Threat Research

RoningLoader is a new, advanced loader used in a recent DragonBreath (APT-Q-27) campaign that distributes a modified gh0st RAT through trojanized NSIS installers posing as legitimate apps like Chrome and Microsoft Teams....

We uncovered two linked 2025 malware campaigns that used large-scale brand impersonation to deliver Gh0st RAT variants to Chinese-speaking users. Across these operations, attackers evolved from simple droppers to multi-stage chains abusing legitimate signed software to evade defenses....

A recent intrusion beginning in August 2025 revealed China-nexus threat actors using a technique called log poisoning to deploy a China Chopper web shell on vulnerable web servers. The attackers used AntSword for control and introduced a lesser-known tool, Nezha, to run commands and later deploy Ghost RAT. This marks the first known use of Nezha in web compromises....

A malware campaign active since May 2025 has been targeting Chinese-speaking users, delivering multiple remote access trojans, including ValleyRAT, FatalRAT, and a newly identified variant dubbed kkRAT. kkRAT shares code similarities with Ghost RAT and Big Bad Wolf (大灰狼), commonly used by China-based threat actors....

In June 2025, two cyberattack campaigns—Operation GhostChat and Operation PhantomPrayers—targeted the Tibetan community, exploiting increased online activity surrounding the Dalai Lama's 90th birthday. Threat actors linked to a China-nexus APT group compromised a legitimate website to redirect users via malicious links....