
Ethical Hacking News

Amaranth-Dragon: The China-Linked Cyber Menace Targeting Southeast Asian Governments




Amaranth-Dragon, a China-linked cyber threat actor group, has been identified as responsible for a series of highly targeted and stealthy attacks on government and law enforcement agencies across Southeast Asia in 2025. The group is linked to the APT41 ecosystem and exploited a newly disclosed path-traversal flaw in WinRAR for Windows (CVE-2025-8088) to gain unauthorized access to sensitive information. With its sophisticated tactics and infrastructure, Amaranth-Dragon poses a significant challenge for cybersecurity professionals and policymakers in the region, highlighting the need for robust defense-in-depth strategies and timely vulnerability management.

  • Amaranth-Dragon is a sophisticated China-linked cyber threat actor group responsible for highly targeted attacks on government and law enforcement agencies in Southeast Asia in 2025.
  • The group's activities are linked to the APT41 ecosystem, which is known for its sophisticated tactics and infrastructure.
  • Amaranth-Dragon exploited a newly disclosed path-traversal flaw in WinRAR for Windows (CVE-2025-8088) to gain unauthorized access to sensitive information.
  • The attackers used spear-phishing emails carrying cloud-hosted malicious archives to lure victims.
  • The group's tools and tactics, including DLL side-loading and a custom loader, demonstrate its technical proficiency and operational discipline.
  • Amaranth-Dragon poses a significant challenge for cybersecurity professionals and policymakers in Southeast Asia, highlighting the need for robust defense-in-depth strategies and timely vulnerability management.



    Amaranth-Dragon, a sophisticated China-linked cyber threat actor group, has been identified as responsible for a series of highly targeted and stealthy attacks on government and law enforcement agencies across Southeast Asia in 2025. The group's activities are linked to the APT41 ecosystem, a notorious collective of Chinese hackers known for their sophisticated tactics and infrastructure.

    According to a report published by Check Point Research, Amaranth-Dragon carried out extensive cyber-espionage campaigns against multiple countries, including Thailand, Indonesia, Singapore, and the Philippines. The attacks were highly targeted and aimed at long-term espionage rather than disruption, with the group limiting its infrastructure to specific countries to avoid detection.

    The attackers began exploiting a newly disclosed path-traversal flaw in WinRAR for Windows (CVE-2025-8088) in late August 2025, just days after it was publicly disclosed. The flaw can be used to achieve arbitrary code execution, which makes it attractive to threat actors seeking unauthorized access to sensitive information.

    Victims were likely lured via spear-phishing emails carrying cloud-hosted malicious archives; opening them triggered a loader through DLL side-loading, a tactic linked to APT41. The loader then decrypted and ran the Havoc C2 framework entirely in memory, giving the attackers a high degree of control over the compromised systems.

    Earlier campaigns used ZIP files with LNK and BAT scripts, while later ones targeted Indonesia with password-protected RARs delivering a TGAmaranth RAT controlled via a Telegram bot. The RAT supports process listing, screenshots, command execution, and file transfer, making it a formidable tool for espionage and data exfiltration.
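The delivery chain described in the preceding paragraphs (a malicious archive, a path-traversal write, a shortcut or batch launcher, and an executable paired with a DLL for side-loading) can be screened for at the mail gateway or sandbox before anything is extracted. The Python below is an added example, not code from Check Point Research or from this article: it inspects archive member names for traversal out of the extraction directory, absolute paths, NTFS alternate-data-stream style names (`file:stream`), shortcut or script payloads, and an `.exe` sitting beside a `.dll` in the same folder, then extracts only the entries that pass. The sample archive is constructed in memory with names chosen to exercise each check; they are not the campaign's real file names. ZIP is used because the standard library reads it; the same name checks apply to a member listing obtained from a RAR with any RAR reader.

```python
"""Screen archive member names for traversal, ADS names, launcher payloads
and exe/dll side-loading pairs. Added example with a constructed sample."""
import io
import re
import tempfile
import zipfile
from collections import defaultdict
from pathlib import Path, PurePosixPath

# Extensions that run code, or chain to it, when a user double-clicks them.
RISKY_EXT = {".lnk", ".bat", ".cmd", ".vbs", ".js", ".hta", ".scr"}
_DRIVE = re.compile(r"^[A-Za-z]:")


def entry_findings(name: str) -> list[str]:
    """Return the reasons a single archive entry name is suspicious."""
    n = name.replace("\\", "/")              # accept either separator
    parts = n.split("/")
    findings = []
    if ".." in parts:                        # climbs out of the extraction dir
        findings.append("traversal")
    if n.startswith("/") or _DRIVE.match(n):  # C:\... or /...: ignores the target dir
        findings.append("absolute-path")
    if ":" in _DRIVE.sub("", n, count=1):    # file:stream style NTFS alternate data stream
        findings.append("ads-name")
    if PurePosixPath(n).suffix.lower() in RISKY_EXT:
        findings.append("script-or-shortcut")
    return findings


def screen_names(names: list[str]) -> dict[str, list[str]]:
    """Map each suspicious entry to its findings. Also flags every file in a
    directory that holds an .exe beside a .dll, the layout side-loading needs."""
    report: dict[str, list[str]] = {}
    exts_by_dir: dict[str, set[str]] = defaultdict(set)
    for name in names:
        if found := entry_findings(name):
            report[name] = found
        p = PurePosixPath(name.replace("\\", "/"))
        exts_by_dir[str(p.parent)].add(p.suffix.lower())
    for name in names:
        p = PurePosixPath(name.replace("\\", "/"))
        if p.suffix.lower() in {".exe", ".dll"} and {".exe", ".dll"} <= exts_by_dir[str(p.parent)]:
            report.setdefault(name, []).append("exe-dll-pair")
    return report


def screen_archive(data: bytes) -> dict[str, list[str]]:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return screen_names(zf.namelist())


def safe_extract(data: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Extract only entries with no findings whose resolved path stays inside
    dest. Returns (extracted, skipped) entry names in archive order."""
    dest = dest.resolve()
    extracted, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        flagged = screen_names(zf.namelist())
        for info in zf.infolist():
            target = (dest / info.filename.replace("\\", "/")).resolve()
            if info.filename in flagged or not target.is_relative_to(dest):
                skipped.append(info.filename)
                continue
            zf.extract(info, str(dest))
            extracted.append(info.filename)
    return extracted, skipped


# Constructed sample: names chosen to trigger each check, not real indicators.
SAMPLE_NAMES = [
    "report/brief.pdf",          # benign
    "report/../../outside.exe",  # traversal
    "readme.txt:hidden",         # ADS-style name
    "tools/viewer.exe",          # exe + dll in one folder: side-loading layout
    "tools/version.dll",
    "invoice.lnk",               # shortcut launcher
]


def build_sample() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SAMPLE_NAMES:
            zf.writestr(name, b"placeholder content")
    return buf.getvalue()


def extract_sample_to_tempdir() -> tuple[list[str], list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample(), Path(tmp))


if __name__ == "__main__":
    for name, why in screen_archive(build_sample()).items():
        print(f"{name:28s} {', '.join(why)}")
    print("extracted/skipped:", extract_sample_to_tempdir())
```

Only `report/brief.pdf` survives extraction; the other five members are reported with their reason. The `exe-dll-pair` rule is a heuristic and will also match legitimate portable tools, so it is best used to raise the priority of an archive for sandboxing rather than to block outright.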

    Check Point Research found strong links between Amaranth-Dragon and APT41: both groups target government and law enforcement agencies in Southeast Asia and use similar tooling, including DLL side-loading, shared coding patterns, and working hours consistent with UTC+8. This suggests that Amaranth-Dragon is part of the APT41 ecosystem, working under the direction of its parent group.

    The campaigns by Amaranth-Dragon exploiting CVE-2025-8088 highlight the recent trend of sophisticated threat actors rapidly weaponizing newly disclosed vulnerabilities. By leveraging this path-traversal flaw in WinRAR, the group demonstrates its ability to adapt its tactics and infrastructure to maximize impact against highly targeted government and law enforcement organizations across Southeast Asian countries.

    The use of geo-restricted C&C servers, custom loaders, and open-source post-exploitation frameworks, such as Havoc, underscores the group's technical proficiency and operational discipline. These attacks serve as a stark reminder of the importance of timely vulnerability management, user awareness, and robust defense-in-depth strategies in protecting against sophisticated cyber threats.
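The article notes that the later RAT was driven through a Telegram bot and that the group's C&C servers were geo-restricted, which means network telemetry is often the first place the activity is visible. As an added example (not code from the article or from Check Point Research), the Python below runs two cheap detections over proxy logs: contact with the Telegram Bot API host by a process outside an allowlist, and fixed-interval connections to the same destination, the regular cadence a beaconing implant tends to show. The log lines are constructed, and their whitespace layout (`timestamp host user process destination bytes`) is an assumed format rather than any real product's.

```python
"""Flag Bot API use by unexpected processes and fixed-interval beaconing in
proxy logs. Added example over constructed log lines with an assumed layout."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

BOT_API_HOST = "api.telegram.org"
ALLOWED_TELEGRAM_PROCS = {"telegram.exe"}  # assumed allowlist; tune per fleet
MIN_BEACONS = 4                            # connections needed to judge cadence
MAX_JITTER = 0.10                          # stdev/mean of gaps at or below this is "fixed"

# Constructed sample. ws-17 shows a non-allowlisted process polling the Bot
# API every 30 s; ws-05 is an allowlisted client with irregular traffic;
# ws-22 is ordinary browsing.
SAMPLE_LOG = """\
2025-09-01T08:00:00Z ws-17 j.doe update.exe api.telegram.org 412
2025-09-01T08:00:05Z ws-22 a.lee chrome.exe news.example.com 18230
2025-09-01T08:00:30Z ws-17 j.doe update.exe api.telegram.org 398
2025-09-01T08:00:41Z ws-22 a.lee chrome.exe cdn.example.net 90211
2025-09-01T08:01:00Z ws-17 j.doe update.exe api.telegram.org 401
2025-09-01T08:01:30Z ws-17 j.doe update.exe api.telegram.org 7742
2025-09-01T08:02:00Z ws-17 j.doe update.exe api.telegram.org 405
2025-09-01T08:05:00Z ws-05 m.kim telegram.exe api.telegram.org 1200
2025-09-01T08:09:12Z ws-05 m.kim telegram.exe api.telegram.org 3310
2025-09-01T08:30:01Z ws-05 m.kim telegram.exe api.telegram.org 950
"""


def parse(log: str) -> list[dict]:
    """Parse the assumed layout: ts host user process dst_host bytes."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, host, user, proc, dst, nbytes = line.split()
        rows.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "host": host, "user": user,
            "proc": proc.lower(), "dst": dst.lower(), "bytes": int(nbytes),
        })
    return rows


def jitter(times: list[datetime]) -> float:
    """Coefficient of variation of the gaps between consecutive connections;
    0.0 means perfectly regular. Returns inf when there are too few gaps."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return float("inf")
    return pstdev(gaps) / mean(gaps)


def detect(rows: list[dict]) -> dict[tuple, list[str]]:
    """Return {(host, process, destination): [reasons]} for flagged flows."""
    alerts: dict[tuple, list[str]] = {}
    by_flow: dict[tuple, list[datetime]] = defaultdict(list)
    for r in rows:
        key = (r["host"], r["proc"], r["dst"])
        by_flow[key].append(r["ts"])
        if r["dst"] == BOT_API_HOST and r["proc"] not in ALLOWED_TELEGRAM_PROCS:
            reasons = alerts.setdefault(key, [])
            if "bot-api-unexpected-process" not in reasons:
                reasons.append("bot-api-unexpected-process")
    for key, times in by_flow.items():
        if len(times) >= MIN_BEACONS and jitter(times) <= MAX_JITTER:
            alerts.setdefault(key, []).append("fixed-interval-beacon")
    return alerts


if __name__ == "__main__":
    for key, reasons in detect(parse(SAMPLE_LOG)).items():
        print(key, "->", ", ".join(reasons))
```

Only the `ws-17` flow is reported, on both counts. Real implants usually add random sleep jitter, so in production the `MAX_JITTER` threshold is loosened and combined with request-size uniformity or destination rarity; the allowlist check stands on its own and is the cheaper of the two.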

    As the threat landscape continues to evolve, it is essential for governments, law enforcement agencies, and organizations across Southeast Asia to remain vigilant and take proactive measures to mitigate the risks posed by Amaranth-Dragon and other sophisticated threat actors. This includes implementing effective security protocols, conducting regular vulnerability assessments, and investing in advanced threat detection and response capabilities.

    In conclusion, Amaranth-Dragon represents a significant challenge for cybersecurity professionals and policymakers in Southeast Asia, with its sophisticated tactics and infrastructure highlighting the need for robust defense-in-depth strategies and timely vulnerability management.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Amaranth-Dragon-The-China-Linked-Cyber-Menace-Targeting-Southeast-Asian-Governments-ehn.shtml

  • https://securityaffairs.com/187647/apt/china-linked-amaranth-dragon-hackers-target-southeast-asian-governments-in-2025.html

  • https://thehackernews.com/2026/02/china-linked-amaranth-dragon-exploits.html

  • https://attack.mitre.org/groups/G0096/

  • https://www.fbi.gov/wanted/cyber/apt-41-group


  • Published: Thu Feb 5 04:26:55 2026 by llama3.2 3B Q4_K_M