China-linked Amaranth-Dragon exploits WinRAR flaws for espionage
Fyself News, February 4, 2026

China-linked threat actors are believed to be involved in new cyber espionage operations targeting governments and law enforcement agencies across Southeast Asia throughout 2025.

Check Point Research is tracking a previously undocumented cluster of activity under the name “Amaranth-Dragon,” which it says shares a connection with the APT41 ecosystem. Targeted countries include Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines.

“Many of the campaigns were timed to sensitive local political developments, official government decisions, and regional security-related events,” the cybersecurity firm said in a report shared with Hacker News. “By anchoring their malicious activity in a familiar and timely context, the attackers significantly increased the likelihood that their targets would engage with their content.”

The Israeli company added that the attacks were “focused” and “narrow in scope,” indicating an effort on the part of the attackers to establish long-term persistence for geopolitical intelligence gathering.

The most notable aspect of the attackers’ modus operandi is their high degree of stealth, with campaigns “highly controlled” and attack infrastructure configured to only interact with victims in specific target countries to minimize exposure.

One attack chain launched by the adversary was found to exploit CVE-2025-8088, a since-patched security flaw in RARLAB WinRAR that can lead to arbitrary code execution when a specially crafted archive is opened by the target. Exploitation of this vulnerability was observed approximately eight days after it was made public in August.

“The group distributed malicious RAR files that exploited the CVE-2025-8088 vulnerability, allowed arbitrary code execution, and maintained persistence on compromised machines,” Check Point researchers said. “The speed and reliability with which this vulnerability was operationalized highlights the group’s technological maturity and preparedness.”

Although the exact initial access route is unknown at this stage, the highly targeted nature of the campaign, coupled with the use of specific lures related to political, economic, or military developments in the region, suggests that spear-phishing emails were used to distribute archive files hosted on well-known cloud platforms such as Dropbox, both to reduce suspicion and to evade traditional perimeter defenses.

The archive contains multiple files, among them a malicious DLL named Amaranth Loader that is launched by DLL sideloading, another long-time favorite tactic among Chinese threat actors. This loader shares similarities with tools previously identified as being used by the APT41 hacking team, including DodgeBox, DUSTPAN (also known as StealthVector), and DUSTTRAP.

When executed, the loader is designed to connect to an external server to obtain an encryption key, which it then uses to decrypt an encrypted payload obtained from another URL and execute it directly in memory. The final payload deployed as part of the attack is an open-source command and control (C2 or C&C) framework known as Havoc.

In contrast, the early stages of the campaign detected in March 2025 leveraged ZIP files containing Windows shortcut (LNK) and batch (BAT) files to decrypt and run Amaranth Loader via DLL sideloading. A similar attack sequence was also observed in a campaign in late October 2025 using lures associated with the Philippine Coast Guard.

In another campaign targeting Indonesia in early September 2025, the attackers chose to distribute password-protected RAR archives from Dropbox to deliver a fully functional remote access Trojan (RAT) codenamed TGamaranth RAT, which uses a hardcoded Telegram bot for C2, instead of Amaranth Loader.

In addition to implementing anti-debugging and antivirus-evasion techniques to hinder analysis and detection, the RAT supports the following commands:

  • /start, sends a list of running processes from the infected machine to the bot.
  • /screenshot, captures and uploads a screenshot.
  • /shell, executes the specified command on the infected machine and returns the output.
  • /download, downloads the specified file from the infected machine.
  • /upload, uploads files to the infected machine.
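A RAT that uses a Telegram bot for C2 has to poll the Bot API for operator commands (getUpdates) and push results back through it (sendDocument, sendMessage), so the two directions show up together in egress logs from a process that has no business talking to api.telegram.org. The detector below is an added example, not code from the Check Point report; the proxy log format and the constructed log lines are assumptions, and the bot token in them is a placeholder.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample proxy log lines (not from the report). Assumed format:
# <timestamp> <host> <process> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
2025-09-03T08:12:01Z WS-014 chrome.exe GET https://api.telegram.org/bot123456789:AAExampleTokenXYZ/getMe 200
2025-09-03T08:12:09Z WS-014 svchost.exe GET https://api.telegram.org/bot123456789:AAExampleTokenXYZ/getUpdates?offset=41 200
2025-09-03T08:12:19Z WS-014 svchost.exe GET https://api.telegram.org/bot123456789:AAExampleTokenXYZ/getUpdates?offset=42 200
2025-09-03T08:12:21Z WS-014 svchost.exe POST https://api.telegram.org/bot123456789:AAExampleTokenXYZ/sendDocument 200
2025-09-03T08:13:40Z WS-022 outlook.exe GET https://outlook.office365.com/owa/ 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
# Bot API URLs carry the bot token in the path: /bot<id>:<secret>/<call>
BOT_API_RE = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<call>[A-Za-z]+)"
)

# Calls a bot-driven RAT needs: receiving operator commands and sending data back out.
COMMAND_POLL_CALLS = {"getUpdates"}
EXFIL_CALLS = {"sendDocument", "sendPhoto", "sendMessage"}
# Processes from which a person might legitimately touch the Bot API (assumption: browsers only).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}


def redact_token(token: str) -> str:
    """Keep the bot id and the edges of the secret so analysts can correlate without logging the full token."""
    bot_id, _, secret = token.partition(":")
    return f"{bot_id}:{secret[:2]}...{secret[-2:]}"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_telegram_bot_c2(log_text: str) -> List[Dict[str, object]]:
    """One finding per (host, process, bot token) that used the Bot API from an unexpected process."""
    activity: Dict[Tuple[str, str, str], Counter] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        api = BOT_API_RE.match(rec["url"])
        if not api or rec["proc"].lower() in EXPECTED_PROCESSES:
            continue
        key = (rec["host"], rec["proc"], api["token"])
        activity.setdefault(key, Counter())[api["call"]] += 1

    findings: List[Dict[str, object]] = []
    for (host, proc, token), calls in activity.items():
        polls = sum(n for c, n in calls.items() if c in COMMAND_POLL_CALLS)
        exfil = sum(n for c, n in calls.items() if c in EXFIL_CALLS)
        findings.append({
            "host": host,
            "process": proc,
            "bot_token": redact_token(token),
            "command_polls": polls,
            "exfil_calls": exfil,
            # Both directions from the same process is the RAT pattern; one-off calls are merely odd.
            "verdict": "likely bot-driven C2" if polls and exfil else "suspicious bot API use",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_telegram_bot_c2(SAMPLE_PROXY_LOG):
        print(finding)
```

The redacted token is still enough to pivot on: the numeric bot id is constant across every host the same operator controls, so a second machine polling the same id is a second victim, not a second campaign.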

Additionally, the C2 infrastructure is placed behind Cloudflare and configured to accept traffic only from IP addresses within the specific country targeted by each operation. This activity also demonstrates how sophisticated threat actors can weaponize legitimate and trusted infrastructure to carry out targeted attacks while continuing to operate covertly.

The relationship between Amaranth-Dragon and APT41 stems from an overlap in their malware arsenals, suggesting a possible connection or shared resources between the two clusters. It’s worth noting that Chinese threat actors are known for sharing tools, technology, and infrastructure.

“Additionally, the development style, including creating new threads to execute malicious code within export functions, closely mirrors established APT41 practices,” Check Point said.

“Compilation timestamps, campaign timing, and infrastructure management all point to a disciplined and well-resourced team operating in the UTC+8 (China Standard Time) zone. Taken together, these technical and operational overlaps strongly suggest that Amaranth-Dragon is closely associated with or part of the APT41 ecosystem and continues the pattern of targeting and tool development established in this region.”

Mustang Panda delivers PlugX variant in new campaign

The disclosure comes as Tel Aviv-based cybersecurity firm Dream Research Lab revealed details of a campaign organized by another Chinese nation-state group tracked as Mustang Panda that targeted diplomatic, electoral, and international coordination officials in multiple regions from December 2025 to mid-January 2026. This activity was assigned the name “PlugX Diplomacy”.

“The operation relied on impersonation and trust rather than exploiting software vulnerabilities,” the company said. “The victims were induced to open files that appeared to be U.S.-related diplomatic summaries or policy documents. Opening the files was enough to cause the breach.”

The documents pave the way for the deployment of customized variants of PlugX, a long-standing malware family used by hacking groups to covertly collect data and gain persistent access to compromised hosts. The variant, called DOPLUGS, has been detected in the wild since at least late December 2022.

The attack chain is fairly consistent: malicious ZIP attachments themed around official meetings, elections, and international forums act as the trigger for a multi-stage process. Inside the compressed file is a single LNK file that, when launched, runs PowerShell commands to carve out and drop a TAR archive.

“The embedded PowerShell logic recursively searches the ZIP archive, reads it as raw bytes, and extracts the payload starting at a fixed byte offset,” Dream explained. “The carved data is written to disk using an obfuscated call to the WriteAllBytes method. The extracted data is treated as a TAR archive and unpacked using the native tar.exe utility, demonstrating the consistent use of resident binaries (LOLBins) throughout the infection chain.”

The TAR archive contains three files:

  • A legitimate signed executable associated with AOMEI Backupper that is vulnerable to DLL search order hijacking (‘RemoveBackupper.exe’)
  • An encrypted file containing the PlugX payload (‘backupper.dat’)
  • A malicious DLL sideloaded by the executable to load PlugX (‘comn.dll’)
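The carving step described by Dream only works because a ZIP reader stops at the End of Central Directory (EOCD) record and ignores whatever follows it, so the attackers can append a TAR archive after the EOCD and the attachment still opens as a normal ZIP. A mail gateway or triage script can check for exactly that: locate the EOCD, compute where the ZIP logically ends, and flag any trailing bytes, listing TAR members if the trailing region is a tar archive. The scanner below is an added example, not code from the report; the polyglot it builds is constructed here, and the shortcut name and placeholder file contents are assumptions (only the three TAR member names come from the article).

```python
import io
import struct
import tarfile
import zipfile
from typing import Dict, List, Optional

EOCD_SIG = b"PK\x05\x06"   # ZIP End of Central Directory record signature
CDH_SIG = b"PK\x01\x02"    # central directory file header signature
EOCD_MIN_LEN = 22          # fixed part of the EOCD; a variable-length comment may follow


def zip_logical_end(data: bytes) -> Optional[int]:
    """Offset just past the ZIP's EOCD record (comment included), or None if no valid EOCD exists.

    Scans forward through every EOCD signature and accepts the first one whose central-directory
    offset really points at a central directory header, so an appended payload longer than the
    64 KiB window many ZIP readers search backwards cannot hide the real record."""
    pos = data.find(EOCD_SIG)
    while pos >= 0:
        if len(data) - pos >= EOCD_MIN_LEN:
            cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, pos + 12)
            if data[cd_offset:cd_offset + 4] == CDH_SIG:
                return pos + EOCD_MIN_LEN + comment_len
        pos = data.find(EOCD_SIG, pos + 1)
    return None


def tar_members_at(data: bytes, offset: int) -> List[str]:
    """Names of tar entries starting at `offset`; headers are parsed in memory, nothing is extracted."""
    # Both POSIX ("ustar\0") and GNU ("ustar  \0") headers carry "ustar" at byte 257.
    if data[offset + 257:offset + 262] != b"ustar":
        return []
    with tarfile.open(fileobj=io.BytesIO(data[offset:]), mode="r:") as tar:
        return [m.name for m in tar.getmembers()]


def scan_archive(data: bytes) -> Dict[str, object]:
    """Report whether a ZIP carries data past its logical end and what that data looks like."""
    end = zip_logical_end(data)
    if end is None:
        return {"is_zip": False}
    trailing = len(data) - end
    result: Dict[str, object] = {
        "is_zip": True,
        "zip_end": end,
        "trailing_bytes": trailing,
        "embedded_tar": tar_members_at(data, end) if trailing else [],
    }
    return result


def build_sample(append_tar: bool = True) -> bytes:
    """Constructed test input: a ZIP holding one shortcut-like name, optionally with a TAR appended
    after the EOCD. Member names mirror the three files named in the report; contents are placeholders."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as z:
        z.writestr("Meeting_Summary.pdf.lnk", b"placeholder shortcut bytes")   # constructed lure name
    if not append_tar:
        return zip_buf.getvalue()
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, payload in (
            ("RemoveBackupper.exe", b"MZ placeholder"),
            ("comn.dll", b"MZ placeholder"),
            ("backupper.dat", b"\x00" * 16),
        ):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return zip_buf.getvalue() + tar_buf.getvalue()


if __name__ == "__main__":
    print(scan_archive(build_sample()))
    print(scan_archive(build_sample(append_tar=False)))
```

Any non-zero trailing_bytes on an inbound ZIP is worth a block or a quarantine regardless of whether the tar check fires: the attackers chose a fixed offset and tar.exe this time, but the same slack space can hold any format their PowerShell stub knows how to carve.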

When the legitimate executable is run, a decoy PDF document is displayed to the user while DOPLUGS is installed on the host in the background, giving the victim the impression that nothing is wrong.

“The correlation between actual diplomatic events and the timing of detected decoys suggests that similar operations are likely to continue as geopolitical developments progress,” Dream concluded.

“Thus, organizations operating in diplomatic, government, and policy-oriented fields should consider malicious LNK distribution methods and DLL search order hijacking via legitimate executables to be a persistent, high-priority threat rather than an isolated, temporary tactic.”