China-Linked Cyber Espionage Campaigns Target Southeast Asia
Threat actors linked to China have been identified as orchestrating a series of cyber espionage campaigns aimed at government and law enforcement agencies across Southeast Asia in 2025. The campaigns, tracked collectively as Amaranth-Dragon, share connections with the APT41 ecosystem. The targeted countries include Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines.
The cybersecurity firm Check Point Research revealed that these campaigns were strategically timed to coincide with significant local political events, government decisions, or regional security incidents. By integrating malicious activities into familiar, timely contexts, the attackers increased the likelihood of their targets engaging with the content.
The attacks were highly focused and narrowly scoped, indicating the threat actors' intention to establish long-term persistence for geopolitical intelligence collection. The campaigns showcased a high level of stealth, with the attack infrastructure configured to interact exclusively with victims in specific target countries, minimizing exposure.
The adversaries exploited a security flaw in RARLAB WinRAR, CVE-2025-8088, which allows arbitrary code execution when a specially crafted archive is opened by the target. The flaw was weaponized in this campaign about eight days after its public disclosure in August, a short patch window that left unpatched WinRAR installations exposed. The attackers distributed a malicious RAR file that triggered the flaw, giving them code execution and persistence on compromised machines.
The initial access vector has not been confirmed, but the campaigns' highly targeted nature and the use of tailored lures tied to political, economic, or military developments in the region point to spear-phishing emails. The archive files were hosted on well-known cloud platforms such as Dropbox, which reduces suspicion and lets the download pass through perimeter defenses that allow traffic to those services.
The archive contained a malicious DLL named Amaranth Loader, which was launched using DLL side-loading, a tactic previously associated with Chinese threat actors. The loader shares similarities with tools like DodgeBox, DUSTPAN, and DUSTTRAP, all linked to the APT41 hacking crew.
Once executed, the loader contacted an external server to retrieve an encryption key, which it used to decrypt and execute a payload directly in memory. Because the decryption key never ships with the archive, the payload cannot be recovered from the sample alone, and because the payload is never written to disk, file-based scanning does not see it. The final payload was the open-source command-and-control framework Havoc.
Earlier campaign iterations in March 2025 used ZIP files with Windows shortcuts and batch scripts to decrypt and execute the Amaranth Loader. A similar attack sequence was observed in a late October 2025 campaign targeting the Philippines Coast Guard.
In another campaign targeting Indonesia in September 2025, the threat actors distributed a password-protected RAR archive from Dropbox, delivering a fully functional remote access trojan (RAT) named TGAmaranth RAT, which used a hard-coded Telegram bot for C2.
The RAT supported various commands, including sending process lists, capturing screenshots, executing commands, downloading files, and uploading files. The C2 infrastructure was fronted by Cloudflare, and access was restricted to IP addresses within the targeted countries, which keeps the backend hidden from scanners and sandboxes outside the target region.
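A Telegram bot used as C2 leaves a recognizable trace: every task poll and every exfiltration call goes to api.telegram.org/bot&lt;token&gt;/&lt;method&gt;, and the token (a numeric bot id, a colon, and a 35-character secret) is hard-coded in the sample. The following is an added example, not code from the article or from Check Point, showing how a defender can hunt for that pattern in proxy logs and pull the embedded token out of a binary for static triage. The log lines, process names, hosts, tokens and the byte blob are all constructed for the demonstration; only the Bot API URL layout and token shape are the public format.

```python
"""Hunt for Telegram Bot API command-and-control in proxy logs and binaries.

Added example. Sample logs, hosts, process names, bot tokens and the binary
blob below are constructed; nothing here is from a real sample or a real bot.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# A Bot API token is "<bot id>:<35-char secret>"; the lookarounds stop the
# regex from matching a suffix of a longer digit run or part of a longer secret.
TOKEN_RE = re.compile(rb"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")

# Bot API calls always take the form api.telegram.org/bot<token>/<method>.
BOT_API_RE = re.compile(r"api\.telegram\.org/bot(\d{8,10}):([A-Za-z0-9_-]{35})/(\w+)")

# A RAT polls for operator tasks and pushes results back; seeing both from one
# process is the C2 pattern, seeing only a send* method may be a benign alerting script.
POLL_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}

# Constructed proxy log lines: timestamp, client IP, process, HTTP verb, URL.
SAMPLE_LOGS = [
    "2025-09-12T08:14:03Z 10.20.30.41 updater.exe GET https://api.telegram.org/bot1234567890:AAHfakeTOKENfakeTOKENfakeTOKENfake1/getUpdates?offset=17",
    "2025-09-12T08:14:09Z 10.20.30.41 updater.exe POST https://api.telegram.org/bot1234567890:AAHfakeTOKENfakeTOKENfakeTOKENfake1/sendDocument",
    "2025-09-12T08:15:00Z 10.20.30.57 chrome.exe GET https://web.telegram.org/a/",
    "2025-09-12T08:16:22Z 10.20.30.41 updater.exe GET https://www.microsoft.com/",
    "2025-09-12T08:17:45Z 10.20.30.60 python.exe POST https://api.telegram.org/bot9876543210:BBHfakeTOKENfakeTOKENfakeTOKENfake2/sendMessage",
]

# Constructed stand-in for the strings section of a RAT binary with a hard-coded token.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"https://api.telegram.org/bot1234567890:AAHfakeTOKENfakeTOKENfakeTOKENfake1/\x00"
    b"getUpdates\x00sendDocument\x00"
)


def find_bot_api_calls(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per Bot API request, with the secret part of the token redacted."""
    hits = []
    for line in lines:
        ts, client, proc, verb, url = line.split(maxsplit=4)
        m = BOT_API_RE.search(url)
        if not m:
            continue
        bot_id, secret, method = m.groups()
        hits.append({
            "ts": ts,
            "client": client,
            "process": proc,
            "bot_id": bot_id,                    # bot id is safe to keep for pivoting
            "secret_prefix": secret[:4] + "...",  # never log the full secret
            "method": method,
        })
    return hits


def classify(hits: List[Dict[str, str]]) -> Dict[Tuple[str, str], str]:
    """Group requests by (client, process) and label the poll-plus-exfil combination as C2."""
    methods_by_src: Dict[Tuple[str, str], set] = defaultdict(set)
    for h in hits:
        methods_by_src[(h["client"], h["process"])].add(h["method"])
    verdicts = {}
    for src, methods in methods_by_src.items():
        if methods & POLL_METHODS and methods & EXFIL_METHODS:
            verdicts[src] = "c2-pattern"
        else:
            verdicts[src] = "bot-api-use"
    return verdicts


def extract_tokens(blob: bytes) -> List[str]:
    """Static triage: pull hard-coded Bot API tokens out of a binary's bytes."""
    return [f"{bot_id.decode()}:{secret.decode()}" for bot_id, secret in TOKEN_RE.findall(blob)]


if __name__ == "__main__":
    for src, verdict in classify(find_bot_api_calls(SAMPLE_LOGS)).items():
        print(src, verdict)
    print("embedded tokens:", extract_tokens(SAMPLE_BLOB))
```

Two practical notes. Official Telegram clients talk MTProto to Telegram's data centers rather than the HTTP Bot API, so any endpoint process hitting api.telegram.org/bot... deserves a look even before the poll-plus-send pattern appears; the web.telegram.org line above is deliberately left unflagged for that reason. And a recovered token is an operational lead, not something to post in a report: the bot id alone is enough to correlate samples, while the secret is what the operator is actually using.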
The connection between Amaranth-Dragon and APT41 is evident through overlapping malware arsenals, suggesting a possible link or shared resources. Chinese threat actors are known for sharing tools, techniques, and infrastructure, and the development style closely mirrors APT41 practices.
Mustang Panda, another Chinese nation-state group, has been identified in a separate campaign, PlugX Diplomacy, targeting officials in diplomacy, elections, and international coordination across multiple regions between December 2025 and January 2026. The operation relied on impersonation and trust, luring victims into opening files that appeared to be U.S.-linked diplomatic summaries or policy documents. Opening the lure triggered the deployment of DOPLUGS, a customized variant of PlugX, for data harvesting and persistent access.