China Linked Amaranth Dragon Exploits WinRAR Vulnerability In Regional Cyber Espionage Operations

Cybersecurity researchers have uncovered a series of highly targeted espionage campaigns linked to Chinese threat actors that focused on government and law enforcement agencies across Southeast Asia throughout 2025, using a recently patched WinRAR vulnerability to deploy advanced malware while maintaining a high degree of operational stealth.

The activity cluster, tracked by Check Point Research under the name Amaranth Dragon, is believed to share technical and operational connections with the well-known APT41 ecosystem. According to investigators, victims were identified in Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines, with many of the attacks carefully timed around politically sensitive moments, government decisions, and regional security developments. By aligning malicious content with real-world events, the attackers increased the likelihood that targets would open infected files. The campaigns were described as narrowly focused and tightly controlled, with infrastructure configured to interact only with victims in specific countries, significantly reducing exposure and improving long-term persistence for intelligence collection.

At the center of the attack chain was exploitation of CVE-2025-8088, a security flaw in RARLAB WinRAR that allowed arbitrary code execution when victims opened specially crafted archive files. Researchers observed the vulnerability being weaponized within days of its public disclosure in August 2025, highlighting the group’s technical readiness. The malicious RAR files were often delivered through highly tailored spear-phishing emails and hosted on trusted cloud platforms such as Dropbox to bypass security filters. Once opened, the archive launched a malicious DLL called Amaranth Loader using DLL side-loading, a technique long associated with Chinese threat actors. The loader contacted an external server to retrieve an encryption key, decrypted a secondary payload in memory, and executed the open-source Havoc command-and-control framework, enabling attackers to maintain remote access and conduct surveillance activities without leaving obvious traces on disk.
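The side-loading step described above, as an added detection sketch that is not from Check Point's report: it correlates a WinRAR file-create of a DLL in a user-writable directory with a later image-load of that same DLL by a different process, over constructed Sysmon-style events (the event ids, paths, file names and user name are invented for the example).

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not real telemetry). Event 11 = FileCreate,
# event 7 = ImageLoad. Paths, file names and the user name are invented.
SAMPLE_EVENTS = [
    # Archive extraction drops a legitimate-looking EXE and a DLL beside it.
    {"ts": "2025-08-20T09:00:01", "id": 11,
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Viewer\viewer.exe"},
    {"ts": "2025-08-20T09:00:01", "id": 11,
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Viewer\support.dll"},
    # The dropped EXE loads the dropped DLL: the side-loading pattern.
    {"ts": "2025-08-20T09:00:05", "id": 7,
     "image": r"C:\Users\alice\AppData\Roaming\Viewer\viewer.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Viewer\support.dll"},
    # Benign control: a DLL that only WinRAR itself ever touches.
    {"ts": "2025-08-20T10:15:00", "id": 11,
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\alice\Downloads\pkg\helper.dll"},
    {"ts": "2025-08-20T10:15:02", "id": 7,
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\alice\Downloads\pkg\helper.dll"},
]

# Cheap heuristic for "user-writable": path contains one of these roots.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

def is_user_writable(path):
    p = path.lower()
    return any(tok in p for tok in USER_WRITABLE)

def find_sideload_candidates(events, window=timedelta(minutes=30)):
    """Return (dll_path, loader_image) pairs: WinRAR wrote a DLL into a
    user-writable directory and a different process loaded it within `window`."""
    drops, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        path = e["target"].lower()
        is_winrar = e["image"].lower().endswith("winrar.exe")
        if e["id"] == 11 and is_winrar and path.endswith(".dll") and is_user_writable(path):
            drops[path] = t                     # remember when the DLL landed
        elif e["id"] == 7 and path in drops and not is_winrar:
            if t - drops[path] <= window:       # loaded soon after it was dropped
                hits.append((e["target"], e["image"]))
    return hits

if __name__ == "__main__":
    for dll, loader in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible DLL side-load: {loader} loaded {dll}")
```

In production the same correlation would run over real Sysmon or EDR telemetry and be tuned against known installers that legitimately unpack DLLs into user profiles.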

Earlier versions of the campaign in March 2025 relied on ZIP files containing Windows shortcut and batch files to launch the loader, while later operations introduced variations tied to regional events, including lures related to the Philippines Coast Guard. In a separate operation targeting Indonesia in September 2025, the attackers shifted tactics by delivering a password-protected RAR archive that installed a custom remote access trojan dubbed TGAmaranth RAT. Unlike the loader-based approach, this malware connected to a hard-coded Telegram bot for command and control and included features such as process monitoring, screenshot capture, command execution, and file transfer. The RAT also incorporated anti-debugging and anti-antivirus measures to hinder detection. Across all operations, the command-and-control infrastructure was protected behind Cloudflare and configured to accept traffic only from IP ranges within the targeted countries, further demonstrating the group’s disciplined operational security.

Researchers pointed to overlapping malware design, development style, and infrastructure management techniques as strong indicators linking Amaranth Dragon to APT41, noting similarities with previously known tools such as DodgeBox, DUSTPAN, and DUSTTRAP. Compilation timestamps and campaign coordination patterns also suggested operations aligned with China Standard Time, reinforcing attribution assessments. At the same time, a separate report from Dream Research Labs detailed another Chinese-linked campaign attributed to Mustang Panda, which targeted diplomatic and policy-focused officials between December 2025 and January 2026 using impersonation-themed lures rather than software vulnerabilities. Victims received ZIP attachments posing as diplomatic documents that triggered a multi-stage infection chain leveraging Windows shortcuts, PowerShell scripts, and DLL search-order hijacking to deploy a customized PlugX variant known as DOPLUGS, while displaying decoy documents to avoid suspicion. Analysts warned that the consistent alignment of attack timing with geopolitical events indicates that such operations are likely to continue, with government and diplomatic entities remaining high-priority targets for sophisticated cyber espionage groups.
