033 System Owner/User Discovery, T1518 Software Discovery, T1518.001 Security Software Discovery

Collection, Command-and-Control, and Impact

TA0009 Collection: T1115 Clipboard Data, T1056.001 Keylogging

TA0011 Command and Control: T1095 Non-Application Layer Protocol, T1573 Encrypted Channel, T1573.001 Symmetric Cryptography, T1071 Application Layer Protocol, T1071.001 Web Protocols

TA0040 Impact: no specific technique is listed; impact depends on the payloads the operator chooses to execute through the RAT

TA0042 Resource Development: T1583 Acquire Infrastructure

References

https://www.elastic.co/security-labs/roningloader

https://unit42.paloaltonetworks.com/impersonation-campaigns-deliver-gh0st-rat/

https://hivepro.com/threat-advisory/dragon-breath-apt-evolves-with-double-dll-sideloading/

https://hivepro.com/threat-advisory/hidden-in-plain-sight-the-abuse-of-nezha-and-the-ghost-rat-that-followed/
