Threat actors linked to China have been blamed for a new set of cyber espionage campaigns targeting government and law enforcement agencies in Southeast Asia during 2025.
Check Point Research is tracking a previously undocumented activity cluster under the alias Amaranth-Dragon, which it said shares links with the APT41 ecosystem. The targeted countries include Cambodia, Thailand, Laos, Indonesia, Singapore and the Philippines.
“Many campaigns were timed to coincide with sensitive local political developments, official government decisions, or regional security events,” the cybersecurity company said in a report shared with The Hacker News. “By promoting malicious activity in familiar, topical contexts, attackers significantly increase the likelihood that targets will engage with the content.”
The Israeli firm said the attacks were “narrowly focused” and “tightly scoped”, indicating efforts on the part of threat actors to establish long-term persistence for geopolitical intelligence collection.
The most notable aspect of the threat actors' tradecraft is the high level of operational security: campaigns are "highly controlled", and the attack infrastructure is configured so that it only interacts with victims in the specific target countries, minimizing exposure.
The attack chains deployed by the adversary have been found to exploit CVE-2025-8088, a now-patched path traversal flaw in RARLAB WinRAR that lets a specially crafted archive write files outside the intended extraction directory, leading to arbitrary code execution when targets open it. Exploitation was observed approximately eight days after the vulnerability's public disclosure in August 2025.
“The group distributed a malicious RAR file that exploits the CVE-2025-8088 vulnerability, allowing arbitrary code execution and persistence on the compromised machine,” Check Point researchers said. The speed with which the group weaponized the flaw underlines its technical maturity and preparedness.
Although the exact initial access vector remains unknown at this stage, the highly targeted nature of the campaigns, together with lures tailored to political, economic or military developments in the region, suggests spear-phishing emails that deliver archive files hosted on well-known cloud platforms such as Dropbox, both to reduce suspicion and to bypass traditional perimeter controls.
The archive contains several files, including a malicious DLL named Amaranth Loader, which is launched via DLL side-loading, a long-time favorite technique among Chinese threat actors. The loader shares similarities with tools such as Dodgebox, Dustpan (aka StealthVector), and Dusttrap, which have previously been attributed to the APT41 hacking crew.
Once executed, the loader contacts an external server to retrieve an encryption key, uses it to decrypt a payload fetched from a different URL, and runs the result directly in memory. The final payload deployed in the attack is Havoc, an open-source command-and-control (C2 or C&C) framework.
In contrast, early iterations of the campaign discovered in March 2025 used ZIP files containing Windows shortcut (LNK) and batch (BAT) files to decrypt and execute Amaranth Loader via DLL side-loading. A similar attack sequence was identified in an operation in late October 2025 that used lures related to the Philippine Coast Guard.
In another campaign targeting Indonesia in early September 2025, the threat actors instead distributed a password-protected RAR archive from Dropbox to deliver a fully functional remote access trojan (RAT) codenamed TGAmaranth RAT, rather than Amaranth Loader. The RAT uses a hard-coded Telegram bot for C2.
In addition to implementing anti-debugging and anti-antivirus techniques to hinder analysis and detection, the RAT supports the following commands:
- /start, to send a list of running processes from the infected machine to the bot
- /screenshot, to capture and upload screenshots
- /shell, to execute a specified command on the infected machine and return its output
- /download, to download (exfiltrate) a specified file from the infected machine
- /upload, to upload a file to the infected machine
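A Telegram bot as C2 leaves a recognizable shape in egress logs: every Bot API call goes to api.telegram.org/bot<token>/<method>, a command-polling implant calls getUpdates repeatedly, and results come back through sendMessage or sendDocument. The script below is an added example written for this article, not Check Point's or the malware's code; it groups such requests per host, process and bot ID and scores the polling-plus-upload pattern. The log format (timestamp, host, process, URL), the process names, the dummy token and the allowlist are all constructed for illustration.

```python
"""Flag Telegram Bot API traffic from unexpected processes.

Added example for this article; not Check Point's or the malware's code. The
log format (timestamp host process url), the process names and the allowlist
are constructed for illustration.
"""
import re
from collections import defaultdict

# Every Bot API call is https://api.telegram.org/bot<token>/<method>, where the
# token is "<numeric bot id>:<35-character secret>".
BOT_URL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>\d+:[A-Za-z0-9_-]{35})/(?P<method>[A-Za-z]+)"
)
# What a bot-driven implant needs: poll for operator commands, push results back.
POLL_METHOD = "getUpdates"
RESULT_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}
# Constructed allowlist: processes sanctioned to use the Bot API in this environment.
ALLOWED_PROCESSES = {"alertbot.exe"}

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<url>\S+)$")


def parse_line(line):
    """Return a record for a Bot API request, or None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    u = BOT_URL.match(rec["url"])
    if not u:
        return None
    rec["bot_id"] = u["token"].split(":", 1)[0]  # keep the bot id, never log the full token
    rec["method"] = u["method"]
    return rec


def analyze(lines):
    """Group Bot API requests per (host, process, bot) and score them.

    high:   repeated getUpdates polling plus at least one result upload,
            i.e. the command/response loop of a Telegram-controlled RAT
    medium: any other Bot API use from a process not on the allowlist
    """
    buckets = defaultdict(lambda: {"polls": 0, "methods": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"].lower() in ALLOWED_PROCESSES:
            continue
        b = buckets[(rec["host"], rec["proc"], rec["bot_id"])]
        b["methods"].add(rec["method"])
        if rec["method"] == POLL_METHOD:
            b["polls"] += 1

    findings = []
    for (host, proc, bot_id), b in sorted(buckets.items()):
        uploads = b["methods"] & RESULT_METHODS
        severity = "high" if b["polls"] >= 2 and uploads else "medium"
        findings.append({
            "host": host, "proc": proc, "bot_id": bot_id,
            "polls": b["polls"], "methods": sorted(b["methods"]), "severity": severity,
        })
    return findings


# Constructed sample log; the token is a dummy of the right shape.
_TOKEN = "123456789:AAE" + "x" * 32
SAMPLE_LOG = [
    f"2025-09-03T08:00:01Z WS01 update.exe https://api.telegram.org/bot{_TOKEN}/getUpdates?offset=1&timeout=30",
    f"2025-09-03T08:00:32Z WS01 update.exe https://api.telegram.org/bot{_TOKEN}/getUpdates?offset=2&timeout=30",
    f"2025-09-03T08:00:40Z WS01 update.exe https://api.telegram.org/bot{_TOKEN}/sendMessage",
    f"2025-09-03T08:00:41Z WS01 update.exe https://api.telegram.org/bot{_TOKEN}/sendDocument",
    f"2025-09-03T08:01:00Z WS02 alertbot.exe https://api.telegram.org/bot{_TOKEN}/sendMessage",
    "2025-09-03T08:01:10Z WS03 chrome.exe https://web.telegram.org/k/",
    f"2025-09-03T08:01:30Z WS04 report.exe https://api.telegram.org/bot{_TOKEN}/sendMessage",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The detection keys on the API shape rather than on any sample-specific indicator, so it survives a change of bot token; the trade-off is that it needs process-aware proxy or EDR network logs, since the traffic itself is ordinary TLS to a Cloudflare-fronted Telegram endpoint.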
The C2 infrastructure is additionally fronted by Cloudflare and configured to accept traffic only from IP addresses within the country or countries targeted in each operation, so that scanners and researchers outside the target geography never see the payload. This also exemplifies how sophisticated threat actors abuse legitimate, trusted infrastructure to carry out targeted attacks covertly.
Amaranth-Dragon’s links to APT41 stem from overlaps in malware arsenals, pointing to possible connections or shared resources between the two groups. It is worth noting that Chinese threat actors are known to share tooling, techniques, and infrastructure.
“Additionally, the development style, such as creating new threads within export functions to execute malicious code, closely mirrors established APT41 practices,” Check Point said.
“Compile timestamps, campaign timing, and infrastructure management all point to a disciplined, well-resourced team operating in the UTC+8 (China Standard Time) region. Taken together, these technical and operational overlaps strongly suggest that Amaranth-Dragon is closely linked to, or part of, the APT41 ecosystem, continuing established patterns of targeting and tool development in the region.”
Mustang Panda introduces PlugX variant in new campaign
The revelations came as Tel Aviv-based cybersecurity company Dream Research Labs detailed a campaign run by another Chinese nation-state group, Mustang Panda, that targeted officials involved in diplomacy, elections and international coordination across multiple regions between December 2025 and mid-January 2026. The activity has been named PlugX Diplomacy.
“Rather than exploiting software vulnerabilities, the operation relied on impersonation and trust,” the company said. “Victims were lured to open files that appeared to be diplomatic summaries or policy documents involving the US. Opening the file alone was enough to initiate the compromise.”
The documents pave the way for the deployment of a customized version of PlugX, a long-standing malware family used by hacking groups to covertly collect data and maintain persistent access to compromised hosts. The variant, DOPLUGS, has been observed in the wild since at least late December 2022.
The attack chains are fairly consistent: malicious ZIP attachments themed around official meetings, elections and international forums serve as the trigger for a multi-stage process. The compressed file contains a single LNK file that, when launched, runs a PowerShell command that carves a TAR archive out of the ZIP and extracts it.
“Embedded PowerShell logic recursively searches the zip archive, reads it as raw bytes, and extracts the payload starting at a certain byte offset,” Dream explained. “The carved data is written to disk using an obfuscated invocation of the WriteAllBytes method. The extracted data is treated as a TAR archive and unpacked using the native tar.exe utility, demonstrating the consistent use of living-off-the-land binaries (LOLBins) throughout the infection chain.”
The TAR archive contains three files:
- A legitimately signed executable associated with AOMEI Backupper that is vulnerable to DLL search-order hijacking (“RemoveBackupper.exe”)
- An encrypted file containing the PlugX payload (“backupper.dat”)
- A malicious DLL (“comn.dll”) that the executable side-loads in order to load PlugX
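Because the TAR is carved from the ZIP at a byte offset rather than stored as a normal member, a gateway that only lists ZIP entries sees a single LNK. The script below is an added example for this article, not Dream's or the malware's code: it builds such a lure in memory, then locates the hidden TAR the way an analyst would, by scanning for a ustar header whose checksum verifies, and lists its members. The sample archive is constructed; the TAR is appended after the ZIP's end-of-central-directory record (an assumption about how the payload is placed, not a detail from the report), the member names mirror the article, and the file contents are dummy bytes.

```python
"""Carve a TAR hidden inside a lure ZIP.

Added example for this article, not Dream's or the malware's code. The sample
archive is constructed here: the TAR is appended after the ZIP's end-of-central-
directory record (an assumption about how the payload is hidden); the member
names mirror the article, the contents are dummy bytes.
"""
import io
import tarfile
import zipfile

TAR_BLOCK = 512
MAGIC_OFFSET = 257   # POSIX ustar header: magic "ustar" lives at byte 257
CHKSUM_OFFSET = 148  # 8-byte octal checksum field


def _valid_tar_header(block: bytes) -> bool:
    """True if `block` is a 512-byte ustar header whose checksum verifies.

    The checksum is the byte sum of the header with the checksum field itself
    treated as eight ASCII spaces, so a stray "ustar" string is rejected.
    """
    if len(block) < TAR_BLOCK or block[MAGIC_OFFSET:MAGIC_OFFSET + 5] != b"ustar":
        return False
    field = block[CHKSUM_OFFSET:CHKSUM_OFFSET + 8].replace(b"\0", b" ").strip()
    try:
        stored = int(field, 8)
    except ValueError:
        return False
    computed = sum(block[:CHKSUM_OFFSET]) + 8 * ord(" ") + sum(block[CHKSUM_OFFSET + 8:TAR_BLOCK])
    return computed == stored


def find_tar_offset(data: bytes, start: int = 0) -> int:
    """Offset of the first checksum-valid ustar header at or after `start`, or -1."""
    pos = data.find(b"ustar", start)
    while pos != -1:
        hdr = pos - MAGIC_OFFSET
        if hdr >= 0 and _valid_tar_header(data[hdr:hdr + TAR_BLOCK]):
            return hdr
        pos = data.find(b"ustar", pos + 1)
    return -1


def carve_tar_members(data: bytes, offset: int) -> list:
    """Parse the TAR starting at `offset` and list its member names."""
    with tarfile.open(fileobj=io.BytesIO(data[offset:]), mode="r:") as tar:
        return tar.getnames()


def zip_member_names(data: bytes) -> list:
    """What a victim (or a ZIP-aware gateway) sees: only the lure's own members."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample():
    """Construct lure.zip = [ZIP with one decoy LNK] + [TAR with the three side-loading files]."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for name, content in [
            ("RemoveBackupper.exe", b"MZ decoy, not a real binary"),
            ("backupper.dat", bytes(range(64))),
            ("comn.dll", b"MZ decoy, not a real binary"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))

    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Meeting_Summary.pdf.lnk", b"L\0\0\0 decoy shortcut bytes")
    tar_offset = len(zip_buf.getvalue())  # TAR begins right after the EOCD record
    zip_buf.seek(0, 2)
    zip_buf.write(tar_buf.getvalue())
    return zip_buf.getvalue(), tar_offset


if __name__ == "__main__":
    blob, expected = build_sample()
    print("ZIP members:", zip_member_names(blob))
    off = find_tar_offset(blob)
    print(f"embedded TAR at offset {off} (expected {expected})")
    print("TAR members:", carve_tar_members(blob, off))
```

Checking the header checksum rather than just the magic string matters: "ustar" can occur by chance in compressed data, and an analyst carving on the magic alone would hand tar.exe garbage. The same scan works when the TAR is a stored ZIP member instead of trailing data, since stored members are byte-identical to the original file.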
Running the legitimate executable displays a decoy PDF document to give the victim the impression that nothing is amiss while, in the background, DOPLUGS is installed on the host.
Dream concluded, “The correlation between actual diplomatic events and the timing of detected inducements suggests that similar campaigns are likely to continue as geopolitical developments unfold.”
“Entities working in the diplomatic, government, and policy-oriented sectors should consequently consider malicious LNK distribution methods and DLL search-order hijacking via legitimate executables as persistent, high-priority threats rather than isolated or fleeting tactics.”