top of page

Dragon Breath APT group uses novel DLL side-loading technique in attacks

An advanced persistent threat (APT) actor known as Dragon Breath has been observed adding new layers of complexity to its attacks by adopting a novel DLL side-loading mechanism. "The attack is based on a classic side-loading attack, consisting of a clean application, a malicious loader, and an encrypted payload, with various modifications made to these components over time," Sophos researcher Gabor Szappanos said. "The latest campaigns add a twist in which a first-stage clean application 'side'-loads a second clean application and auto-executes it. The second clean application side-loads the malicious loader DLL. After that, the malicious loader DLL executes the final payload." Operation Dragon Breath, also tracked under the names APT-Q-27 and Golden Eye, was first documented by QiAnXin in 2020, detailing a watering hole campaign designed to trick users into downloading a trojanized Windows installer for Telegram. A subsequent campaign unearthed by the Chinese cybersecurity company in May 2022 highlighted the continued use of Telegram installers as a lure to deploy additional payloads such as gh0st RAT. Dragon Breath is also said to be part of a larger entity called Miuuti Group, with the adversary characterized as a "Chinese-speaking" entity targeting the online gaming and gambling industries, joining the likes of other Chinese activity clusters like Dragon Castling, Dragon Dance, and Earth Berberoka. While much is still unknown about Dragon Breath and their motives, what is certain is that they are a threat to be reckoned with. Their use of novel techniques and their persistence in carrying out attacks despite being detected makes them a dangerous APT group. Cybersecurity researchers and companies should continue to monitor Dragon Breath and their activities in order to better defend against their attacks.


bottom of page