Full Report
Threat actors affiliated with China have been attributed to a fresh set of cyber espionage campaigns targeting government and law enforcement agencies across Southeast Asia throughout 2025. Check Point Research is tracking the previously undocumented activity cluster under the moniker Amaranth-Dragon, which it said shares links to the APT 41 ecosystem. Targeted countries include Cambodia,
Analysis Summary
# Threat Actor: Amaranth-Dragon
## Attribution & Identity
* **Primary Attribution:** Threat actors affiliated with China.
* **Tracking Moniker:** Amaranth-Dragon (Previously undocumented cluster tracked by Check Point Research).
* **Associated Groups:** Shares links to the APT 41 ecosystem.
## Activity Summary
* **Recent Campaigns:** Fresh set of cyber espionage campaigns conducted throughout 2025.
* **Timing:** Campaigns were frequently timed to coincide with sensitive local political developments, official government decisions, or regional security events in Southeast Asia.
* **Scope:** Attacks were "narrowly focused" and "tightly scoped," aimed at establishing long-term persistence for geopolitical intelligence collection.
## Tactics, Techniques & Procedures
* **Initial Access/Delivery:** Abuse of **CVE-2025-8088** (WinRAR arbitrary code execution vulnerability) via specially crafted archives. Exploitation was observed approximately eight days after public disclosure in August 2025.
* **Lures:** Use of tailored lures related to political, economic, or military developments, suggesting spear-phishing emails distributing archives hosted on cloud platforms (e.g., Dropbox).
* **Persistence/Execution (Primary Chain):** DLL side-loading using a malicious DLL named **Amaranth Loader**.
* **Persistence/Execution (March 2025):** Use of ZIP files containing Windows shortcuts (LNK) and batch (BAT) files to initiate execution and DLL side-loading.
* **Payload Delivery:** The loader contacts an external server for an encryption key to decrypt a payload retrieved from a different URL and execute it directly in memory.
* **Final Payload:** Deployment of the open-source C2 framework **Havoc**.
* **Alternative Execution (Sept 2025):** Use of password-protected RAR archives from Dropbox to deliver **TGAmaranth RAT** directly, bypassing Amaranth Loader.
* **Defense Evasion:** Implementing anti-debugging and anti-antivirus techniques.
* **General TTPs:** DLL side-loading is noted as a long-preferred tactic among Chinese threat actors, and the tooling shares similarities with tools used by APT41 (e.g., DodgeBox, DUSTPAN/StealthVector, DUSTTRAP).
## Targeting
* **Sectors:** Government and Law Enforcement agencies.
* **Geography:** Southeast Asia.
* **Countries:** Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines.
* **Victims:** Specific mention of campaigns involving lures related to the Philippines Coast Guard (October 2025).
## Tools & Infrastructure
* **Malware Families Used:**
  * Amaranth Loader (DLL used for side-loading).
  * TGAmaranth RAT (used in some campaigns; C2 over a hard-coded Telegram bot).
  * Havoc (open-source C2 framework used as the final payload in some chains).
* **Infrastructure:**
  * Well-known cloud platforms such as Dropbox used to host malicious archives during initial distribution.
  * Attack infrastructure configured for highly controlled access, designed to interact only with victims in specific target countries to minimize exposure.
  * TGAmaranth RAT uses a hard-coded **Telegram bot** for C2 communication.
## Implications
Amaranth-Dragon represents a technically mature and well-prepared Chinese state-sponsored entity focused intensely on long-term geopolitical intelligence gathering within Southeast Asia. Its rapid adoption of a recently disclosed zero-day vulnerability (CVE-2025-8088) highlights its operational efficiency. The high degree of stealth and the geography-restricted infrastructure suggest a determined effort to maintain a sleeper presence without broad detection.
## Mitigations
* **Patch Management:** Immediate patching of the exploited vulnerability, **CVE-2025-8088**, on affected WinRAR installations.
* **Email Security:** Enhanced scrutiny of spear-phishing attempts, especially those involving archives (RAR, ZIP) delivered via cloud storage links (Dropbox) containing lures related to regional politics or security.
* **Behavioral Monitoring:** Monitor for evidence of DLL Side-Loading (Amaranth Loader) and execution chains involving custom loaders retrieving secondary payloads in memory.
* **Network Monitoring:** Monitor for outbound traffic communicating with Havoc C2 frameworks or activity involving suspected Telegram bot communications associated with RAT command execution.
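The behavioral and network mitigations above, together with the execution chain in the TTP section (LNK/BAT from an archive, a signed binary side-loading an unsigned DLL from the same user-writable folder, and a hard-coded Telegram bot for C2), can be expressed as simple endpoint detection rules. The following is an added example, not Check Point's detection content; it assumes Sysmon-style telemetry flattened into dicts with the constructed field names shown, and the sample events are constructed for illustration.

```python
"""Heuristic detections for the Amaranth-Dragon chain summarised above.

Added example (not Check Point's detection content). Assumes Sysmon-style
telemetry flattened into dicts with the constructed field names: type, host,
image, parent_image, cmdline, dll, image_signed, dll_signed, dest_host.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Locations a standard user can write to. A signed executable that loads an
# unsigned DLL sitting beside it in one of these is the side-loading footprint.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")
# Processes for which a connection to the Telegram Bot API is expected (tune locally).
TELEGRAM_ALLOWED = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe"}
# Parents seen when a user double-clicks an extracted LNK or runs from WinRAR.
ARCHIVE_OR_SHELL_PARENTS = {"explorer.exe", "winrar.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(m in p for m in USER_WRITABLE_MARKERS)


def rule_dll_sideload(ev: dict) -> Finding | None:
    """Signed host binary loads an unsigned DLL from its own user-writable directory."""
    if ev["type"] != "ImageLoad":
        return None
    image, dll = ev["image"], ev["dll"]
    if (ev.get("image_signed") and not ev.get("dll_signed")
            and in_user_writable(image)
            and ntpath.dirname(image.lower()) == ntpath.dirname(dll.lower())):
        return Finding("dll_sideload", ev["host"], f"{image} loaded {dll}")
    return None


def rule_telegram_bot_c2(ev: dict) -> Finding | None:
    """Outbound connection to api.telegram.org from a process with no business reason to use it."""
    if ev["type"] != "NetworkConnect" or ev.get("dest_host", "").lower() != "api.telegram.org":
        return None
    if base(ev["image"]) in TELEGRAM_ALLOWED:
        return None
    return Finding("telegram_api_from_unexpected_process", ev["host"], ev["image"])


def rule_archive_script_chain(ev: dict) -> Finding | None:
    """Script host spawned from Explorer/WinRAR to run a .bat or .lnk in a user-writable path
    (the LNK -> BAT -> side-load chain described for March 2025)."""
    if ev["type"] != "ProcessCreate" or base(ev["image"]) not in SCRIPT_HOSTS:
        return None
    if base(ev.get("parent_image", "")) not in ARCHIVE_OR_SHELL_PARENTS:
        return None
    cmd = ev.get("cmdline", "").lower()
    if (".bat" in cmd or ".lnk" in cmd) and in_user_writable(cmd):
        return Finding("archive_script_chain", ev["host"], ev["cmdline"])
    return None


RULES = (rule_dll_sideload, rule_telegram_bot_c2, rule_archive_script_chain)


def run_rules(events: list[dict]) -> list[Finding]:
    """Apply every rule to every event; return the findings in event order."""
    return [f for ev in events for r in RULES if (f := r(ev)) is not None]


# Constructed sample telemetry: three malicious events interleaved with three benign ones.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "host": "ws-01", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\brief\run.bat"'},
    {"type": "ProcessCreate", "host": "ws-01", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
    {"type": "ImageLoad", "host": "ws-01", "image": r"C:\Users\alice\Downloads\brief\update.exe",
     "image_signed": True, "dll": r"C:\Users\alice\Downloads\brief\version.dll", "dll_signed": False},
    {"type": "ImageLoad", "host": "ws-01", "image": r"C:\Program Files\Vendor\app.exe",
     "image_signed": True, "dll": r"C:\Program Files\Vendor\plugin.dll", "dll_signed": False},
    {"type": "NetworkConnect", "host": "ws-01", "image": r"C:\Users\alice\Downloads\brief\update.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "NetworkConnect", "host": "ws-01", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Each rule is deliberately narrow: the side-loading rule keys on the signed-host/unsigned-DLL/same-user-writable-directory combination rather than on the Amaranth Loader file name, so it survives a rename, and the Telegram and script-chain rules need a local allowlist of processes and parents before they are useful as alerts rather than as hunting queries.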