Security researchers at Check Point Research have attributed a series of cyber espionage campaigns targeting Southeast Asian governments to a previously undocumented threat cluster called Amaranth-Dragon. The group shares significant links with the APT41 ecosystem and has been exploiting a WinRAR vulnerability (CVE-2025-8088) since shortly after its public disclosure.
Campaign overview
| Attribute | Details |
|---|---|
| Threat actor | Amaranth-Dragon |
| Attribution | China-linked (APT41 ecosystem) |
| Activity period | Throughout 2025, ongoing into 2026 |
| Primary targets | Government, law enforcement |
| Target regions | Cambodia, Thailand, Laos, Indonesia, Singapore, Philippines |
| Exploit used | CVE-2025-8088 (WinRAR path traversal) |
| Payload | Havoc Framework |
| Discovery | Check Point Research |
Targeted countries
| Country | Sectors targeted |
|---|---|
| Cambodia | Government |
| Thailand | Government, law enforcement |
| Laos | Government |
| Indonesia | Government |
| Singapore | Government |
| Philippines | Government, law enforcement |
CVE-2025-8088: WinRAR path traversal
The attackers weaponized a WinRAR vulnerability disclosed in August 2025:
| Attribute | Value |
|---|---|
| CVE | CVE-2025-8088 |
| Disclosure date | August 8, 2025 |
| Type | Path traversal (traversal sequences carried in alternate data stream names inside the archive) |
| Impact | Arbitrary file write outside the chosen extraction directory, leading to code execution |
| Platform | Windows |
| Exploitation method | Malicious RAR file writes an executable or DLL into the user's Startup folder when the archive is extracted |
Exploitation timeline
| Date | Event |
|---|---|
| August 8, 2025 | CVE-2025-8088 publicly disclosed |
| August 14, 2025 | Public exploit tool released on GitHub |
| August 18, 2025 | Amaranth-Dragon first observed using the exploit |
The attackers weaponized the vulnerability within 10 days of its disclosure and just 4 days after a public exploit tool became available.
How the exploit works
| Step | Action |
|---|---|
| 1 | Victim receives malicious RAR archive |
| 2 | Archive crafted with path traversal payload |
| 3 | Upon extraction, a file is written to the user's Startup folder instead of the extraction directory |
| 4 | The dropped file runs automatically at the next logon, when explorer.exe launches Startup items |
| 5 | DLL sideloading initiates infection chain |
By dropping files into the Startup folder, attackers achieve indirect code execution without requiring the victim to explicitly run a malicious executable: the victim only extracts what looks like an ordinary document archive, and the payload starts on its own at the next sign-in.
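The defensive counterpart of steps 2 and 3 is a pre-extraction check that refuses any entry whose on-disk target would fall outside the chosen output directory. The following is an added example (not Check Point's or WinRAR's code) of such a check over stored entry names. The extraction directory, the entry names and the Startup-folder path are constructed for illustration; the ':' rule models the alternate data stream syntax that CVE-2025-8088 abused, and the function also generalises to absolute, drive-relative and UNC names, which an extractor must refuse for the same reason.

```python
"""Pre-extraction path check for archive entry names (added example).

An archive entry is only extracted if the path it resolves to stays inside
the user-chosen output directory. Everything here is a model: DEST and the
sample entry names are invented for illustration.
"""
from pathlib import PureWindowsPath
from typing import Optional

# Hypothetical extraction directory chosen by the user.
DEST = PureWindowsPath(r"C:\Users\alice\Downloads\report")


def safe_target(name: str, dest: PureWindowsPath = DEST) -> Optional[PureWindowsPath]:
    """Return the path `name` would be written to, or None if it must be refused.

    Refused: empty names, names containing ':' (NTFS alternate data stream
    syntax, the vector CVE-2025-8088 used to redirect the write target, and
    also drive letters), absolute / drive-relative / UNC names, and any '..'
    that would climb above `dest`.
    """
    if not name:
        return None
    raw = name.replace("/", "\\")          # WinRAR treats both separators alike on Windows
    if ":" in raw:
        return None                        # "file.txt:stream" or "C:\..." has no place in an entry name
    p = PureWindowsPath(raw)
    if p.drive or p.root:
        return None                        # "\Windows\x.dll" or "\\server\share\x"
    out = list(dest.parts)
    for part in p.parts:
        if part in ("", "."):
            continue
        if part == "..":
            if len(out) <= len(dest.parts):
                return None                # would leave the extraction directory
            out.pop()
        else:
            out.append(part)
    target = PureWindowsPath(*out)
    # Defence in depth: the rebuilt path must still be dest itself or below it.
    return target if target == dest or dest in target.parents else None


def refused_entries(names, dest: PureWindowsPath = DEST) -> list:
    """Return the entry names that would be rejected before extraction."""
    return [n for n in names if safe_target(n, dest) is None]


# Constructed entry names mimicking a lure archive: one legitimate document
# plus traversal attempts aimed at the per-user Startup folder.
SAMPLE_ENTRIES = [
    "docs\\agenda.pdf",
    "docs/../agenda.pdf",
    "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "agenda.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\x.exe",
    "C:\\Windows\\version.dll",
    "\\Windows\\version.dll",
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(f"{'REFUSE' if safe_target(entry) is None else 'ok    '} {entry}")
```

The check works on the stored names only, so it costs nothing per entry and can be applied by any tool that unpacks archives on behalf of users (mail gateways, sandboxes, file-transfer portals) regardless of the archive format.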
Attack methodology
Social engineering lures
Amaranth-Dragon crafted highly targeted lures timed to coincide with significant local events:
| Lure type | Purpose |
|---|---|
| Political developments | Exploit current events for credibility |
| Government decisions | Target officials following specific announcements |
| Regional security events | Appeal to defense and security personnel |
“Many of the campaigns were timed to coincide with sensitive local political developments, official government decisions, or regional security events,” increasing the likelihood that targets would engage with the content.
Operational discipline
| Pattern | Implementation |
|---|---|
| Narrow targeting | One or two countries per operation |
| Custom lures | Localized content for each target |
| No mass distribution | Individual targeting over spray-and-pray |
| Event timing | Campaigns aligned with news cycles |
Technical analysis
Amaranth Loader
The primary tool, dubbed Amaranth Loader, is a malicious DLL delivered via DLL sideloading:
| Characteristic | Details |
|---|---|
| Delivery | DLL sideloading |
| Encryption | AES-encrypted payload |
| Execution | In-memory decryption and execution |
| Final payload | Havoc Framework implant |
Similarities to APT41 tooling
Check Point identified significant overlaps with established APT41 tools:
| Tool | Connection |
|---|---|
| DodgeBox | Similar loading techniques |
| DUSTPAN (StealthVector) | Code structure similarities |
| DUSTTRAP | Development patterns |
Development patterns
| Evidence | Implication |
|---|---|
| Thread creation in export functions | Matches APT41 coding style |
| Compilation timestamps | UTC+8 timezone (China Standard Time) |
| Campaign timing | Consistent with working hours in CST |
| Infrastructure management | Professional, disciplined approach |
Check Point noted: “The development style, such as creating new threads within export functions to execute malicious code, closely mirrors established APT41 practices.”
Havoc Framework
The final payload is the Havoc Framework, an open-source command-and-control platform:
| Attribute | Details |
|---|---|
| Type | Open-source C2 framework |
| Language | Go (teamserver), C++/Qt (operator client), C (Demon agent) |
| Capabilities | Full remote access |
| Origin | Built for red team operations, with evasion features designed for that use |
Havoc capabilities
| Capability | Description |
|---|---|
| Command execution | Run arbitrary commands |
| File operations | Upload, download, modify files |
| Process management | List, spawn, terminate processes |
| Credential access | Dump credentials |
| Lateral movement | Pivot to other systems |
| Persistence | Maintain access |
Using an open-source framework gives attackers a degree of deniability: the same tool is used by legitimate penetration testers and by other threat actors, so the implant on its own does not point to a specific group.
APT41 connection
Amaranth-Dragon’s links to APT41 stem from multiple factors:
| Evidence type | Details |
|---|---|
| Malware arsenal | Overlapping tools and techniques |
| Development style | Consistent coding patterns |
| Infrastructure management | Similar operational practices |
| Targeting | Aligned with Chinese strategic interests |
APT41 background
| Attribute | Details |
|---|---|
| Also known as | Winnti, Wicked Panda, BARIUM, Double Dragon |
| Attribution | Chinese state-sponsored + financially motivated |
| Active since | At least 2012 |
| Dual mission | Espionage and cybercrime |
APT41 is notable for conducting both state-sponsored espionage and financially motivated cybercrime—sometimes simultaneously. The group has targeted healthcare, telecom, technology, gaming, and government sectors globally.
Shared resources
Check Point noted: “It’s worth noting that Chinese threat actors are known for sharing tools, techniques, and infrastructure.” This sharing makes attribution challenging but also reveals connections between seemingly distinct operations.
Indicators of compromise
Network indicators
Amaranth-Dragon infrastructure details are available in Check Point’s technical report. Organizations in targeted regions should review the full IOC list.
Behavioral indicators
- RAR files extracting executables to Startup folder
- DLL sideloading from user directories
- Havoc Framework C2 communication patterns
- AES-encrypted payloads in memory
Detection opportunities
| Indicator | Detection method |
|---|---|
| Path traversal in RAR extraction | File-creation telemetry (e.g. Sysmon Event ID 11) showing WinRAR.exe writing outside the chosen extraction directory |
| Startup folder modifications | File-creation events and file integrity monitoring on per-user and all-users Startup folders |
| DLL sideloading | Image-load telemetry (e.g. Sysmon Event ID 7): unsigned DLL loaded from a user-writable directory by a binary in the same directory |
| Havoc C2 traffic | Network detection signatures |
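The first three rows can be expressed as a small rule set over endpoint telemetry. The following is an added example (not Check Point's detection content) that runs those rules over constructed Sysmon-style events: EventID 11 (FileCreate) for the Startup-folder write, EventID 1 (ProcessCreate) for the logon-time launch, and EventID 7 (ImageLoaded) for the sideloaded DLL. The sample events, user name, file names and the list of archiver binaries are invented for illustration.

```python
"""Behavioural rules for the Startup-folder drop and DLL sideload, run over
constructed Sysmon-style JSON events (added example). Field names follow
Sysmon's schema; the events and the ARCHIVERS set are assumptions made for
the demonstration.
"""
import json
from pathlib import PureWindowsPath

STARTUP_MARK = "\\microsoft\\windows\\start menu\\programs\\startup\\"
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
ARCHIVERS = {"winrar.exe", "unrar.exe", "7z.exe", "7zg.exe"}   # assumed set
DROPPER_EXT = (".exe", ".dll", ".lnk", ".bat", ".cmd", ".vbs", ".js", ".hta")


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def classify(ev: dict) -> list:
    """Return the rule names that fire for one event (empty list if none)."""
    tags = []
    eid = ev.get("EventID")
    if eid == 11:                                   # FileCreate
        target = ev["TargetFilename"].lower()
        if STARTUP_MARK in target:
            if _name(ev["Image"]) in ARCHIVERS:
                tags.append("archiver-wrote-startup-folder")   # the CVE-2025-8088 write itself
            elif target.endswith(DROPPER_EXT):
                tags.append("executable-dropped-in-startup-folder")
    elif eid == 1:                                  # ProcessCreate
        if (STARTUP_MARK in ev["Image"].lower()
                and _name(ev.get("ParentImage", "")) == "explorer.exe"):
            tags.append("startup-folder-item-launched")
    elif eid == 7:                                  # ImageLoaded
        loaded = ev["ImageLoaded"].lower()
        if (loaded.endswith(".dll")
                and loaded.startswith(USER_WRITABLE)
                and _dir(loaded) == _dir(ev["Image"])       # DLL sits beside the executable
                and ev.get("Signed", "false").lower() == "false"):
            tags.append("possible-dll-sideload")
    return tags


def detect(lines) -> list:
    """Run classify() over JSON lines; return (line number, tags) for hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        tags = classify(json.loads(line))
        if tags:
            hits.append((n, tags))
    return hits


_STARTUP = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
_WINRAR = "C:\\Program Files\\WinRAR\\WinRAR.exe"

# Constructed events: extraction drops an EXE and a DLL into Startup (1, 2),
# a benign extraction (3), the logon-time launch (4), the sideload (5) and a
# normal system DLL load that must not fire (6).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": _WINRAR, "TargetFilename": _STARTUP + "agenda.exe"},
    {"EventID": 11, "Image": _WINRAR, "TargetFilename": _STARTUP + "version.dll"},
    {"EventID": 11, "Image": _WINRAR, "TargetFilename": "C:\\Users\\alice\\Downloads\\report\\agenda.pdf"},
    {"EventID": 1, "Image": _STARTUP + "agenda.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 7, "Image": _STARTUP + "agenda.exe", "ImageLoaded": _STARTUP + "version.dll", "Signed": "false"},
    {"EventID": 7, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for n, tags in detect(SAMPLE_LINES):
        print(n, ", ".join(tags))
```

The first rule is the highest-confidence one: an archiver process has no business creating files under a Startup folder, so it can be alerted on directly, while the sideload rule is a heuristic that benefits from an allowlist of known-good applications that legitimately run from user directories.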
Recommendations
For organizations in targeted regions
| Priority | Action |
|---|---|
| Critical | Update WinRAR to 7.13 or later, the release that fixed CVE-2025-8088 |
| Critical | Monitor for CVE-2025-8088 exploitation attempts |
| High | Review Startup folder for unexpected executables |
| High | Deploy detection for Amaranth Loader and Havoc |
| High | Brief staff on current social engineering themes |
| Medium | Coordinate with national CERTs on threat intelligence |
For all organizations
| Priority | Action |
|---|---|
| High | Ensure WinRAR 7.13 or later is installed across all endpoints, including copies bundled with other software |
| High | Consider application control for archive extraction |
| Medium | Monitor for DLL sideloading techniques |
| Ongoing | Track Chinese APT activity relevant to your sector |
Patch verification
| WinRAR version | Status |
|---|---|
| 7.12 and earlier | Vulnerable to CVE-2025-8088 |
| 7.13 and later | Patched |
WinRAR does not update itself, so each endpoint's installed version has to be inventoried and upgraded individually. The Windows command-line RAR and UnRAR tools and UnRAR.dll shared the flaw, so software that bundles them needs updating as well.
Regional context
Southeast Asia represents a consistent target for Chinese cyber espionage:
| Factor | Significance |
|---|---|
| South China Sea tensions | Maritime and territorial disputes |
| ASEAN political dynamics | Regional influence competition |
| Infrastructure projects | Belt and Road Initiative |
| Technology access | Telecommunications, critical infrastructure |
| Government intelligence | Policy insights |
Amaranth-Dragon’s focus on government and law enforcement agencies aligns with intelligence collection supporting Chinese regional interests.
Context
Amaranth-Dragon demonstrates the continued evolution of Chinese-linked threat actors targeting Southeast Asia. The group’s rapid exploitation of CVE-2025-8088—within 10 days of disclosure—shows sophisticated vulnerability monitoring and rapid weaponization capabilities.
| Pattern | Amaranth-Dragon |
|---|---|
| Vulnerability exploitation | Rapid weaponization |
| Targeting | Highly selective, event-driven |
| Tools | Mix of custom and open-source |
| Operations | Disciplined, professional |
| Attribution links | APT41 ecosystem |
The campaign’s operational discipline—narrow targeting, customized lures, and timing aligned with local events—indicates a well-resourced team with regional expertise and specific intelligence requirements.
Organizations in Southeast Asia, particularly government and law enforcement agencies, should assume they are targets for Chinese cyber espionage and implement appropriate detection and defense capabilities.