Ethical Hacking News
Amaranth-Dragon: A Sophisticated Chinese Cyber Espionage Campaign Targeting Southeast Asia
Threat actors tracked as Amaranth-Dragon, a China-linked cluster, have breached government and law enforcement agencies across Southeast Asia. The campaign is tied to the APT41 ecosystem and relies on legitimate infrastructure and tailored lures to stay under the radar. Organizations in the region should remain vigilant and implement robust security measures against this type of attack.
The Amaranth-Dragon campaign breached government and law enforcement agencies in Southeast Asia. Its operators are assessed to be affiliates of China's APT41 ecosystem. Targets included Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines. The intrusions exploited a vulnerability in RARLAB WinRAR to gain arbitrary code execution, using a malicious RAR file, an agent of the open-source Havoc command-and-control framework, and a remote access trojan (RAT) codenamed TGAmaranth RAT.
Threat Intelligence / Malware
In a recent report, Check Point Research revealed that the China-linked Amaranth-Dragon cluster has breached government and law enforcement agencies across Southeast Asia. The threat actors behind the campaign are assessed to be affiliates of China's APT41 ecosystem.
Amaranth-Dragon is a previously undocumented activity cluster that Check Point Research has tracked since 2025. It shares numerous similarities with the APT41 hacking crew, leading the researchers to believe it may be part of the same ecosystem. The campaign targeted Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines.
The attacks were timed to coincide with sensitive local political developments, official government decisions, or regional security events. This strategy allowed the attackers to increase the likelihood that their targets would engage with the malicious content. The campaigns were also characterized by a high degree of stealth, with the attack infrastructure configured to interact only with victims in specific target countries.
The most notable aspect of the campaign is its exploitation of CVE-2025-8088, a now-patched path traversal flaw in RARLAB WinRAR: a specially crafted archive can make WinRAR write a file outside the directory the user chose for extraction, for instance into the user's Startup folder, so the planted file runs at the next logon without further interaction. The group distributed a malicious RAR file that exploits the flaw to execute arbitrary code and establish persistence on the compromised machine.
The speed and confidence with which this vulnerability was operationalized underscore the technical maturity and preparedness of the threat actors involved. However, how the malicious archives reached their targets, that is, the exact initial access vector, remains unknown at this stage.
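The flaw described above belongs to a familiar class: an extractor trusts the path inside an archive entry. The check below is an added example (not code from Check Point Research, WinRAR, or the campaign) that models that class for a Windows extraction directory. It does not parse RAR files; it takes entry names as an extractor would see them and rejects the three shapes that let an entry land outside the destination: `..` traversal, absolute paths, and alternate-data-stream (`:`) names, the last being the trick reported in public analyses of this CVE (an assumption of the example, since the page does not describe the exploit internals). The sample entry names are constructed.

```python
"""Archive-entry path checker for the CVE-2025-8088 bug class.

Added example, not code from Check Point Research, WinRAR or the campaign.
Assumes a malicious archive carries entry names that escape the extraction
directory via '..' components, absolute paths or NTFS alternate-data-stream
(':') syntax. Uses ntpath so Windows semantics apply on any host.
"""
import ntpath

# Constructed entry names as an extractor would see them. The first three are
# benign; the last three escape the destination in three different ways.
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/agenda.txt",
    "photos\\coast_guard.jpg",
    "../../../../Users/Public/evil.exe",
    "notes.txt:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\x.lnk",
    "C:\\Windows\\Temp\\drop.dll",
]

DEST = "C:\\Users\\victim\\Downloads\\extract"  # hypothetical extraction dir


def naive_target(entry: str, dest: str = DEST) -> str:
    """What a careless extractor does: join and normalise, no validation.

    ntpath.normpath collapses '..', so a traversal entry resolves to a path
    *outside* dest and the extractor writes there.
    """
    return ntpath.normpath(ntpath.join(dest, entry))


def is_safe_entry(entry: str, dest: str = DEST) -> bool:
    """Hardened check: accept only entries that land strictly inside dest."""
    # Alternate data streams: any ':' past the drive letter is a stream name,
    # and NTFS resolves the stream target independently of the join above.
    drive, rest = ntpath.splitdrive(entry)
    if drive or ":" in rest:
        return False
    # Absolute or rooted names ignore dest entirely.
    if ntpath.isabs(entry) or entry.startswith(("\\", "/")):
        return False
    # Resolve '..' and separators, then require containment in dest.
    dest_norm = ntpath.normcase(ntpath.normpath(dest))
    target = ntpath.normcase(naive_target(entry, dest))
    return target.startswith(dest_norm + "\\")


def triage(entries=SAMPLE_ENTRIES):
    """Map each entry to (safe?, where a naive extractor would write it)."""
    return {e: (is_safe_entry(e), naive_target(e)) for e in entries}


if __name__ == "__main__":
    for entry, (safe, where) in triage().items():
        print("OK  " if safe else "BAD ", entry, "->", where)
```

Run it and the traversal entry resolves to `C:\Users\Public\evil.exe`, well outside the extraction directory, which is exactly the write a patched extractor must refuse. The same containment test applies to any archive format; the ADS rule matters only on NTFS, where a stream name can point the write elsewhere even when the visible path looks contained.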
Researchers also found that the final payload delivered in these attacks is Havoc, an open-source command-and-control (C2) framework whose agent the attackers run on the victim. The loader used in this campaign shares similarities with DodgeBox, DUSTPAN (aka StealthVector), and DUSTTRAP, tools previously attributed to the APT41 hacking crew.
A similar attack sequence was identified in a late October 2025 campaign that used lures related to the Philippine Coast Guard. In another campaign, targeting Indonesia in early September 2025, the threat actors instead distributed a password-protected RAR archive hosted on Dropbox to deliver a fully functional remote access trojan (RAT) codenamed TGAmaranth RAT in place of the Amaranth Loader seen in the other intrusions. TGAmaranth RAT uses a hard-coded Telegram bot as its C2 channel.
TGAmaranth RAT supports a range of commands issued through the bot: /start sends a list of running processes from the infected machine to the bot, /screenshot captures and uploads a screenshot, /shell executes a specified command on the infected machine and exfiltrates its output, download retrieves a specified file from the infected machine, and upload places a file on it.
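A RAT that uses a Telegram bot for C2 has to talk to the Telegram Bot API the way every bot does: poll `getUpdates` for operator commands and push results back with `sendMessage`, `sendDocument` or `sendPhoto`, all under `https://api.telegram.org/bot<token>/<method>`. That gives defenders a hunt. The script below is an added example (not Check Point's tooling or anything from the TGAmaranth sample) that runs that hunt over constructed proxy log lines; the bot tokens in the sample log are made-up placeholders in the real token shape, not real tokens. It assumes the RAT uses the public API endpoint rather than a proxy in front of it.

```python
"""Hunt for Telegram Bot API traffic that behaves like RAT C2.

Added example, not code from the Check Point report or the TGAmaranth
sample. Assumes the RAT reaches Telegram at api.telegram.org/bot<token>/.
The log lines and bot tokens below are constructed placeholders.
"""
import re
from collections import defaultdict

# Constructed proxy log: timestamp, source host, verb, URL, user agent.
SAMPLE_LOG = """\
2025-09-03T02:11:05Z ws-0142 GET https://api.telegram.org/bot1234567890:AAF3xQ9mVbNc7KpL2sDfGhJkLmNpQrStUvW/getUpdates?offset=17 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-09-03T02:11:07Z ws-0142 POST https://api.telegram.org/bot1234567890:AAF3xQ9mVbNc7KpL2sDfGhJkLmNpQrStUvW/sendDocument Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-09-03T02:11:09Z ws-0142 POST https://api.telegram.org/bot1234567890:AAF3xQ9mVbNc7KpL2sDfGhJkLmNpQrStUvW/sendPhoto Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-09-03T02:12:40Z ws-0077 GET https://web.telegram.org/a/ Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/128.0
2025-09-03T02:13:02Z ws-0142 GET https://api.telegram.org/bot1234567890:AAF3xQ9mVbNc7KpL2sDfGhJkLmNpQrStUvW/getUpdates?offset=18 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-09-03T02:15:00Z ws-0203 GET https://api.telegram.org/bot9876543210:BBG4yR0nWcOd8LqM3tEgHiKlMoPqRsTuVxY/getMe python-requests/2.32.3
"""

# Bot token shape: numeric bot id, ':', then a 35-character secret.
TOKEN_RE = re.compile(r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]{35})/(\w+)")

# What a bot-driven RAT needs: poll for commands, push results and files.
POLL = {"getUpdates"}
EXFIL = {"sendDocument", "sendPhoto", "sendMessage"}


def parse_line(line):
    """Split one constructed log line into (ts, host, verb, url, ua)."""
    ts, host, verb, url, ua = line.split(" ", 4)
    return ts, host, verb, url, ua


def find_bot_c2(log_text=SAMPLE_LOG, min_polls=2):
    """Return {host: {tokens, polls, exfil}} for hosts that poll AND exfil.

    A single getUpdates is not evidence (legitimate integrations poll too),
    so a host is flagged only when it polls repeatedly and also uploads
    data through the Bot API. The token is the indicator to pivot on: it is
    hard-coded in the implant, so every victim of that build shares it.
    """
    per_host = defaultdict(lambda: {"tokens": set(), "polls": 0, "exfil": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, host, _, url, _ = parse_line(line)
        m = TOKEN_RE.search(url)
        if not m:
            continue
        token, method = m.group(1), m.group(2)
        rec = per_host[host]
        rec["tokens"].add(token)
        if method in POLL:
            rec["polls"] += 1
        elif method in EXFIL:
            rec["exfil"].add(method)
    return {
        host: {
            "tokens": sorted(rec["tokens"]),
            "polls": rec["polls"],
            "exfil": sorted(rec["exfil"]),
        }
        for host, rec in per_host.items()
        if rec["polls"] >= min_polls and rec["exfil"]
    }


if __name__ == "__main__":
    for host, rec in find_bot_c2().items():
        print(host, rec)
```

On the sample log only `ws-0142` is flagged: it polls twice and uploads a document and a photo through one token, while the browser session to web.telegram.org and the one-off `getMe` are ignored. Because the Bot API is HTTPS, the URL is visible only behind a TLS-inspecting proxy; without one, fall back to DNS or SNI for `api.telegram.org` from hosts that have no business reason to reach it.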
The C2 infrastructure sits behind Cloudflare and is configured to accept traffic only from IP addresses within the target countries, so scanners, sandboxes, and analysts connecting from elsewhere receive nothing useful; reproducing the C2 behaviour requires egress from inside a targeted country. The activity exemplifies how sophisticated threat actors weaponize legitimate, trusted infrastructure to execute targeted attacks while remaining operationally clandestine.
Researchers note that Amaranth-Dragon's links to APT41 stem from overlaps in malware arsenal, suggesting a connection or shared resources between the two clusters. Chinese threat actors are known to share tools, techniques, and infrastructure, which is why tooling overlap alone does not establish a single operator.
The development style of Amaranth-Dragon's malware closely mirrors established APT41 practices, including creating new threads within exported functions to execute the malicious code. Compilation timestamps, campaign timing, and infrastructure management all point to a disciplined, well-resourced team operating in the UTC+8 (China Standard Time) zone; compile timestamps on their own can be forged, but here they agree with the other two indicators.
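The timestamp argument above works by reading each sample's PE `TimeDateStamp`, converting it to the candidate zone, and checking whether the builds cluster into a working day. The script below is an added example (not Check Point's tooling) that carries out that analysis end to end. It builds minimal constructed PE headers with chosen timestamps instead of reading real Amaranth-Dragon samples, and assumes nothing beyond the PE/COFF layout: `e_lfanew` at offset 0x3C, then the `PE\0\0` signature and the COFF file header, whose `TimeDateStamp` is a 32-bit Unix time at offset 8 after the signature. The working-day window (09:00 to 18:00) is an assumption of the example.

```python
"""Compile-time clustering of the kind behind the UTC+8 attribution.

Added example, not Check Point's tooling. Builds minimal constructed PE
headers rather than reading real samples; assumes only the PE/COFF layout.
"""
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

CST = timezone(timedelta(hours=8))  # UTC+8, China Standard Time
UTC = timezone.utc


def build_min_pe(timestamp: int) -> bytes:
    """Constructed stand-in for a sample: just enough header to parse."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 0, timestamp, 0, 0, 0, 0x2022)
    return dos + b"\x00" * (e_lfanew - len(dos)) + b"PE\x00\x00" + coff


def pe_timestamp(data: bytes) -> int:
    """Read TimeDateStamp from a PE image, raising on a malformed header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    # Signature (4) + Machine (2) + NumberOfSections (2) precede the stamp.
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return ts


def local_hours(timestamps, tz=CST):
    """Hour of day of each Unix timestamp in the candidate zone."""
    return [datetime.fromtimestamp(t, tz).hour for t in timestamps]


def working_hours_share(timestamps, tz=CST, start=9, end=18):
    """Fraction of builds inside a start..end working day in tz.

    A forged TimeDateStamp defeats this, so the figure supports an
    attribution only when campaign timing and infrastructure data agree.
    """
    hours = local_hours(timestamps, tz)
    inside = sum(1 for h in hours if start <= h < end)
    return inside / len(hours) if hours else 0.0


# Constructed build times (not real sample data): three inside a UTC+8
# working day and one at 03:00 UTC+8 as an outlier.
SAMPLE_BUILDS = [
    datetime(2025, 9, 2, 10, 30, tzinfo=CST),
    datetime(2025, 9, 4, 15, 5, tzinfo=CST),
    datetime(2025, 10, 21, 9, 40, tzinfo=CST),
    datetime(2025, 10, 23, 3, 0, tzinfo=CST),
]
SAMPLE_PES = [build_min_pe(int(d.timestamp())) for d in SAMPLE_BUILDS]


def analyse(images=SAMPLE_PES, tz=CST):
    """Return (hour histogram in tz, working-hours share) for a sample set."""
    stamps = [pe_timestamp(img) for img in images]
    return Counter(local_hours(stamps, tz)), working_hours_share(stamps, tz)


if __name__ == "__main__":
    for name, tz in (("UTC", UTC), ("UTC+8", CST)):
        hist, share = analyse(tz=tz)
        print(name, dict(sorted(hist.items())), f"working-hours share={share:.2f}")
```

Running it for both zones shows the point of the method: the same four stamps give a 0.75 working-hours share in UTC+8 but cluster in the small hours in UTC. With real samples you would feed dozens of images, compare several candidate zones, and treat a narrow daytime cluster as one signal among others, never as proof on its own.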
Taken together, these technical and operational overlaps strongly suggest that Amaranth-Dragon is closely linked to, or part of, the APT41 ecosystem, continuing established patterns of targeting and tool development in the region.
In conclusion, the recent discovery of the Amaranth-Dragon campaign highlights the sophisticated tactics employed by Chinese threat actors in their cyber espionage efforts. The use of legitimate infrastructure and tailored lures has allowed them to maintain a high degree of stealth and increase the likelihood that their targets would engage with the malicious content.
As geopolitical developments unfold, entities operating in diplomatic, governmental, and policy-oriented sectors should regard malicious LNK distribution methods and DLL search-order hijacking via legitimate executables as persistent, high-priority threats rather than isolated or fleeting tactics.
It is essential for organizations to remain vigilant and implement robust security measures against this type of attack. Keeping software current is the first step here: WinRAR has no automatic update mechanism, so the fix for CVE-2025-8088 (WinRAR 7.13 and later) reaches a machine only when someone installs it, and an inventory of installed WinRAR versions is a quick, concrete check. Strict access controls and regular security audits further reduce the chance of successful exploitation.
Furthermore, it is crucial for governments and law enforcement agencies to work together to share intelligence and best practices in combating these types of threats. By doing so, they can better equip themselves to respond to and mitigate the impact of these sophisticated cyber espionage campaigns.
Related Information:
https://www.ethicalhackingnews.com/articles/Amaranth-Dragon-A-Sophisticated-Chinese-Cyber-Espionage-Campaign-Targeting-Southeast-Asia-ehn.shtml
https://thehackernews.com/2026/02/china-linked-amaranth-dragon-exploits.html
https://www.bleepingcomputer.com/news/security/new-amaranth-dragon-cyberespionage-group-exploits-winrar-flaw/
https://nvd.nist.gov/vuln/detail/CVE-2025-8088
https://www.cvedetails.com/cve/CVE-2025-8088/
https://attack.mitre.org/groups/G0096/
https://www.fbi.gov/wanted/cyber/apt-41-group
Published: Wed Feb 4 09:17:43 2026 by llama3.2 3B Q4_K_M