RONINGLOADER: DragonBreath's New Path to PPL Abuse

Elastic Security Labs uncovered a campaign by DragonBreath APT using a multi-stage loader named RONINGLOADER to deploy an updated gh0st RAT variant. The malware employs various evasion techniques targeting Chinese EDR tools, including signed driver abuse, thread-pool injection, and PPL exploitation to disable Microsoft Defender. The infection chain begins with trojanized NSIS installers masquerading as legitimate software. RONINGLOADER leverages multiple stages to terminate antivirus processes, apply custom WDAC policies, and inject the final payload into trusted system processes. The campaign demonstrates an evolution in DragonBreath's tactics, showcasing adaptability and sophisticated evasion methods.

Pulse ID: 691d85c636ef7e742328d734
Pulse Link: https://otx.alienvault.com/pulse/691d85c636ef7e742328d734
Pulse Author: AlienVault
Created: 2025-11-19 08:54:30

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Chinese #CyberSecurity #EDR #ElasticSecurityLabs #ICS #InfoSec #Malware #Microsoft #MicrosoftDefender #OTX #OpenThreatExchange #RAT #Rust #Trojan #bot #AlienVault

LevelBlue - Open Threat Exchange


RT by @SwiftOnSecurity: 🚀 New in Microsoft Defender for Office 365

Security teams can now trigger key email remediation actions: Submit to Microsoft, Add to allow/block list, and Initiate automated investigation, directly from the Advanced Hunting interface.

No policy changes needed. Enabled by default since Nov 10, 2025.

Streamlined threat response, powered by your queries.

#MicrosoftDefender #AdvancedHunting #CyberSecurity #incidentresponse

๐Ÿฆ๐Ÿ”—: https://nitter.oksocial.net/0x534c/status/1988608813323411545#m

[2025/11/12 14:04]

Microsoft Defender for Endpoint delivers industry-leading anti-virus protection, but navigating its licensing tiers, pricing models, and feature sets can be incredibly confusing.

Join us today on Defender Fridays with Ken Westin, Senior Solutions Engineer at LimaCharlie, as we break down:

> The differences between the various tiers

> Ways to solve Defender visibility issues and increase operational transparency.

> How its capabilities can be customized and expanded for better flexibility and scalability for service providers

This is an interactive session - bring your questions and let's explore the benefits and drawbacks together.

#defenders #cybersecurity #microsoftdefender #infosec

Tomorrow, October 15th at 10am PT - hands-on workshop on Microsoft Defender automation.

We'll demonstrate how to augment Windows Defender Antivirus with centralized management capabilities that eliminate manual processes and accelerate threat detection.

What we'll cover:

> Verify Defender deployment status across your entire Windows infrastructure in seconds
> Capture endpoint security events at wire speed without relying on Microsoft's collection timelines
> Execute AV scans remotely across endpoints or schedule them to run automatically
> Configure detection and response rules tailored to your environment's specific needs

Final reminder: This is a live session and will not be recorded.

Register: https://limacharlie.wistia.com/live/events/su08f1kjsa?utm_campaign=virtual+workshop+microsoft+defender+10+15+25&utm_source=mastodon&utm_medium=social

#cybersecurity #secops #microsoftdefender

#MicrosoftDefender full scan on #Windows11 is not a good experience so far.

Want better visibility and control over Microsoft Defender?

We're running a hands-on virtual workshop on augmenting Windows Defender Antivirus with centralized management and automation capabilities using the SecOps Cloud Platform.

Session agenda:

> Gathering telemetry quicker than Microsoft's native collection methods
> Controlling instances across endpoints from a single interface
> Automating log collection at scale
> Enriching detection capabilities with custom rules
> Leveraging data retention to improve investigation speed

This session will not be recorded. Register now: https://limacharlie.wistia.com/live/events/su08f1kjsa?utm_campaign=virtual+workshop+microsoft+defender+10+15+25&utm_source=mastodon&utm_medium=social

#cybersecurity #secops #microsoftdefender

Microsoft Defender is stirring up trouble: bogus BIOS alerts, misflagged emails, even Mac crashes. Can your trusted security tool really keep up when glitches hit?

https://thedefendopsdiaries.com/microsoft-defender-navigating-recent-bugs-and-the-ongoing-challenge-of-security-software-reliability/

#microsoftdefender
#securitysoftware
#falsepositives
#cybersecuritynews
#machinelearningsecurity

Microsoft Defender: Navigating Recent Bugs and the Ongoing Challenge of Security Software Reliability

Explore recent Microsoft Defender bugs, false positives, and the challenges of maintaining reliable, cross-platform security software in 2024.

The DefendOps Diaries

Handing out standing access in Defender XDR? Try PIM-for-Groups + RBAC.
My colleague Matt Novitsch posted a clean, screenshot-driven guide to enable just-in-time SecOps access across Defender workloads. Time-boxed, auditable, least-privilege. #EntraID #PIM #MicrosoftDefender #XDR #RBAC #ZeroTrust

Microsoft Teams is leveling up its security game by flagging sketchy links in chats. Could this be the breakthrough your team's been waiting for against phishing and malware?

https://thedefendopsdiaries.com/enhancing-security-in-microsoft-teams-malicious-link-warnings-and-beyond/

#microsoftteams
#cybersecurity
#maliciouslinks
#phishingprotection
#microsoftdefender

Microsoft Patch Day: Azure, Office, Windows & Co. are vulnerable

So that attackers cannot exploit security vulnerabilities, admins must make sure that Windows Update is active: there are important security patches.

heise online