China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns

News Room
Last updated: 2026/02/04 at 10:17 AM
News Room Published 4 February 2026

Threat actors affiliated with China have been attributed to a fresh set of cyber espionage campaigns targeting government and law enforcement agencies across Southeast Asia throughout 2025.

Check Point Research is tracking the previously undocumented activity cluster under the moniker Amaranth-Dragon, which it said shares links to the APT41 ecosystem. Targeted countries include Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines.

“Many of the campaigns were timed to coincide with sensitive local political developments, official government decisions, or regional security events,” the cybersecurity company said in a report shared with The Hacker News. “By anchoring malicious activity in familiar, timely contexts, the attackers significantly increased the likelihood that targets would engage with the content.”

The Israeli firm added that the attacks were “narrowly focused” and “tightly scoped,” indicating efforts on the part of the threat actors to establish long-term persistence for geopolitical intelligence collection.

The most notable aspect of threat actors’ tradecraft is the high degree of stealth, with the campaigns “highly controlled” and the attack infrastructure configured such that it can interact only with victims in specific target countries in an attempt to minimize exposure.

Attack chains mounted by the adversary have been found to abuse CVE-2025-8088, a now-patched security flaw impacting RARLAB WinRAR that allows for arbitrary code execution when specially crafted archives are opened by targets. The exploitation of the vulnerability was observed about eight days after its public disclosure in August.

“The group distributed a malicious RAR file that exploits the CVE-2025-8088 vulnerability, allowing the execution of arbitrary code and maintaining persistence on the compromised machine,” Check Point researchers noted. “The speed and confidence with which this vulnerability was operationalized underscores the group’s technical maturity and preparedness.”

Although the exact initial access vector remains unknown at this stage, the highly targeted nature of the campaigns, coupled with the use of tailored lures related to political, economic, or military developments in the region, suggests the use of spear-phishing emails to distribute the archive files hosted on well-known cloud platforms like Dropbox to lower suspicion and bypass traditional perimeter defenses.

The archive contains several files, including a malicious DLL named Amaranth Loader that’s launched by means of DLL side-loading, another long-preferred tactic among Chinese threat actors. The loader shares similarities with tools such as DodgeBox, DUSTPAN (aka StealthVector), and DUSTTRAP, which have been previously identified as used by the APT41 hacking crew.

Once executed, the loader is designed to contact an external server to retrieve an encryption key, which is then used to decrypt an encrypted payload retrieved from a different URL and execute it directly in memory. The final payload deployed as part of the attack is the open-source command-and-control (C2 or C&C) framework known as Havoc.

In contrast, early iterations of the campaign detected in March 2025 made use of ZIP files containing Windows shortcut (LNK) and batch (BAT) files to decrypt and execute the Amaranth Loader using DLL side-loading. A similar attack sequence was also identified in a late October 2025 campaign using lures related to the Philippines Coast Guard.

In another campaign targeting Indonesia in early September 2025, the threat actors opted to distribute a password-protected RAR archive from Dropbox so as to deliver a fully functional remote access trojan (RAT) codenamed TGAmaranth RAT instead of Amaranth Loader that leverages a hard-coded Telegram bot for C2.

Besides implementing anti-debugging and anti-antivirus techniques to resist analysis and detection, the RAT supports the following commands –

  • /start, to send a list of running processes from the infected machine to the bot
  • /screenshot, to capture and upload a screenshot
  • /shell, to execute a specified command on the infected machine and exfiltrate the output
  • /download, to download a specified file from the infected machine
  • /upload, to upload a file to the infected machine

What’s more, the C2 infrastructure is fronted by Cloudflare and is configured to accept traffic only from IP addresses within the specific country or countries targeted in each operation. The activity also exemplifies how sophisticated threat actors weaponize legitimate, trusted infrastructure to execute targeted attacks while operating clandestinely.

Amaranth-Dragon’s links to APT41 stem from overlaps in malware arsenal, alluding to a possible connection or shared resources between the two clusters. It’s worth noting that Chinese threat actors are known for sharing tools, techniques, and infrastructure.

“In addition, the development style, such as creating new threads within export functions to execute malicious code, closely mirrors established APT41 practices,” Check Point said.

“Compilation timestamps, campaign timing, and infrastructure management all point to a disciplined, well-resourced team operating in the UTC+8 (China Standard Time) zone. Taken together, these technical and operational overlaps strongly suggest that Amaranth-Dragon is closely linked to, or part of, the APT41 ecosystem, continuing established patterns of targeting and tool development in the region.”

Mustang Panda Delivers PlugX Variant in New Campaign

The disclosure comes as Tel Aviv-based cybersecurity company Dream Research Labs detailed a campaign orchestrated by another Chinese nation-state group tracked as Mustang Panda that has targeted officials involved in diplomacy, elections, and international coordination across multiple regions between December 2025 and mid-January 2026. The activity has been assigned the name PlugX Diplomacy.

“Rather than exploiting software vulnerabilities, the operation relied on impersonation and trust,” the company said. “Victims were lured into opening files that appeared to be U.S.-linked diplomatic summaries or policy documents. Opening the file alone was sufficient to trigger the compromise.”

The documents pave the way for the deployment of a customized variant of PlugX, a long-standing malware put to use by the hacking group to covertly harvest data and enable persistent access to compromised hosts. The variant, called DOPLUGS, has been detected in the wild since at least late December 2022.

The attack chains are fairly consistent in that malicious ZIP attachments centred around official meetings, elections, and international forums act as a catalyst for detonating a multi-stage process. Present within the compressed file is a single LNK file that, when launched, triggers the execution of a PowerShell command that extracts and drops a TAR archive.

“The embedded PowerShell logic recursively searches for the ZIP archive, reads it as raw bytes, and extracts a payload beginning at a fixed byte offset,” Dream explained. “The carved data is written to disk using an obfuscated invocation of the WriteAllBytes method. The extracted data is treated as a TAR archive and unpacked using the native tar.exe utility, demonstrating consistent use of living-off-the-land binaries (LOLBins) throughout the infection chain.”

The TAR archive contains three files –

  • A legitimate signed executable associated with AOMEI Backupper that is vulnerable to DLL search-order hijacking (“RemoveBackupper.exe”)
  • An encrypted file that contains the PlugX payload (“backupper.dat”)
  • A malicious DLL that’s sideloaded using the executable (“comn.dll”) to load PlugX
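The carving step Dream describes, a TAR payload stored past the ZIP's logical end and pulled out at a fixed byte offset, leaves a trait a mail or file scanner can check for: appended data after the ZIP's end-of-central-directory record. The added example below is not code from Dream or the article; it builds a constructed sample (a ZIP containing only a shortcut, with a TAR of the three file names above appended) and then shows the defensive check that flags it and lists the hidden TAR's members.

```python
import io
import struct
import tarfile
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory signature

def build_sample() -> bytes:
    """Constructed sample: a ZIP holding one .lnk entry, then a TAR appended
    after the EOCD record. Contents are placeholder bytes, not real files."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Diplomatic_Summary.lnk", b"placeholder shortcut bytes")
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w") as tf:
        for name in ("RemoveBackupper.exe", "backupper.dat", "comn.dll"):
            data = b"placeholder " + name.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return zbuf.getvalue() + tbuf.getvalue()

def zip_logical_end(blob: bytes) -> int:
    """Offset just past the EOCD record. Each candidate signature is verified
    against the central-directory size/offset fields, so a look-alike byte
    run inside the appended data cannot mislead the scan."""
    idx = blob.find(EOCD_SIG)
    while idx >= 0:
        cd_size, cd_off, comment_len = struct.unpack_from("<IIH", blob, idx + 12)
        if cd_off + cd_size == idx:
            return idx + 22 + comment_len
        idx = blob.find(EOCD_SIG, idx + 1)
    raise ValueError("no consistent EOCD record")

def scan_zip(blob: bytes) -> dict:
    """Flag a shortcut-only ZIP and any trailing payload; if the trailing
    bytes carry the ustar magic at offset 257, list the TAR's members."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
    trailing = blob[zip_logical_end(blob):]
    result = {
        "zip_members": names,
        "only_lnk": bool(names) and all(n.lower().endswith(".lnk") for n in names),
        "trailing_bytes": len(trailing),
        "trailing_is_tar": len(trailing) > 262 and trailing[257:262] == b"ustar",
        "tar_members": [],
    }
    if result["trailing_is_tar"]:
        with tarfile.open(fileobj=io.BytesIO(trailing), mode="r:") as tf:
            result["tar_members"] = tf.getnames()
    return result

if __name__ == "__main__":
    for key, value in scan_zip(build_sample()).items():
        print(f"{key}: {value}")
```

A real sample may place the payload at an offset that is not exactly the ZIP's end, so treat any non-zero `trailing_bytes` on an attachment as worth a closer look, not only the ustar case.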

The execution of the legitimate executable displays a decoy PDF document to the user to give the impression to the victim that nothing is amiss, when, in the background, DOPLUGS is installed on the host.

“The correlation between actual diplomatic events and the timing of detected lures suggests that analogous campaigns are likely to persist as geopolitical developments unfold,” Dream concluded.

“Entities operating in diplomatic, governmental, and policy-oriented sectors should consequently regard malicious LNK distribution methods and DLL search-order hijacking via legitimate executables as persistent, high-priority threats rather than isolated or fleeting tactics.”
