DragonBreath: Dragon in the Kernel

Dragon in the Kernel: Dragoncore_k.sys, Zhengzhou 403 & the APT31/APT-Q-27 Nexus

Advisory Report

Dragoncore_k.sys & Zhengzhou 403 Network Technology Co., Ltd.

0-Day BYOVD Vulnerability | Shell Company Analysis | Dragon Breath APT-Q-27 | APT31 Personnel Nexus

Abstract

This report documents a critical 0-day vulnerability in dragoncore_k.sys, a Windows kernel-mode driver bearing a valid Microsoft WHQL signature issued to Zhengzhou 403 Network Technology Co., Ltd. The driver exposes an unauthenticated IOCTL interface that permits any process with local administrative rights to terminate arbitrary processes from Ring 0 — including those protected by Protected Process Light (PPL) — completely blinding EDR and AV solutions.

Investigation of the signing entity reveals a pattern consistent with a Chinese state-adjacent shell company operating within the Dragon Breath APT (APT-Q-27) ecosystem. Three independent evidence streams converge:

1. The company's GlobalSign EV certificate was explicitly revoked for abuse.
2. Its registered address resolves to a mixed-use high-rise tower with no technology company presence, co-located with hotel serviced apartments on the same floor, with no evidence of any operational business activity.
3. The same certificate signed letsvpn-3.12.3.exe on MalwareBazaar, directly matching the LetsVPN decoy installer pattern usedd in Elastic Security Labs' documented RONINGLOADER / Dragon Breath campaign

The driver's IOCTL kill mechanism is functionally identical to ollama.sys, the kernel driver used in that same APT campaign. Additionally, a CobaltStrike C2 endpoint (oss-aws.1nb.xyz) was identified shared across all three Zhengzhou 403-signed samples, and a personnel-level connection was identified between the company founder Zhang Liye (张立业) and the OFAC-sanctioned APT31 front company Wuhan Xiaoruizhi.

1. Vulnerability Technical Analysis

1.1 Driver Overview

1.2 IOCTL Handler Vulnerability

Static reverse engineering of the driver's IRP dispatch table reveals that the handler for IOCTL code 0x22201C accepts a user-supplied buffer containing a Process ID and passes it directly — without any validation — to ZwTerminateProcess. Three vulnerability classes are present:

Figure 1: Reverse-engineered IOCTL handler for 0x22201C in dragoncore_k.sys — passes user-supplied PID directly to ZwTerminateProcess.

Missing Privilege and Context Validation
The handler does not verify the calling thread's integrity level, does not require SeDebugPrivilege, and does not check whether the target is a PPL-protected process. Since the call is issued from Ring 0, the Windows kernel treats it as a trusted system request, bypassing all user-mode PPL enforcement.

Insecure Device Object ACL
The device object at \\.\3e0ac7f is created without a restrictive Security Descriptor. Any process with local administrative rights can obtain a handle via CreateFileA with no additional authentication.

Unvalidated Input Buffer Size
The handler does not validate buffer size before processing, potentially introducing secondary memory corruption primitives — requires further research.

1.3 Exploitation Chain

1. Driver Deployment — Dropped and registered as a Windows service via CreateServiceA. Valid WHQL signature satisfies DSE and HVCI requirements without triggering code integrity violations.
2. Handle Acquisition — Payload calls CreateFileA against \\.\3e0ac7f to obtain a kernel-mode handle.
3. IOCTL Trigger — Payload constructs buffer with target PID (e.g., MsMpEng.exe) and issues DeviceIoControl(0x22201C).
4. Kernel-Mode Termination — Driver executes ZwTerminateProcess from Ring 0. The kernel honors this unconditionally, circumventing PPL entirely.

1.3.1 Dropper Ecosystem — VirusTotal Execution Parent Analysis

VirusTotal relationship data for dragoncore_k.sys (SHA-256: 1da4f7f...) reveals 16 distinct execution parents — all classified as Win32 EXE with detection rates ranging from 47/70 to 57/72, confirming the driver is exclusively deployed via purpose-built malicious droppers rather than any legitimate software context. No legitimate execution parent has been identified across any submission.

The dropper submissions cluster tightly between December 21, 2024 and January 24, 2025 — immediately following the driver's November 2024 compilation date — indicating a rapid operational deployment window consistent with a coordinated campaign rollout rather than opportunistic distribution.

Figure 2: VirusTotal relationship view of dragoncore_k.sys execution parents — 16 purpose-built droppers, no legitimate parent.

1.4 Impact Assessment

1.5 Driver Code Analysis: Purpose-Built Malware Confirmation

Detailed reverse engineering of the driver's primary dispatch routine (beyond the IOCTL kill interface) reveals that dragoncore_k.sys contains a fully instrumented process inspection and in-memory command-line modification engine. This functionality has no legitimate defensive or performance-monitoring purpose and confirms the driver was purpose-built for offensive malware deployment.

Figure 3: Reverse-engineered PEB attachment and in-memory command-line modification routine inside dragoncore_k.sys.

1.6 Certificate Revocation Analysis

Key findings:

• EV certificates require rigorous physical and legal identity verification. GlobalSign verifies the legal entity existence, physical address, and authorized applicant. The company either passed genuine verification or successfully deceived it at issuance time.
• Explicit revocation requires deliberate action by GlobalSign — triggered by abuse reports, law enforcement contact, or security industry notification. Same mechanism used against Zhuhai Liancheng Technology and Ningbo Zhuo Zhi Innovation.
• Critical timeline: dragoncore_k.sys compiled November 2024; certificate issued March 28, 2025. The driver was signed post-compilation with the company's own certificate. The stolen certificate hypothesis is definitively eliminated.

Figure 4: GlobalSign EV certificate explicit revocation — Mon May 19 17:41:01 2025.

2. Company Analysis & Shell Company Network

2.1 Zhengzhou 403 Network Technology — Profile

Figure 5: Aiqicha — Zhengzhou 403 company registration page.

Zhengzhou 403 Network Technology Co., Ltd. (郑州市肆零叁网络科技有限公司) is registered in Zhengzhou, Henan Province, China. The company held a WHQL hardware developer account with Microsoft and an EV code-signing certificate from GlobalSign — subsequently explicitly revoked for abuse (see Section 1.6 for full certificate revocation analysis). No verifiable product portfolio, public website, commercial history, or customer base has been identified. The company exists solely as a legal registration and certificate-holding vehicle.

Key Personnel:

Figure 6: Aiqicha key personnel record for Zhengzhou 403 — Zhang Liye and Li Xiaoyan.

Figure 7: Aiqicha — Zhengzhou 403 key personnel (Zhang Liye + Li Xiaoyan).

Business Scope: Information technology consulting services; computer system services; computer hardware, software and auxiliary equipment retail; software sales; software development; communication equipment sales; network and information security software development; IoT technology services; technology services, development, consulting, exchange, transfer and promotion; electronic product sales. Note: deliberately written to justify acquisition of an EV code-signing certificate and WHQL driver submission.

2.2 Physical Address Analysis

Vanke Yu Building 2 — floor breakdown:

• Ground floor — retail shops (China Mobile, convenience stores)
• Mid floors — residential apartments
• 6th floor — Evian Hotel (serviced apartments)
• 26th floor — Vanke Hongsheng Business Residence + orthodontists / medical
• Room 618 (618室) — registered address for Zhengzhou 403 Network Technology

Figure 8: Vanke Yu Building 2 — directory and floor breakdown showing mixed residential / serviced apartment occupancy.

Assessment: mixed-use high-rise, not a dedicated shell farm. The orthodontists and medical services on upper floors are typical of Chinese mixed-use towers where commercial units are scattered throughout.

Figure 9: Vanke Yu Building 2 — Room 618 registered address for Zhengzhou 403 Network Technology.

Room 618 is located on the 6th floor of the building:

Figure 10: Vanke Yu Building 2 — mapping view 2.

Note: The number 4 (四, sì) is considered unlucky in Chinese culture due to its near-homophony with "death" (死, sǐ). It is not uncommon for buildings to skip the 4th floor entirely. Room 618 is listed on the 6th floor, but if the building skips the 4th floor, the unit may physically be located on the 5th floor.

Further searches confirm that the 6th floor of Vanke Yu Building 2 — the floor on which Room 618 is registered — is occupied primarily by hotel and short-stay accommodation, with Evian Hotel confirmed as a co-occupant on the same floor, rendering any meaningful physical verification of Zhengzhou 403's presence effectively impossible.

Note also that the office space is shared with a hotel, Evian Hotel:

Figure 11: Evian Hotel — serviced apartments in the same building as Zhengzhou 403.

2.3 Successor Shell Company: Zhengzhou Lianliu Network Technology

Figure 12: Aiqicha registration page for the successor shell company — Zhengzhou Lianliu Network Technology Co., Ltd.

Following the explicit revocation of the GlobalSign EV certificate in May 2025 and the operating abnormality listing of Zhengzhou 403 in July 2025, Zhang Liye registered a successor shell company in August 2025. This pattern — creating a new shell after the first is compromised or flagged — is consistent with MSS operational security tradecraft.

Registered Address: Room 405, 3rd Floor, Zone C, Building 1, Baifo Community North Gate Commercial Building, Compound 4, Shangdu Jiayuan, Zhengdong New District, Zhengzhou

Figure 13: Mapping view of Baifo Community Building 1, the registered address for Zhengzhou Lianliu Network Technology.

Physical OSINT Assessment: The registered address resolves to a small commercial building whose 3rd floor is occupied by hair salons, tobacco/alcohol shops and importantly communications departments.

Figure 14: Street-level view of the Baifo Community Building 1 — the registered address resolves to a small commercial building.

Key Personnel: Zhang Liye holds every corporate position himself. Unlike Zhengzhou 403, Lianliu lists no supervisor. Notably, Zhengzhou 403 registered one supervisor (Li Xiaoyan), whereas Lianliu registered none at all — suggesting Zhang Liye eliminated even the nominal compliance role when setting up the successor entity.

Figure 15: Likely office space at the Zhengzhou Lianliu registered address.

2.4 Neighbouring Shell Companies — Zhengzhou Lianliu

The following provides a more comprehensive overview of units identified in the immediate vicinity that may warrant further investigation:

Open-source mapping of the immediate vicinity reveals several entities of note co-located on the 3rd floor of Building 1, Baifo Residential Area, Shangdu Jiayuan. Three entities sharing the "Communications Department" (通讯部) naming convention were identified in close proximity to one another:

• 旺铃通讯部 (Wangling Communications Department) — Unit 064, 3rd Floor, Building 1, Baifo Residential Area, Shangdu Jiayuan, Shangdu Road Subdistrict, Zhengdong New District, Zhengzhou — categorised as 购物 (Shopping). Not yet open.

Figure 16: Mapping listing for 旺铃通讯部 (Wangling Communications Department) — Unit 064.

• 尚楷通讯部 (Shangkai Communications Department) — Unit 067, 3rd Floor, Building 1, Baifo Residential Area, Shangdu Jiayuan, Shangdu Road Subdistrict, Zhengdong New District, Zhengzhou — categorised as 公司企业 (Corporate). Under construction.

Figure 17: Mapping listing for 尚楷通讯部 (Shangkai Communications Department) — Unit 067.

• 联勋通讯部 (Lianxun Communications Department) — Unit 069, 3rd Floor, Building 1, Baifo Residential Area, Shangdu Jiayuan, Shangdu Road Subdistrict, Zhengdong New District, Zhengzhou — categorised as 政府机构 (Government Institution). Not yet open.

Figure 18: Mapping listing for 联勋通讯部 (Lianxun Communications Department) — Unit 069, anomalously categorised as a Government Institution.

It is notable that three entities sharing a distinctive naming convention and operating in physical proximity are categorised inconsistently across Shopping, Corporate, and Government Institution classifications respectively. No online presence could be identified for Wangling or Lianxun Communications Departments. Lianxun's classification as a Government Institution is particularly anomalous given the complete absence of any corresponding official registration or government directory listing.

Also present on the same floor is 河南逊利优贸易有限公司 (Henan Xunliyou Trading Co., Ltd.) at Unit 118, 3rd Floor, Building 1, Baifo Residential Area, Shangdu Jiayuan — a trading company with an estimated rather than confirmed location per mapping data.

Figure 19: Mapping listing for 河南逊利优贸易有限公司 (Henan Xunliyou Trading Co., Ltd.) — Unit 118.

2.5 Chinese APT Front Company — Comparative Analysis

3. Dragon Breath APT-Q-27 Attribution

3.1 LetsVPN — The Operational Link

The most significant attribution indicator is the direct operational overlap between the Zhengzhou 403 certificate and Dragon Breath APT documented by Elastic Security Labs in November 2025 (RONINGLOADER).

The Zhengzhou 403 MalwareBazaar sample is named letsvpn-3.12.3.exe. The RONINGLOADER dropper uses letsvpnlatest.exe as its LetsVPN-themed decoy. Both are signed malicious payloads using the LetsVPN brand — an exclusive operational lure used by Chinese APT actors targeting Chinese-speaking users seeking censorship circumvention software.

3.2 Technical Comparison: dragoncore_k.sys vs. ollama.sys

IOCTL codes 0x22201C and 0x222000 are structurally identical: both use METHOD_BUFFERED / FILE_ANY_ACCESS in the 0x222xxx device type range. The only difference is the function code (7 vs 0) — consistent with version iteration of the same codebase rather than independent development.

3.3 LetsVPN as a Chinese APT Lure — Ecosystem

3.4 Attribution Assessment

4. APT31 Personnel Nexus

4.1 Zhang Liye / Wuhan Xiaoruizhi Connection

Figure 20: Zhang Liye personnel profile material connecting Zhengzhou 403 founder to the APT31 / Wuhan Xiaoruizhi ecosystem.

Cross-referencing the founding personnel of Zhengzhou 403 against published APT attribution research reveals a direct personnel-level connection to the confirmed APT31 MSS front company Wuhan Xiaoruizhi Science and Technology (武汉晓睿智科技有限公司).

Zhang Liye — Personal Details:

Personnel cross-reference summary:

• Zhang Liye (张立业) — shareholder and owner of two companies:
  1. 郑州市肆零叁网络科技有限公司 (Zhengzhou 403 Network Technology) — certificate revoked, operating abnormal
  2. 郑州市联流网络科技有限公司 (Zhengzhou Lianliu Network Technology) — successor shell, active
• Li Xiaoyan (李晓燕) — Supervisor at Zhengzhou 403 only; confirmed only linked to 403 and has no role at Lianliu or any other entity.

4.2 Breachedforums / WoyouLuma Leak Corroboration

Figure 21: Breached.vc post by 'WoyouLuma' advertising a 633MB database of identified Chinese MSS operators in Wuhan.

On December 5, 2022, a user identified as 'WoyouLuma' posted on Breached.vc claiming to sell a 633MB database containing the identities of more than 100 hackers working for the Chinese government MSS in Wuhan.

Figure 22: WoyouLuma database description — names, photos, national ID numbers, phone numbers, and home addresses of MSS operators in Wuhan.

The database was described as containing names, photos, national ID numbers, phone numbers, and home addresses of MSS operators and officials of the Wuhan National Security Bureau responsible for organising and coordinating cyberattacks, as well as names and addresses of supporting companies and lists of hacked entities.

The poster went on to claim that Wuhan Xiaoruizhi was a cover company for MSS hacking activity in Wuhan. The company had a few teams working for the MSS, but in 2020, teams started working under new companies. As Intrusion Truth noted: "These are some astonishing claims, but at team Intrusion Truth we are nothing if not diligent and wanted to get to the bottom of this ourselves. Could we also link Wuhan Xiaoruizhi to the MSS? Could we link it to an APT?"

The post was subsequently sold to an exclusive buyer for $50,000 USD and later removed from the forum following the Breachforums takedown. A preview screenshot showed folder names containing Chinese surnames and partial national ID numbers, the majority bearing the 421 prefix (Hubei Province).

Intrusion Truth independently verified 32 Xiaoruizhi employees through separate government documents — not from the WoyouLuma database. Source: Intrusion Truth — Trouble in Paradise

Ransom-ISAC has independently matched Zhang Liye against the Intrusion Truth published list. He is a confirmed match. The second company personnel member (Li Xiaoyan) does not appear in any published Xiaoruizhi employee list and remains unattributed.

4.3 Li Xiaoyan — Secondary Subject

Li Xiaoyan (李晓燕) is listed as Supervisor (监事) of Zhengzhou 403 Network Technology Co., Ltd. She was registered in this role from the company's founding date of January 22, 2024.

Figure 23: Aiqicha record for Li Xiaoyan — Supervisor (监事) of Zhengzhou 403 Network Technology.

4.4 APT31 Background

APT31 (Violet Typhoon / Judgment Panda / ZIRCONIUM) conducts cyber operations on behalf of the Hubei State Security Department (HSSD), a provincial MSS branch in Wuhan (US DoJ indictment, March 2024; Rewards for Justice). Documented targets include:

• US White House, DoJ, Commerce, Treasury, State Department
• US Congress members (Democratic and Republican senators)
• Defense Industrial Base, aerospace, telecom, energy, financial sectors
• Norwegian government (PST attribution, 2018), Finnish Parliament (NBI investigation, 2020–2021), Hong Kong pro-democracy activists

In 2010, HSSD established Wuhan Xiaoruizhi Science and Technology as a front company. The US DoJ March 2024 indictment named seven defendants and formally designated Wuhan XRZ as an MSS front company. Concurrent with the indictment, the US Treasury imposed sanctions on Wuhan XRZ and two of the defendants, and the Department of State announced a Rewards for Justice bounty of up to $10 million.

4.5 Dual-Track Attribution

These tracks are not mutually exclusive — the Chinese contractor ecosystem routinely sees individuals serve multiple MSS-affiliated entities simultaneously, and Zhengzhou 403 may function as shared signing infrastructure spanning both APT-Q-27 operational activity and APT31 personnel networks.

5. MalwareBazaar Samples & C2 Infrastructure

5.1 Certificate-Tagged Sample Catalog

Three samples bearing the Zhengzhou 403 EV certificate (serial 4668EDFA623554CF0B48F401) are cataloged on MalwareBazaar under the tag Zhengzhou-403-Network-Technology-Co-Ltd. All three are classified as either CobaltStrike beacons or signed loaders (possibly DonutLoader or Telegram-based loading), and all three communicate with the same CobaltStrike C2 endpoint.

All three samples are signed with the same explicitly revoked GlobalSign EV certificate and tagged on MalwareBazaar with loader and CobaltStrike indicators. The presence of DonutLoader or Telegram-based loading mechanisms is consistent with Chinese APT multi-stage deployment chains where a signed loader serves as the initial trust-bypass stage before deploying shellcode or retrieving the final payload from a messaging platform channel.

Sample #2 — tsetup-x64.5.13.1.exe: Trojanized Telegram Desktop Confirmed

Dynamic analysis of tsetup-x64.5.13.1.exe (SHA-256: ce38c96a69a8a1c6828e11742355c41b878198e08d7efbe73eefa1b5cbe623c5) conducted via JoeSandbox (Analysis ID: 1679094) confirms this sample is a trojanized Telegram Desktop installer bearing the explicitly revoked Zhengzhou 403 EV certificate. The filename tsetup-x64.5.13.1.exe is a direct impersonation of the legitimate Telegram Desktop installer naming convention (tsetup = Telegram setup). The sample presents as a functional Telegram installer to avoid victim suspicion while executing its malicious payload chain — structurally identical to the dual-installer pattern documented in RONINGLOADER, where a benign decoy application is installed alongside the malicious component.

This finding directly corroborates QiAnXin's attribution of trojanized Telegram installers to Dragon Breath APT-Q-27, and confirms that Zhengzhou 403 Network Technology Co., Ltd. served as the certificate signing vehicle for both the LetsVPN-themed and Telegram-themed lure families within the same campaign infrastructure. The use of a single compromised EV certificate across multiple lure brands indicates centralized certificate management at the operator level rather than per-campaign certificate acquisition.

5.2 Shared C2 Endpoint: oss-aws.1nb.xyz

Investigation of the three MalwareBazaar samples bearing the Zhengzhou 403 certificate reveals a shared CobaltStrike Beacon C2 endpoint: http://oss-aws.1nb.xyz/

Domain masquerade analysis: oss-aws.1nb.xyz — "oss" references Alibaba Cloud Object Storage Service; "aws" references Amazon Web Services. Engineered to appear as a legitimate cloud storage endpoint in SIEM alerting. Consistent with Dragon Breath / APT-Q-27 documented use of cloud-mimicry domains.

NgxFence significance: Deployment of a Chinese WAF for a CobaltStrike C2 is consistent with Chinese threat actor operational patterns documented by Hunt.io and Rapid7 (2025–2026), where Chinese CDN providers are used to mask C2 origin and return 403/404 to non-beacon requests while routing valid beacon traffic to the actual team server.

5.3 jnsupx.exe — Dropper Analysis & Kill Chain Reconstruction

Dynamic analysis of jnsupx.exe (SHA-256: 8fc822b3e285030c6dcb36d7b9a52426e2b3eeaf643a28ef2cfcd1cb0709906f, 1,014.50 KB, detection: 57/72) reveals the primary dropper responsible for deploying dragoncore_k.sys into target environments. The sample is UPX-packed, contains debug environment detection, persistence mechanisms, self-deletion capability, and long-sleep anti-sandbox controls — a behavioral profile consistent with a mature, operationally deployed loader.

Figure 24: Dynamic analysis of jnsupx.exe — UPX-packed dropper deploying dragoncore_k.sys.

6. MITRE ATT&CK Mapping

7. Indicators of Compromise

7.1 Files

7.2 Certificate

7.3 Network

7.4 Behavioral Indicators

• CreateService events referencing dragoncore_k.sys or drivers signed by certificate serial 4668EDFA623554CF0B48F401
• CreateFile calls targeting \\.\3e0ac7f
• DeviceIoControl calls with code 0x22201C
• Abrupt termination of EDR/AV processes (MsMpEng.exe, CrowdStrike Falcon, Carbon Black, SentinelOne) without a preceding uninstall event
• Service registration for kernel-mode drivers signed by unrecognized Chinese entities not in the Microsoft Vulnerable Driver Blocklist
• Outbound HTTP beaconing to oss-aws.1nb.xyz at periodic intervals

7.5 YARA Rule

rule BYOVD_dragoncore_k_sys {
  meta:
    description = "Detects dragoncore_k.sys BYOVD driver - Zhengzhou 403 / Dragon Breath APT"
    author      = "Alex Necula"
    date        = "2026-04-22"
    tlp         = "WHITE"

  strings:
    $device = { 5C 00 5C 00 2E 00 5C 00 66 00 33 00 65 00
                30 00 61 00 63 00 37 00 66 00 }
    $ioctl  = { 1C 20 22 00 }

  condition:
    uint16(0) == 0x5A4D and filesize < 500KB and ($device or $ioctl)
}

8. Disclosure & Defensive Recommendations

8.1 Coordinated Vulnerability Disclosure

This vulnerability is being addressed via CVD. Primary remediation target: inclusion of dragoncore_k.sys in the Microsoft Windows Vulnerable Driver Blocklist (Driver.stl). Reported to MSRC at https://msrc.microsoft.com/report/ under Windows Hardware Developer Program abuse.

8.2 Immediate Actions

• Block by hash: Deploy WDAC or AppLocker policy blocking dragoncore_k.sys by SHA-256 1da4f7f001d239a54fab50eb7c3cbc985db392a3d4405e19c3a5d2035d591004
• Block by cert serial: Add 4668EDFA623554CF0B48F401 to EDR block rules and SIEM alerting
• Enable Microsoft Vulnerable Driver Blocklist: Settings → Windows Security → Device Security → Core Isolation → Microsoft Vulnerable Driver Blocklist: ON
• Block C2: Add oss-aws.1nb.xyz to DNS blocklist and firewall rules immediately

8.3 Detection Rules

• Alert on CreateService events for kernel-mode drivers signed by novel unrecognized Chinese entities
• Alert on CreateFile calls to \\.\3e0ac7f and DeviceIoControl(0x22201C)
• Hunt retroactively for driver hash across endpoint telemetry
• Monitor for PEB CommandLine field modification events via kernel ETW providers (MDE Advanced Hunting)

8.4 Strategic Measures

• Enforce HVCI on all endpoints
• Restrict SeLoadDriverPrivilege to minimum necessary accounts
• Subscribe to MalwareBazaar / VirusTotal feeds filtered by signing certificate CN for proactive driver threat intelligence
• Treat the signing entity as a threat indicator — any file signed by an unrecognized Chinese technology company with no verifiable commercial history should be treated with extreme suspicion

9. Conclusion

dragoncore_k.sys represents a credible, immediately weaponizable threat to enterprise endpoint security. Its zero-input-validation IOCTL interface, combined with a valid WHQL signature from Zhengzhou 403 Network Technology Co., Ltd., makes it an effective BYOVD component for EDR neutralization in targeted intrusions.

The surrounding intelligence elevates this finding well beyond a routine driver vulnerability:

• EV certificate explicitly revoked by GlobalSign
• Registered address confirmed as an uninhabited hotel-floor address.
• letsvpn-3.12.3.exe signed by the same certificate directly matches the Dragon Breath RONINGLOADER LetsVPN lure pattern
• IOCTL architecture (0x22201C vs 0x222000) supports version iteration of the same codebase
• Shared CobaltStrike C2 (oss-aws.1nb.xyz) across all three certificate-tagged samples confirms active operational infrastructure
• In-memory command-line modification engine confirms purpose-built offensive tooling, not accidental vulnerability
• Personnel-level connection between founder Zhang Liye and OFAC-sanctioned APT31 front company Wuhan Xiaoruizhi introduces a dual-track APT attribution assessment

This research demonstrates that BYOVD threat intelligence must not stop at the technical vulnerability. The signing entity is a first-class intelligence artifact. Shell company structures, EV certificate acquisition patterns, revocation histories, co-signed payload families, and personnel records are underutilized attribution signals that can bridge kernel-level vulnerability analysis with APT campaign tracking.

10. References

1. Elastic Security Labs — RONINGLOADER: DragonBreath's New Path to PPL Abuse (Jia Yu Chan, Salim Bitam, November 15, 2025)
2. US DOJ Indictment — APT41 / Chengdu 404 Network Technology (August 2020)
3. Mandiant — Hunting for Attestation Signed Malware (Google Cloud Blog, 2022)
4. Sophos — Signed Driver Malware Moves Up the Software Trust Chain (December 2022)
5. Rapid7 — Winos 4.0 via Trojanized LetsVPN Installers / Catena Loader (May 2025)
6. Cyble Research — New Malware Campaign Targets LetsVPN Users (November 2023)
7. Trend Micro — Void Arachne / LetsVPN / Winos Backdoor (June 2024)
8. Microsoft Security Advisory ADV230001 — Maliciously Signed WHQL Drivers (2023)
9. Intrusion Truth — Trouble in Paradise: Wuhan Xiaoruizhi Science and Technology (May 2023)
10. malware.news — Trouble in Paradise (APT31 / Zhang Liye analysis, 2023)
11. US Treasury OFAC — Sanctions: Wuhan Xiaoruizhi Science and Technology Co., Ltd. and APT31 operators (March 2024)
12. US DoJ — Indictment: Seven APT31 Operators / Wuhan Xiaoruizhi (March 2024)
13. UK Government — Sanctions: APT31 / Wuhan XRZ / UK Electoral Commission intrusion (2024)
14. Hunt.io — Inside China's Hosting Ecosystem: 18,000+ Malware C2 Servers Mapped (January 2026)
15. MalwareBazaar — Tag: Zhengzhou-403-Network-Technology-Co-Ltd
16. ReliaQuest — Anxun and Chinese APT Activity (2025)
17. SecurityOnline — Dragon Breath APT Deploys RoningLoader (November 2025)
18. JoeSandbox — Analysis ID 1679094: tsetup-x64.5.13.1.exe dynamic analysis (trojanized Telegram Desktop installer)
19. QiAnXin Threat Intelligence Blog — Dragon Breath APT-Q-27 trojanized Telegram installer attribution
20. US Department of State — Rewards for Justice: APT31 / Wuhan Xiaoruizhi Science & Technology Company, Ltd.
21. Norway Police Security Service (PST) / Cyber Defense Magazine — Norway Blames China-Linked APT31 for 2018 Government Hack (June 2021)
22. The Hacker News — Finland Blames Chinese Hacking Group APT31 for Parliament Cyber Attack (March 2024)