China-Linked Amaranth-Dragon Weaponizes WinRAR Flaw to Spy on SE Asia
- Feb 5
Key Findings
- Threat actors affiliated with China have been attributed to a fresh set of cyber espionage campaigns targeting government and law enforcement agencies across Southeast Asia throughout 2025.
- The activity cluster, tracked by Check Point Research under the moniker "Amaranth-Dragon," shares links to the APT 41 ecosystem.
- Targeted countries include Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines.
- The campaigns were timed to coincide with sensitive local political developments, official government decisions, or regional security events.
- The attacks were "narrowly focused" and "tightly scoped," indicating efforts to establish long-term persistence for geopolitical intelligence collection.
- The threat actors exploited CVE-2025-8088, a security flaw in RARLAB WinRAR that allows for arbitrary code execution, about eight days after its public disclosure.
Background
The China-linked threat group, dubbed "Amaranth-Dragon" by Check Point Research, has been actively targeting government and law enforcement agencies across Southeast Asia since 2025. The group's tactics, techniques, and procedures (TTPs) suggest a connection to the notorious APT 41 hacking collective.
The campaigns were highly targeted, focusing on specific government entities and timed to coincide with significant local political, economic, or security events in the region. This strategy was aimed at increasing the likelihood of successful compromise by aligning the malicious content with familiar, timely contexts.
Exploitation of CVE-2025-8088
The most notable aspect of the Amaranth-Dragon group's operations is its ability to rapidly weaponize newly disclosed vulnerabilities. In this case, the group exploited CVE-2025-8088, a critical path traversal vulnerability in RARLAB WinRAR that allows for arbitrary code execution, within just 8 days of its public disclosure.
The group distributed a malicious RAR file that exploited the vulnerability, enabling the execution of arbitrary code and establishing persistence on the compromised machines. This swift integration of the vulnerability into their attack arsenal underscores the group's technical sophistication and preparedness.
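As an added example (not code from the report or from WinRAR), a defender-side check for the kind of archive path traversal described above: it flags member names that would land outside the extraction directory, run here over a constructed member list rather than any real sample. The alternate-data-stream colon check is a hardening assumption beyond what the report states.

```python
"""Flag archive entry names that would escape the extraction directory.

Added example, not from the report or from WinRAR. A real scan would feed
this the member list produced by an archive parser.
"""
import ntpath
from typing import Iterable, List


def is_unsafe_entry(name: str) -> bool:
    """Return True if extracting `name` relative to a root could write outside it."""
    unified = name.replace("\\", "/")  # archives built on Windows use backslashes
    # Absolute paths, drive letters (C:) and UNC prefixes (\\server\share)
    # ignore the extraction root entirely.
    if unified.startswith("/") or ntpath.splitdrive(name)[0]:
        return True
    # An embedded NUL can truncate the name at the filesystem layer.
    if "\x00" in name:
        return True
    # A colon elsewhere in the name is NTFS alternate-data-stream syntax
    # ("file.txt:stream"); treated as unsafe here as a hardening assumption.
    if ":" in unified:
        return True
    # Walk the segments; the first time the depth drops below zero the
    # path has climbed above the root, whatever follows afterwards.
    depth = 0
    for seg in unified.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def flag_entries(names: Iterable[str]) -> List[str]:
    """Return the subset of entry names that fail the check, in input order."""
    return [n for n in names if is_unsafe_entry(n)]


# Constructed sample member list (not taken from any real archive).
SAMPLE_ENTRIES = [
    "Agenda_2025.pdf",
    "attachments/../notes.txt",  # stays inside the root, so it is allowed
    "..\\..\\..\\Users\\Public\\update.dll",
    "C:\\Windows\\Temp\\helper.dll",
    "Agenda_2025.pdf:stream.dll",
]

if __name__ == "__main__":
    for entry in flag_entries(SAMPLE_ENTRIES):
        print("UNSAFE:", entry)
```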
Attack Methodology
The attackers primarily utilized spear-phishing emails to distribute the malicious RAR archives, which were often hosted on trusted cloud platforms like Dropbox to bypass traditional perimeter defenses. The archives contained a malicious DLL named "Amaranth Loader" that was launched through DLL side-loading, a well-known tactic among Chinese threat actors.
Once executed, the loader would contact an external server to retrieve an encryption key, which was then used to decrypt and execute an encrypted payload, often the open-source Havoc command-and-control (C2) framework.
In a notable evolution, the group was also observed deploying a fully functional remote access trojan (RAT) codenamed "TGAmaranth RAT" that leveraged a Telegram bot for C2 communication, further enhancing their stealth and operational security.
Operational Security and Persistence
The Amaranth-Dragon group exhibited a high degree of operational security throughout its campaigns. The attack infrastructure was configured to accept traffic only from IP addresses within the target countries, minimizing collateral damage and exposure. Additionally, the group implemented various anti-debugging and antivirus-evasion techniques to resist analysis and detection.
The campaigns also exemplified the threat actors' ability to weaponize legitimate, trusted infrastructure to execute their targeted attacks while remaining clandestine. The group's links to APT 41 were evident through overlaps in their malware arsenal, suggesting a possible connection or shared resources between the two clusters.
Sources
https://thehackernews.com/2026/02/china-linked-amaranth-dragon-exploits.html
https://securityonline.info/10-days-to-exploit-amaranth-dragon-weaponizes-winrar-flaw-to-spy-on-se-asia/
https://x.com/TheCyberSecHub/status/2019063453974180212
https://x.com/Dinosn/status/2019067398607732864
https://www.cypro.se/2026/02/04/china-linked-amaranth-dragon-exploits-winrar-flaw-in-espionage-campaigns/