Full Report
Key Points / Introduction (excerpt from the source post)

Check Point Research has identified several campaigns targeting multiple countries in the Southeast Asian region. These related activities have been collectively categorized under the codename "Amaranth-Dragon". The campaigns demonstrate a clear focus on government entities across the region, suggesting a motivated threat actor with a strong interest in geopolitical intelligence. The campaigns […]

Source: "Amaranth-Dragon: Weaponizing CVE-2025-8088 for Targeted Espionage in the Southeast Asia", Check Point Research.
Analysis Summary
# Threat Actor: Amaranth-Dragon
## Attribution & Identity
* **Primary Name:** Amaranth-Dragon
* **Known Aliases/Associations:** Assessed to be part of the **APT-41** nexus, a cluster previously aligned with Chinese state interests. The link rests on overlaps in arsenal and tooling: Amaranth Loader shares similarities with APT-41-associated loaders such as DodgeBox, Dustpan, and Dusttrap.
* **Operational Timeline/Timezone:** Operates in **UTC+8 (China Standard Time)**.
## Activity Summary
Amaranth-Dragon ran highly targeted cyber-espionage campaigns throughout 2025, focused on geopolitical intelligence collection. Lure documents and campaign themes were frequently timed to coincide with significant local geopolitical events in the targeted region, and the actor moved quickly to exploit newly disclosed vulnerabilities.
## Tactics, Techniques & Procedures
* **Initial Access/Exploitation:** Rapidly weaponized **CVE-2025-8088**, a path-traversal vulnerability in WinRAR that lets a crafted archive write files outside the directory the user extracts to (for example into a Windows Startup folder), which yields code execution at the next logon. Malicious RAR archives exploiting it were deployed less than ten days after public disclosure; the victim still has to open or extract the archive with a vulnerable WinRAR build.
* **Execution/Persistence:** Used a custom loader, **Amaranth Loader**, to deliver AES-encrypted payloads that are decrypted and executed directly in memory, so the final payload is never written to disk in cleartext.
* **Delivery:** Used legitimate hosting services, specifically **Dropbox**, to host tools or components.
* **C2/Post-Exploitation:** Primarily deployed the **Havoc C2 Framework**.
* **New Tooling:** Deployed a new Telegram-based Remote Access Trojan called **TGAmaranth RAT**, which includes **anti-EDR** and **anti-AV** capabilities.
* **Operational Security:** Command and control servers were fronted by **Cloudflare** and configured to respond *only* to requests from IP addresses in the targeted countries. Scanners, sandboxes and analysts outside the region receive nothing, which hinders both detection and analysis.
* **Likely TTPs (inferred from the deployed frameworks, not directly observed):**
* Ingress Tool Transfer (T1105) - Downloading additional payloads (e.g., Havoc Framework).
* System Information Discovery (T1082).
* Input Capture (T1056) - Potential keystroke logging.
* Exfiltration Over C2 Channel (T1041).
## Targeting
* **Sectors:** Government entities and law enforcement agencies (specifically the police).
* **Geography:** Multiple countries in the **Southeast Asian region**.
* **Victims:** Government and law enforcement agencies.
## Tools & Infrastructure
* **Malware Families/Loaders:** Amaranth Loader (custom), Havoc Framework (C2 agent), TGAmaranth RAT (Telegram-based RAT).
* **Infrastructure (C2):**
* Command and Control protected by **Cloudflare**.
* C2 configured to geo-fence responses, only replying to IPs from specific targeted countries.
* C2 utilized a **Telegram bot** for the TGAmaranth RAT.
* **Delivery/Staging:** Dropbox.
## Implications
Amaranth-Dragon is a highly motivated actor, assessed to be state-sponsored, focused on strategic geopolitical intelligence collection in Southeast Asia. Its ability to weaponize newly disclosed vulnerabilities such as CVE-2025-8088 within days, combined with solid operational security (Cloudflare-fronted and geo-fenced C2, staging on legitimate cloud hosting), makes it a persistent and stealthy threat to regional government and security organizations. Routing RAT traffic through Telegram blends C2 with traffic to a widely used legitimate service and adds a further layer of evasion against network-based detection.
## Mitigations
* Update WinRAR on all endpoints to a build that fixes **CVE-2025-8088** (7.13 or later). WinRAR has no auto-update mechanism, so the update must be pushed and verified through software inventory; where that is not possible, quarantine RAR attachments at the mail gateway and restrict extraction to patched tooling.
* Monitor traffic to legitimate cloud storage services such as Dropbox from hosts with no business need for them, since the actor uses such services to stage payloads; a download from one of these services followed shortly by a new process or in-memory execution activity is a useful correlation.
* Focus detection on indicators associated with the **Havoc C2 Framework** (agent beaconing patterns and default profiles) and on the in-memory loading behaviour of Amaranth Loader, such as unbacked executable memory regions and suspicious memory injection into otherwise benign processes.
* Account for the geo-fenced C2 in analysis workflows: detonating samples or probing the infrastructure from outside the targeted countries returns nothing, so rely on host-based telemetry and, where possible, use in-region egress for dynamic analysis. On the network side, alert on periodic outbound beaconing to Cloudflare-fronted domains that no sanctioned application uses.
* Alert on any process other than the Telegram client that resolves or connects to the Telegram Bot API (api.telegram.org), which a Telegram-bot RAT such as **TGAmaranth RAT** must reach; where Telegram is not a sanctioned application, block it outright.
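The following is an added worked example of the two host-side hunts suggested above, written for this summary and not taken from the Check Point report. It runs two rules over constructed Sysmon-style events (flat key=value records, not real telemetry): one flags an archiver process writing into a Windows Startup folder, the artefact a CVE-2025-8088 path-traversal extraction leaves behind, and the other flags any process outside a hypothetical allowlist that resolves or connects to api.telegram.org, the Bot API endpoint a Telegram-based RAT has to reach. The allowlist, host names and file paths are assumptions to be tuned per environment.

```python
"""Two hunting rules over Sysmon-style telemetry (added example, constructed data)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Both the per-user and the all-users Startup folder end in this path suffix.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Processes that legitimately extract RAR archives.
ARCHIVERS = {"winrar.exe", "unrar.exe", "rar.exe"}
# The Telegram Bot API host a Telegram-bot RAT has to reach.
TELEGRAM_API_HOSTS = {"api.telegram.org"}
# Hypothetical allowlist of images expected to talk to the Bot API; tune per environment.
TELEGRAM_ALLOWED_IMAGES = {"telegram.exe"}

# Constructed sample events (not real telemetry) in a flat key=value|key=value form.
SAMPLE_EVENTS = r"""
EventID=11|Computer=WS-042|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk
EventID=11|Computer=WS-042|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Users\alice\Downloads\report\agenda.pdf
EventID=11|Computer=WS-017|Image=C:\Windows\explorer.exe|TargetFilename=C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk
EventID=22|Computer=WS-042|Image=C:\Users\alice\AppData\Local\Temp\svchost.exe|QueryName=api.telegram.org
EventID=22|Computer=WS-101|Image=C:\Users\carol\AppData\Roaming\Telegram Desktop\Telegram.exe|QueryName=api.telegram.org
EventID=3|Computer=WS-042|Image=C:\Users\alice\AppData\Local\Temp\svchost.exe|DestinationHostname=api.telegram.org|DestinationPort=443
EventID=3|Computer=WS-017|Image=C:\Program Files\Mozilla Firefox\firefox.exe|DestinationHostname=web.telegram.org|DestinationPort=443
"""


@dataclass(frozen=True)
class Finding:
    rule: str
    computer: str
    image: str
    detail: str


def parse_event(line: str) -> dict[str, str]:
    """Split one 'key=value|key=value' record into a dict; malformed parts are skipped."""
    fields: dict[str, str] = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def image_name(ev: dict[str, str]) -> str:
    """Lower-cased basename of the Image field, tolerating either path separator."""
    return ev.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_archiver_startup_write(ev: dict[str, str]) -> Finding | None:
    """Sysmon EventID 11 (FileCreate): an archiver writing into a Startup folder.

    A normal extraction stays under the chosen output directory; a file landing in
    Startup is what a CVE-2025-8088 path-traversal archive produces.
    """
    if ev.get("EventID") != "11":
        return None
    target = ev.get("TargetFilename", "")
    if image_name(ev) in ARCHIVERS and STARTUP_RE.search(target):
        return Finding("archiver_startup_write", ev.get("Computer", "?"), ev.get("Image", "?"), target)
    return None


def rule_unexpected_telegram_api(ev: dict[str, str]) -> Finding | None:
    """Sysmon EventID 22 (DNS query) or 3 (network connect) to the Telegram Bot API
    from a process that is not on the allowlist."""
    eid = ev.get("EventID")
    if eid == "22":
        host = ev.get("QueryName", "")
    elif eid == "3":
        host = ev.get("DestinationHostname", "")
    else:
        return None
    if host.lower() in TELEGRAM_API_HOSTS and image_name(ev) not in TELEGRAM_ALLOWED_IMAGES:
        return Finding("unexpected_telegram_api", ev.get("Computer", "?"), ev.get("Image", "?"), f"EventID {eid} -> {host}")
    return None


RULES = (rule_archiver_startup_write, rule_unexpected_telegram_api)


def hunt(log_text: str) -> list[Finding]:
    """Run every rule over every non-empty record and collect the findings in order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in RULES:
            finding = rule(ev)
            if finding is not None:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.computer} {f.image}: {f.detail}")
```

On the sample data the script reports three findings, all on WS-042: the WinRAR write into alice's Startup folder and the Temp-resident svchost.exe both resolving and connecting to api.telegram.org. The legitimate Telegram Desktop client, a browser reaching web.telegram.org, and explorer.exe creating a Startup shortcut are not flagged. In a real deployment the second rule is only as good as the allowlist, and the first should be paired with an alert on new Startup entries regardless of writer, since a patched WinRAR removes the traversal but not the persistence location.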