China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns
#Vulnerabilities

Security Reporter

Chinese APT group Amaranth-Dragon targets Southeast Asian government agencies using CVE-2025-8088 WinRAR vulnerability and sophisticated malware delivery techniques.

Chinese threat actors affiliated with Amaranth-Dragon have launched a series of cyber espionage campaigns targeting government and law enforcement agencies across Southeast Asia throughout 2025, exploiting a recently disclosed WinRAR vulnerability to establish long-term persistence on compromised systems.

Sophisticated Targeting of Regional Governments

The campaigns, tracked by Check Point Research, have specifically targeted countries including Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines. What makes these attacks particularly concerning is their precise timing - many were coordinated to coincide with sensitive local political developments, official government decisions, or regional security events.

"By anchoring malicious activity in familiar, timely contexts, the attackers significantly increased the likelihood that targets would engage with the content," Check Point researchers noted. The attacks were described as "narrowly focused" and "tightly scoped," suggesting deliberate efforts to maintain long-term persistence for geopolitical intelligence collection.

Exploitation of WinRAR Vulnerability CVE-2025-8088

The most notable aspect of Amaranth-Dragon's tradecraft is their exploitation of CVE-2025-8088, a now-patched security flaw in RARLAB WinRAR that allows arbitrary code execution when specially crafted archives are opened. The group began exploiting this vulnerability approximately eight days after its public disclosure in August 2025.

"The group distributed a malicious RAR file that exploits the CVE-2025-8088 vulnerability, allowing the execution of arbitrary code and maintaining persistence on the compromised machine," researchers explained. "The speed and confidence with which this vulnerability was operationalized underscores the group's technical maturity and preparedness."

Multi-Stage Attack Infrastructure

The attack chains demonstrate sophisticated operational security measures. The infrastructure is configured to interact only with victims in specific target countries, minimizing exposure and detection risk. Initial access likely occurs through spear-phishing emails containing archive files hosted on trusted cloud platforms like Dropbox.

The malicious RAR archive contains several components, including a malicious DLL named Amaranth Loader. Once a target opens the archive, the loader is launched through DLL side-loading, a technique long favored by Chinese threat actors. The loader shares similarities with tools previously associated with APT41, including DodgeBox, DUSTPAN (StealthVector), and DUSTTRAP.

Advanced Malware Deployment

After execution, the Amaranth Loader contacts an external server to retrieve an encryption key, which is then used to decrypt an encrypted payload from a different URL. This payload is executed directly in memory, demonstrating sophisticated anti-analysis techniques. The final payload deployed is the open-source command-and-control framework Havoc.

Early campaign iterations from March 2025 used ZIP files containing Windows shortcuts (LNK) and batch files to decrypt and execute the Amaranth Loader. A late October 2025 campaign targeting the Philippines Coast Guard followed similar patterns.

Alternative RAT Deployment

In a September 2025 campaign targeting Indonesia, the threat actors distributed a password-protected RAR archive from Dropbox containing a fully functional remote access trojan (RAT) codenamed TGAmaranth RAT. This variant leverages a hard-coded Telegram bot for command and control instead of the standard Amaranth Loader.

The TGAmaranth RAT implements robust anti-debugging and anti-antivirus techniques and supports commands including:

  • /start - sends list of running processes
  • /screenshot - captures and uploads screenshots
  • /shell - executes commands and exfiltrates output
  • /download - downloads specified files
  • /upload - uploads files to the infected machine
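
A bot-driven channel like the one described above has a recognizable shape in egress logs: the infected host both polls the Telegram Bot API for new commands (getUpdates) and pushes data back through upload methods (sendDocument, sendPhoto, sendMessage). The following detector is an added example written for this article, not code from Check Point or from the malware; the proxy log lines, their "time src_ip method host path" layout, the IP addresses and the bot tokens are all constructed. It only relies on the public layout of Telegram Bot API URLs (/bot<id>:<secret>/<method>) and reports the bot id without the secret.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (assumed format: "<ISO time> <src_ip> <method> <host> <path>").
# Host 10.20.5.17 shows the two-way pattern; 10.20.9.3 is a notification-only service
# (sendMessage without polling) and 10.20.7.40 is ordinary web traffic.
SAMPLE_PROXY_LOG = """\
2025-09-10T08:00:01Z 10.20.5.17 GET api.telegram.org /bot7231234567:AAExampleTokenPlaceholder000000000000/getUpdates
2025-09-10T08:00:11Z 10.20.5.17 GET api.telegram.org /bot7231234567:AAExampleTokenPlaceholder000000000000/getUpdates
2025-09-10T08:00:21Z 10.20.5.17 POST api.telegram.org /bot7231234567:AAExampleTokenPlaceholder000000000000/sendDocument
2025-09-10T08:00:31Z 10.20.5.17 POST api.telegram.org /bot7231234567:AAExampleTokenPlaceholder000000000000/sendPhoto
2025-09-10T08:01:02Z 10.20.7.40 GET web.telegram.org /
2025-09-10T08:02:15Z 10.20.9.3 POST api.telegram.org /bot1112223334:AALegitAlertingServicePlaceholder0000/sendMessage
"""

# Bot API paths look like /bot<numeric id>:<secret>/<method>.
BOT_API = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)")

# Methods through which a bot pushes data out of the host. Seeing them together with
# getUpdates polling from the same endpoint is the bidirectional shape of a C2 channel.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendMessage"}


def parse_line(line: str):
    """Split one constructed log line into (timestamp, src_ip, host, path)."""
    ts, src, _method, host, path = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host, path


def find_telegram_c2(log_text: str, min_polls: int = 2) -> dict:
    """Return {src_ip: finding} for hosts that both poll a bot for commands and upload data."""
    per_host = defaultdict(lambda: {"bot_id": None, "methods": set(), "poll_times": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host, path = parse_line(line)
        if host != "api.telegram.org":
            continue
        m = BOT_API.match(path)
        if not m:
            continue
        rec = per_host[src]
        rec["bot_id"] = m["bot_id"]  # keep the numeric id; the secret never enters the finding
        rec["methods"].add(m["method"])
        if m["method"] == "getUpdates":
            rec["poll_times"].append(ts)

    findings = {}
    for src, rec in per_host.items():
        polls = sorted(rec["poll_times"])
        if len(polls) < min_polls or not rec["methods"] & UPLOAD_METHODS:
            continue  # one-way notification bots and single lookups are not flagged
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        findings[src] = {
            "bot_id": rec["bot_id"],
            "methods": sorted(rec["methods"]),
            "polls": len(polls),
            "min_poll_gap_s": min(gaps),
        }
    return findings


if __name__ == "__main__":
    for src, finding in find_telegram_c2(SAMPLE_PROXY_LOG).items():
        print(src, finding)
```

The polling interval is reported because a tight, regular getUpdates cadence from a workstation that has no business running a bot is the cheapest triage signal; the bot id alone is enough to pivot across hosts without copying the token into a ticket.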

Infrastructure Security Measures

All C2 infrastructure is fronted by Cloudflare and configured to accept traffic only from IP addresses within the specific country or countries targeted in each operation. This approach lets the attackers hide behind legitimate, trusted infrastructure while keeping their operations covert.

Connection to APT41 Ecosystem

The Amaranth-Dragon activity shows clear links to the APT41 ecosystem through overlaps in malware arsenal and development practices. Chinese threat actors are known for sharing tools, techniques, and infrastructure across groups.

"The development style, such as creating new threads within export functions to execute malicious code, closely mirrors established APT41 practices," Check Point noted. "Compilation timestamps, campaign timing, and infrastructure management all point to a disciplined, well-resourced team operating in the UTC+8 (China Standard Time) zone."

Broader Context: Mustang Panda's PlugX Diplomacy Campaign

This disclosure comes alongside revelations about another Chinese nation-state group, Mustang Panda, which has been targeting officials involved in diplomacy, elections, and international coordination across multiple regions between December 2025 and mid-January 2026.

Dubbed "PlugX Diplomacy," this campaign relied on impersonation and trust rather than software vulnerabilities. Victims were lured into opening files that appeared to be U.S.-linked diplomatic summaries or policy documents. Opening these files alone was sufficient to trigger compromise through a customized PlugX variant called DOPLUGS.

The attack chains use malicious ZIP attachments centered around official meetings, elections, and international forums. These contain LNK files that trigger PowerShell commands to extract and drop TAR archives containing:

  • A legitimate signed executable vulnerable to DLL search-order hijacking
  • An encrypted file containing the PlugX payload
  • A malicious DLL sideloaded to load PlugX

The legitimate executable displays a decoy PDF document while DOPLUGS is installed in the background, demonstrating the attackers' focus on maintaining stealth and avoiding detection.
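
Both chains in this article end the same way on the endpoint: a legitimate, signed executable running from a user-writable directory loads an unsigned DLL sitting next to it (Amaranth Loader in the RAR campaigns, the DOPLUGS sideloader in the TAR chain), and in the Mustang Panda case that is preceded by an LNK double-click that has explorer.exe spawn PowerShell to extract a TAR archive. The rules below are an added example written for this article, not detection content from Check Point; the events are constructed, Sysmon-style records with assumed field names (EventID 1 for process creation, 7 for image load, and ImageSigned/LoadedSigned as pre-resolved signature booleans), and the host name, user name and file names are invented.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-like events. Assumed fields: EventID (1 = process create, 7 = image
# load), Host, Image, ParentImage, CommandLine, ImageLoaded, ImageSigned, LoadedSigned.
SAMPLE_EVENTS = [
    # LNK double-click: explorer.exe -> powershell.exe extracting a TAR into %TEMP%
    {"EventID": 1, "Host": "ws-07",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell -w hidden -c "tar -xf $env:TEMP\summary.tar -C $env:TEMP\s"'},
    # Benign: a user opening PowerShell from the shell and running a cmdlet
    {"EventID": 1, "Host": "ws-12",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -NoProfile -Command "Get-Date"'},
    # Signed decoy viewer in %TEMP% loading an unsigned DLL from the same folder
    {"EventID": 7, "Host": "ws-07",
     "Image": r"C:\Users\a.lim\AppData\Local\Temp\s\viewer.exe",
     "ImageLoaded": r"C:\Users\a.lim\AppData\Local\Temp\s\version.dll",
     "ImageSigned": True, "LoadedSigned": False},
    # Benign: signed vendor binary under Program Files loading its own signed DLL
    {"EventID": 7, "Host": "ws-12",
     "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "ImageSigned": True, "LoadedSigned": True},
]

# Locations an unprivileged user can write to (assumption: default Windows layout).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def in_user_writable_dir(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def same_directory(a: str, b: str) -> bool:
    # PureWindowsPath compares case-insensitively, as the Windows file system does.
    return PureWindowsPath(a).parent == PureWindowsPath(b).parent


def lnk_powershell_tar_extract(ev: dict):
    """Rule 1: a shell-launched PowerShell whose command line extracts a TAR archive."""
    if ev["EventID"] != 1:
        return None
    parent = PureWindowsPath(ev["ParentImage"]).name.lower()
    image = PureWindowsPath(ev["Image"]).name.lower()
    cmd = ev["CommandLine"].lower()
    if parent == "explorer.exe" and image in ("powershell.exe", "pwsh.exe") \
            and "tar " in cmd and " -x" in cmd:
        return {"rule": "lnk_powershell_tar_extract", "host": ev["Host"],
                "image": ev["Image"], "detail": ev["CommandLine"]}
    return None


def signed_exe_sideloads_unsigned_dll(ev: dict):
    """Rule 2: a signed executable in a user-writable directory loads an unsigned DLL
    from that same directory, the search-order hijack shape used by both campaigns."""
    if ev["EventID"] != 7:
        return None
    exe, dll = ev["Image"], ev["ImageLoaded"]
    if ev["ImageSigned"] and not ev["LoadedSigned"] \
            and in_user_writable_dir(exe) and same_directory(exe, dll):
        return {"rule": "signed_exe_sideloads_unsigned_dll", "host": ev["Host"],
                "image": exe, "detail": dll}
    return None


RULES = (lnk_powershell_tar_extract, signed_exe_sideloads_unsigned_dll)


def detect(events: list) -> list:
    """Run every rule over every event and return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Rule 2 deliberately keys on the executable's location and the DLL's signature rather than on any particular file name, since the article notes the decoy binaries are legitimate and signed; the same rule would fire on a correctly signed vendor tool only if it were copied into a temp folder and paired with an unsigned DLL, which is itself worth a look.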

Implications for Cybersecurity Defense

These campaigns highlight the evolving sophistication of Chinese cyber espionage operations, particularly their ability to:

  • Rapidly weaponize newly disclosed vulnerabilities
  • Maintain operational security through infrastructure segmentation
  • Leverage legitimate services and tools to bypass defenses
  • Time attacks to maximize social engineering effectiveness
  • Share and adapt tools across different threat actor groups

Organizations in government, diplomatic, and policy-oriented sectors should treat malicious LNK distribution methods and DLL search-order hijacking via legitimate executables as persistent, high-priority threats rather than isolated incidents.

The convergence of technical sophistication, geopolitical targeting, and operational discipline demonstrated by groups like Amaranth-Dragon and Mustang Panda represents a significant challenge for cybersecurity defenders across Southeast Asia and beyond.
