Dragon Breath’s Leaked Driver Shatters Windows Security and Neutralizes EDRs
The Chinese cyber-espionage collective Dragon Breath, also recognized by the designation APT-Q-27, has purportedly acquired a formidable new instrument for infiltrating corporate infrastructures. According to a report by Ransom-ISAC, investigators identified a vulnerable driver, dragoncore_k.sys, bearing a valid Microsoft WHQL digital signature. This component empowers adversaries to dismantle Windows security protocols, effectively neutralizing antivirus solutions and Endpoint Detection and Response (EDR) systems.
Analysts posit that this discovery is inextricably linked not only to malicious infrastructure but also to a sophisticated network of shell corporations allegedly established to facilitate the legitimization of Chinese malware.
Forensic scrutiny revealed that the driver was authenticated by Zhengzhou 403 Network Technology Co., Ltd. Due to a critical flaw in the processing of IOCTL requests, the driver permits the termination of arbitrary processes at the Windows kernel level, including fortified system services and security products. An assailant possessing local administrative privileges can leverage this driver to suppress Microsoft Defender, CrowdStrike Falcon, SentinelOne, and analogous solutions without triggering system alerts.
The researchers contend that dragoncore_k.sys was engineered specifically as an offensive utility. Beyond its process-termination capabilities, the underlying code integrates mechanisms for sandbox evasion, rate-limiting of activities, and the manipulation of command-line parameters within process memory. This methodology allows the actual operational behavior of the malware to remain obscured from monitoring frameworks.
Particular attention was directed toward Zhengzhou 403. While the entity is formally registered in Zhengzhou, China, the designated address corresponds to a residential edifice comprising hotel apartments, with no discernible traces of an information technology firm. The Extended Validation (EV) certificate utilized to sign the driver was subsequently revoked by the GlobalSign certification authority following reports of its misappropriation.
The investigation further illuminated a nexus between Zhengzhou 403 and the broader Dragon Breath ecosystem. The same certificate was employed to sign malicious files masquerading as legitimate installers for LetsVPN and Telegram Desktop. All identified samples communicated with a single Cobalt Strike command-and-control server, oss-aws.1nb.xyz. Analysts noted that this tactical approach mirrors the methodology seen in the earlier RONINGLOADER campaign.
The figure of Zhang Liye, the founder of Zhengzhou 403, has also piqued the interest of investigators. The report suggests a potential overlap with Wuhan Xiaoruizhi Science and Technology, an entity previously linked by United States authorities to the APT31 group. While definitive evidence of Zhang Liye’s participation in APT31 operations remains elusive, specialists deem the coincidence too significant to dismiss.
Microsoft has been formally apprised of the defect. Researchers are currently advocating for the inclusion of dragoncore_k.sys in the Windows Vulnerable Driver Block List to preclude the loading of the file on protected systems.
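Until the driver reaches the block list, defenders can hunt for it in driver-load telemetry. The following is an added example, not code from the report or its researchers: it scans constructed records in the shape of Sysmon Event ID 6 (DriverLoad) fields and flags the indicators the report names (the file name dragoncore_k.sys, the signing company, and a revoked signature). The record layout, file paths and sample events are constructed assumptions.

```python
# Indicators taken from the report: the driver file name and its signer.
DRIVER_NAME = "dragoncore_k.sys"
SIGNER = "Zhengzhou 403 Network Technology Co., Ltd."

# Constructed sample records shaped like Sysmon Event ID 6 fields (not real telemetry).
SAMPLE_EVENTS = [
    "ImageLoaded: C:\\Windows\\System32\\drivers\\ntfs.sys|Signed: true|Signature: Microsoft Windows|SignatureStatus: Valid",
    "ImageLoaded: C:\\Users\\Public\\dragoncore_k.sys|Signed: true|Signature: Zhengzhou 403 Network Technology Co., Ltd.|SignatureStatus: Valid",
    "ImageLoaded: C:\\Windows\\Temp\\svc.sys|Signed: true|Signature: Zhengzhou 403 Network Technology Co., Ltd.|SignatureStatus: Revoked",
    "ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys|Signed: true|Signature: Microsoft Windows|SignatureStatus: Valid",
]


def parse_event(line: str) -> dict:
    """Split a 'Key: value|Key: value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(": ")
        fields[key.strip()] = value.strip()
    return fields


def classify(event: dict) -> list:
    """Return the reasons a DriverLoad event deserves attention (empty if none)."""
    reasons = []
    image = event.get("ImageLoaded", "")
    name = image.rsplit("\\", 1)[-1].lower()
    if name == DRIVER_NAME:
        reasons.append("known vulnerable driver name")
    if event.get("Signature", "") == SIGNER:
        reasons.append("signed by publisher tied to Dragon Breath")
    if event.get("SignatureStatus", "").lower() == "revoked":
        reasons.append("certificate revoked")
    # Loading from outside the drivers directory is only noted as supporting context.
    if reasons and not image.lower().startswith("c:\\windows\\system32\\drivers\\"):
        reasons.append("loaded from non-standard path")
    return reasons


def hunt(lines) -> list:
    """Return (image, reasons) for every record that matches an indicator."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["ImageLoaded"], reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(reasons)}")
```

A matching event should be treated as the driver having been loaded; the report's concern is that it does not itself trigger security alerts.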