Emulating the Multi-Stage RoningLoader Malware
Summary: DragonBreath (APT-Q-27) uses a modified gh0st RAT against Chinese-speaking users, with a particular focus on cryptocurrency software and gaming VPN tools. AttackIQ has released a new attack graph that emulates the group's TTPs (service execution, privilege escalation, defense evasion and others) so defenders can validate their security controls.

2026-4-7 16:47:48 Author: securityboulevard.com

DragonBreath, also known as APT-Q-27, is a sophisticated threat actor distributing a modified variant of the open-source gh0st RAT, primarily targeting Chinese-speaking users. The group has been active since at least 2022, with campaigns documented by QianXin and Sophos in 2022–2023, and demonstrates a clear evolution in technical capability and adaptability in its more recent operations. Its targeting profile includes users of popular Chinese applications and platforms, with a particular interest in cryptocurrency-related software and gaming-focused VPN tools.

AttackIQ has released a new attack graph that emulates the Tactics, Techniques, and Procedures (TTPs) associated with the deployment of RoningLoader to help customers validate their security controls and their ability to defend against this threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new emulation in the AttackIQ Adversarial Exposure Validation (AEV) Platform, security teams will be able to:

  • Evaluate security control performance against baseline behaviors associated with RoningLoader.
  • Assess their security posture against a stealthy adversary that evades traditional detection mechanisms.
  • Continuously validate detection and prevention pipelines.

RoningLoader – 2025-11 – Associated Tactics, Techniques and Procedures (TTPs)

This emulation contains the Post-Compromise Tactics, Techniques, and Procedures (TTPs) exhibited by DragonBreath (APT-Q-27) during its most recent activities, as documented by Elastic Security Labs in November 2025.

Execution

Consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, such as exploring a network or stealing data.

Service Execution Using “StartServiceA” (T1569.002): This scenario executes the StartServiceA Windows API to simulate service execution, which can also be used to escalate privileges from Administrator to SYSTEM by modifying an existing service.

Service Execution using “sc.exe” (T1569.002): This scenario simulates service execution through the built-in sc.exe service-control utility rather than a direct API call. As with the API variant, the same mechanism can be used to escalate privileges from Administrator to SYSTEM by modifying an existing service.

Persistence

Consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

New! New Service using “CreateServiceA” (T1543.003): This scenario simulates the creation of a Windows service to help security analysts assess their ability to detect such events. The service will be created with a start mode set to “demand”, meaning it will only be executed if manually started.

Privilege Escalation

Consists of techniques that adversaries use to gain higher-level permissions on a system or network. Adversaries can often enter and explore a network with unprivileged access but require elevated permissions to follow through on their objectives. Common approaches are to take advantage of system weaknesses, misconfigurations, and vulnerabilities.

Enable “SeDebugPrivilege” Privilege via Native API (T1134): This scenario enables the SeDebugPrivilege privilege for the current process using the AdjustTokenPrivileges Windows API. AdjustTokenPrivileges can only enable a privilege that is already present, in a disabled state, on the token, as it is for an elevated administrator; it does not grant privileges a standard-user token lacks. It also returns success even when not every requested privilege was enabled, so a correct implementation checks GetLastError for ERROR_NOT_ALL_ASSIGNED.

Obtain System Token information via “GetTokenInformation” Windows API (T1134): This scenario simulates an inspection of the operating system’s access tokens via the GetTokenInformation Windows API call to determine whether the current user is a member of the Administrators group. Under UAC, a non-elevated administrator runs with a filtered token in which the Administrators SID carries the SE_GROUP_USE_FOR_DENY_ONLY attribute, so a reliable check inspects the group attributes (or queries the TokenElevation class) rather than merely testing for the SID’s presence.
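Of the two token scenarios above, only the AdjustTokenPrivileges call leaves a native audit record: Security event 4703 ("A user right was adjusted"), written when the "Audit Token Right Adjusted" subcategory is enabled. GetTokenInformation is a read-only query and generates no event, so that scenario is only visible through EDR API telemetry. The classifier below is an added example for this page, not AttackIQ's or Elastic's code; it consumes pre-parsed 4703 records (dict keys follow the event's EventData field names), the sample records are constructed, and the allowlist of system images and the severity rule are assumptions to tune per environment.

```python
"""Classify Security event 4703 records for sensitive privileges enabled outside platform processes.

4703 is written for every AdjustTokenPrivileges call and is extremely high volume, because
svchost, services.exe and similar components toggle rights constantly; an image allowlist is
therefore essential. Sample records are constructed for this example, not real telemetry.
"""
from __future__ import annotations
import re

# Privileges whose enablement by an unexpected process is worth investigating (assumption).
SENSITIVE_PRIVILEGES = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
                        "SeTakeOwnershipPrivilege"}

# Platform images that legitimately enable these rights all day (assumed allowlist; exact, lowercased).
ALLOWLISTED_IMAGES = {
    "c:\\windows\\system32\\svchost.exe", "c:\\windows\\system32\\services.exe",
    "c:\\windows\\system32\\lsass.exe", "c:\\windows\\system32\\csrss.exe",
    "c:\\windows\\system32\\wininit.exe", "c:\\windows\\system32\\taskhostw.exe",
}

def parse_privilege_list(raw: str) -> set[str]:
    """4703 renders the privilege list one name per line, tab-indented, or a lone '-' when empty."""
    return {p for p in re.split(r"[\s,]+", raw.strip()) if p and p != "-"}

def classify_4703(record: dict) -> dict | None:
    """Return a finding for a 4703 record that enables a sensitive privilege from a non-allowlisted image."""
    data = record["data"]
    hit = parse_privilege_list(data.get("EnabledPrivilegeList", "-")) & SENSITIVE_PRIVILEGES
    if not hit:
        return None
    image = data.get("ProcessName", "").lower()
    if image in ALLOWLISTED_IMAGES:
        return None
    # Binaries outside the OS and Program Files trees enabling SeDebugPrivilege are the strongest signal.
    in_system_tree = image.startswith(("c:\\windows\\", "c:\\program files"))
    return {
        "technique": "T1134",
        "severity": "medium" if in_system_tree else "high",
        "image": data.get("ProcessName"),
        "user": f"{data.get('SubjectDomainName')}\\{data.get('SubjectUserName')}",
        "privileges": sorted(hit),
    }

def scan_4703(records: list[dict]) -> list[dict]:
    """Classify every 4703 record in a mixed batch; other event IDs are ignored."""
    findings = []
    for r in records:
        if r.get("event_id") == 4703:
            f = classify_4703(r)
            if f:
                findings.append(f)
    return findings

SAMPLE_4703 = [   # constructed sample telemetry
    {"event_id": 4703, "data": {"SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
        "ProcessName": "C:\\Windows\\System32\\svchost.exe",
        "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"}},
    {"event_id": 4703, "data": {"SubjectDomainName": "WS01", "SubjectUserName": "alice",
        "ProcessName": "C:\\Users\\Public\\Libraries\\upd.exe",
        "EnabledPrivilegeList": "\n\t\t\tSeDebugPrivilege\n\t\t\tSeLoadDriverPrivilege",
        "DisabledPrivilegeList": "-"}},
    {"event_id": 4703, "data": {"SubjectDomainName": "WS01", "SubjectUserName": "alice",
        "ProcessName": "C:\\Program Files\\Vendor\\diag.exe",
        "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"}},
    {"event_id": 4703, "data": {"SubjectDomainName": "WS01", "SubjectUserName": "alice",
        "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "EnabledPrivilegeList": "SeIncreaseWorkingSetPrivilege", "DisabledPrivilegeList": "-"}},
    {"event_id": 4688, "data": {"NewProcessName": "C:\\Windows\\System32\\cmd.exe"}},
]

if __name__ == "__main__":
    for finding in scan_4703(SAMPLE_4703):
        print(finding)
```

On the constructed batch, the svchost record is suppressed by the allowlist, the PowerShell record enables nothing sensitive, and the two remaining records yield a high-severity finding for the binary under C:\Users\Public and a medium one for the vendor tool. Do not confuse 4703 with 4672 ("Special privileges assigned to new logon"): 4672 lists SeDebugPrivilege for every administrator logon regardless of whether it is ever enabled, which is what this scenario actually does.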

Defense Evasion

Consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts.

Code Injection via Load Library and Create Remote Thread (T1055.001): This scenario performs the injection of a Dynamic-link Library (DLL) into a process utilizing CreateRemoteThread and LoadLibrary.

DLL Side-Loading (T1574.002): This scenario leverages a legitimate and trusted executable to load a malicious Dynamic-link Library (DLL).

Disable UAC via Registry (T1548.002): This scenario disables the User Account Control (UAC) via the Windows registry.

Execute DLL Through RegSvr32 (T1218.010): RegSvr32 is a native Windows utility that threat actors can use to register Component Object Model (COM) DLLs. This functionality allows an actor to deploy a malicious DLL and have a native, typically signed and allowlisted, Windows tool execute the code as the parent process. This scenario executes RegSvr32 with an AttackIQ binary.
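Each of the four defense-evasion scenarios above maps to a distinct Sysmon event: the UAC registry change to event 13 (registry value set), CreateRemoteThread plus LoadLibrary to event 8 (which resolves the thread start address to an exported function name when it lands on one), DLL side-loading to event 7 (image load, with signature information), and RegSvr32 to event 1 (process creation). The rule set below is an added example for this page, not code from AttackIQ or Elastic; it consumes pre-parsed Sysmon records whose keys follow Sysmon's EventData field names, the sample events are constructed, and the list of commonly hijacked DLL names and the trusted-directory prefixes are assumptions.

```python
"""Sysmon-based detection rules for the defense-evasion scenarios (T1548.002, T1055.001, T1574.002, T1218.010).

Input records are dicts with Sysmon EventData field names. The sample events are constructed for
this example and are not real telemetry from RoningLoader or AttackIQ.
"""
from __future__ import annotations
import ntpath
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
UAC_KEY = "hklm\\software\\microsoft\\windows\\currentversion\\policies\\system\\"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}  # 0 weakens UAC
LOADLIBRARY_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
# DLL names that ship in System32; a copy loaded next to a signed EXE is the classic side-load (assumed list).
COMMONLY_HIJACKED = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wininet.dll", "userenv.dll", "msimg32.dll"}

def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()

def rule_uac_disabled(ev: dict):
    """T1548.002: Sysmon 13 setting a UAC policy value to 0. Sysmon renders DWORDs as 'DWORD (0x...)'."""
    d = ev["data"]
    target = d.get("TargetObject", "").lower()
    if d.get("EventType") != "SetValue" or not target.startswith(UAC_KEY):
        return None
    name = target.rsplit("\\", 1)[-1]
    m = re.match(r"DWORD \((0x[0-9a-f]+)\)", d.get("Details", ""), re.I)
    if name in UAC_VALUES and m and int(m.group(1), 16) == 0:
        return ("T1548.002", f"{d.get('Image')} set {name}=0 (takes effect at next logon/reboot)")
    return None

def rule_remote_loadlibrary(ev: dict):
    """T1055.001: Sysmon 8 where a thread is created in another process at a LoadLibrary export."""
    d = ev["data"]
    src, dst = d.get("SourceImage", ""), d.get("TargetImage", "")
    if d.get("StartFunction") in LOADLIBRARY_EXPORTS and src.lower() != dst.lower():
        return ("T1055.001", f"{src} created thread at {d['StartFunction']} in {dst}")
    return None

def rule_side_load(ev: dict):
    """T1574.002: Sysmon 7 where an EXE loads a well-known system DLL name from its own directory, unsigned."""
    d = ev["data"]
    exe, dll = d.get("Image", ""), d.get("ImageLoaded", "")
    if ntpath.basename(dll).lower() not in COMMONLY_HIJACKED or dll.lower().startswith(SYSTEM_DIRS):
        return None
    validly_signed = d.get("Signed", "false").lower() == "true" and d.get("SignatureStatus") == "Valid"
    if _dir(exe) == _dir(dll) and not validly_signed:
        return ("T1574.002", f"{exe} loaded unsigned {ntpath.basename(dll)} from its own directory")
    return None

def rule_regsvr32(ev: dict):
    """T1218.010: Sysmon 1 regsvr32 registering a module outside system/program directories or a remote scriptlet."""
    d = ev["data"]
    if ntpath.basename(d.get("Image", "")).lower() != "regsvr32.exe":
        return None
    args = [a.strip('"') for a in re.findall(r'"[^"]+"|\S+', d.get("CommandLine", ""))[1:]]
    for a in args:
        low = a.lower()
        if low.endswith((".dll", ".ocx", ".sct")) and not low.startswith(SYSTEM_DIRS + ("c:\\program files",)):
            return ("T1218.010", f"regsvr32 registering {a} (parent {d.get('ParentImage')})")
        if low.startswith("/i:http") or low.startswith("/i:\\\\"):
            return ("T1218.010", f"regsvr32 loading scriptlet from remote source: {a}")
    return None

RULES = {13: rule_uac_disabled, 8: rule_remote_loadlibrary, 7: rule_side_load, 1: rule_regsvr32}

def scan_sysmon(events: list[dict]) -> list[tuple[str, str]]:
    findings = []
    for ev in events:
        rule = RULES.get(ev.get("event_id"))
        hit = rule(ev) if rule else None
        if hit:
            findings.append(hit)
    return findings

SAMPLE_SYSMON = [   # constructed sample telemetry
    {"event_id": 13, "data": {"EventType": "SetValue", "Image": "C:\\Users\\Public\\Libraries\\upd.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
        "Details": "DWORD (0x00000000)"}},
    {"event_id": 13, "data": {"EventType": "SetValue", "Image": "C:\\Windows\\regedit.exe",
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
        "Details": "DWORD (0x00000001)"}},
    {"event_id": 8, "data": {"SourceImage": "C:\\Users\\Public\\Libraries\\upd.exe", "TargetImage": "C:\\Windows\\explorer.exe",
        "StartModule": "C:\\Windows\\System32\\KERNEL32.DLL", "StartFunction": "LoadLibraryW"}},
    {"event_id": 7, "data": {"Image": "C:\\Users\\Public\\Libraries\\gup.exe", "ImageLoaded": "C:\\Users\\Public\\Libraries\\version.dll",
        "Signed": "false", "SignatureStatus": "Unavailable"}},
    {"event_id": 7, "data": {"Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}},
    {"event_id": 1, "data": {"Image": "C:\\Windows\\System32\\regsvr32.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "CommandLine": 'regsvr32.exe /s "C:\\Users\\Public\\Libraries\\upd.dll"'}},
]

if __name__ == "__main__":
    for technique, text in scan_sysmon(SAMPLE_SYSMON):
        print(technique, text)
```

Against the constructed sample each rule fires exactly once, while the two benign records (EnableLUA restored to 1, and notepad loading the genuine version.dll from System32) are ignored. The side-load rule deliberately requires the DLL name to be one that normally lives in System32; without that constraint, every application loading its own unsigned helper DLL from its install directory would alert.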

Discovery

Consists of techniques that adversaries use to discover information related to the compromised environment.

Process Discovery via Native API (T1057): This scenario executes the CreateToolhelp32Snapshot Windows native API call to retrieve a snapshot of the running processes, then iterates through each process entry using Process32FirstW and Process32NextW. Because the snapshot is built without opening handles to the enumerated processes, this form of discovery leaves no Sysmon ProcessAccess (event 10) records; detecting it relies on endpoint API telemetry rather than native Windows logging.

Wrap-up

In summary, this emulation will evaluate security and incident response processes and support the improvement of your security control posture against the behaviors exhibited by RoningLoader. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ is the industry’s leading Continuous Threat Exposure Management (CTEM) platform, enabling organizations to measure true exposure, prioritize risk, and disrupt real-world attack paths. By moving beyond static vulnerability data, AttackIQ operationalizes CTEM by continuously validating exposures against real adversary behavior and defensive controls. The platform connects vulnerabilities, configurations, identities, and detections into adversary-validated attack paths—quantifying the likelihood of attacker movement and impact. This evidence-based approach empowers security leaders to focus on what matters most, optimize defensive investments, and strengthen resilience through threat-informed, AI-driven security operations.

The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free, award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.

*** This is a Security Bloggers Network syndicated blog from AttackIQ authored by Ayelen Torello. Read the original post at: https://www.attackiq.com/2026/04/07/roningloader-malware/


Source: https://securityboulevard.com/2026/04/emulating-the-multi-stage-roningloader-malware/