AMARANTH-DRAGON is a campaign cluster identified by Check Point Research as a nexus of APT-41-aligned activity that weaponised CVE-2025-8088 to conduct targeted espionage across Southeast Asia in 2025. According to Check Point Research, the group used weaponised WinRAR archives to drop a script in the Startup folder, enabling code execution and persistence, with the vulnerability publicly disclosed on 8 August 2025 and a public exploit tool appearing on GitHub four days earlier.
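The persistence mechanism described above (an archive utility writing a script into the Windows Startup folder) is something a defender can hunt for in file-creation telemetry. The following Python is an added example, not code from the Check Point Research report: it takes FileCreate-style records in a constructed, Sysmon-like shape (field names `utc_time`, `image`, `target_filename` are assumptions) and grades writes into the per-user or all-users Startup folder by who wrote them and what was written. The sample events are constructed for the demonstration; only `WinRAR.exe` as the writing process comes from the page.

```python
"""Flag file-creation events that land in a Windows Startup folder.

Added example (not from the Check Point Research report). Field names and
sample events are constructed; WinRAR.exe as the writing process is the one
detail taken from the page.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Per-user (%APPDATA%) and all-users (%ProgramData%) Startup folders.
# Matched case-insensitively because Windows spells the leaf "Startup"/"StartUp".
STARTUP_PATH_RE = re.compile(
    r"\\(?:AppData\\Roaming|ProgramData)\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$",
    re.IGNORECASE,
)

# File types Explorer launches directly when it processes the Startup folder at logon.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".ps1", ".hta", ".lnk", ".exe"}

# Archive utilities whose writes into Startup match the behaviour described in the text.
# WinRAR.exe is from the page; add other archivers used in your estate (assumption).
ARCHIVER_IMAGES = {"winrar.exe"}


@dataclass
class FileCreateEvent:
    """Minimal FileCreate-style record (constructed, Sysmon-like field names)."""
    utc_time: str
    image: str            # full path of the process that created the file
    target_filename: str  # full path of the created file


@dataclass
class Finding:
    event: FileCreateEvent
    severity: str  # "high" | "medium" | "low"
    reason: str


def is_startup_write(path: str) -> bool:
    """True when the created file sits directly inside a Startup folder."""
    return STARTUP_PATH_RE.search(path) is not None


def classify(event: FileCreateEvent) -> Optional[Finding]:
    """Grade a single event; None means it is not a Startup-folder write."""
    if not is_startup_write(event.target_filename):
        return None
    image_name = ntpath.basename(event.image).lower()
    ext = ntpath.splitext(ntpath.basename(event.target_filename))[1].lower()
    if image_name in ARCHIVER_IMAGES:
        # An archiver has no business creating files in Startup: this is the
        # pattern the text attributes to the weaponised archives.
        return Finding(event, "high", f"archive utility {image_name} wrote {ext or 'file'} into Startup folder")
    if ext in SCRIPT_EXTENSIONS:
        return Finding(event, "medium", f"{image_name} wrote runnable {ext} into Startup folder")
    return Finding(event, "low", f"{image_name} wrote {ext or 'file'} into Startup folder")


def triage(events: List[FileCreateEvent]) -> List[Finding]:
    """Run classify() over a batch and keep only the events worth a look."""
    return [f for f in (classify(e) for e in events) if f is not None]


# Constructed sample telemetry: one archiver write into Startup, one ordinary
# shortcut, one benign archiver write elsewhere, one low-interest all-users write.
SAMPLE_EVENTS = [
    FileCreateEvent("2025-08-18 03:12:44", r"C:\Program Files\WinRAR\WinRAR.exe",
                    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"),
    FileCreateEvent("2025-08-18 03:15:02", r"C:\Windows\explorer.exe",
                    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk"),
    FileCreateEvent("2025-08-18 03:16:10", r"C:\Program Files\WinRAR\WinRAR.exe",
                    r"C:\Users\alice\Downloads\report.pdf"),
    FileCreateEvent("2025-08-18 03:20:31", r"C:\Windows\System32\msiexec.exe",
                    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\readme.txt"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.severity.upper():6}] {finding.event.utc_time}  {finding.reason}")
```

The regex anchors on the folder path rather than on the process name, so the rule still fires when a different dropper is used; the archiver check only raises the severity. In practice the same logic is expressed as a SIEM query over Sysmon Event ID 11 (FileCreate), with the `ARCHIVER_IMAGES` set widened to whatever archive tools the estate actually runs.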
Campaigns began in March 2025 against targets in Cambodia and expanded to other countries, including Thailand, Laos, Indonesia, Singapore and the Philippines, often timed to local geopolitical events and relying on geo-restricted C2 infrastructure fronted by Cloudflare and on legitimate hosting services such as Dropbox.
By 18 August 2025, Indonesia was being targeted with CVE-2025-8088, followed by further campaigns in September and October of that year, some deploying the TGAmaranth RAT with a Telegram C&C and others using the Havoc C2 Framework. The operators demonstrate sophisticated anti-EDR/anti-AV techniques, loader sideloading, encrypted payloads, and time-zone-aware operations in UTC+8, reinforcing the need for vigilance, timely patching, and layered defence in government and critical infrastructure sectors.