According to Check Point Research, China-linked threat actors tracked as Amaranth-Dragon carried out cyber-espionage campaigns in 2025 targeting government and law enforcement agencies across Southeast Asia, with activity linked to the APT-41 ecosystem and affecting Thailand, Indonesia, Singapore, and the Philippines.
The campaigns were highly targeted and stealthy, aimed at long-term espionage rather than disruption, and attackers limited their infrastructure to specific countries to avoid detection while exploiting a newly disclosed WinRAR flaw, CVE-2025-8088. The flaw was disclosed on 8 August 2025, with a public exploit released on 14 August, and Amaranth-Dragon began exploiting it days later on 18 August 2025.
Victims were likely lured via spear-phishing emails containing cloud-hosted malicious archives, triggering a loader that used DLL sideloading and operated the Havoc C2 framework entirely in memory, a tactic linked to APT-41.
Earlier campaigns used ZIP files containing LNK and BAT scripts, while later operations targeted Indonesia with password-protected RAR archives that delivered the TGAmaranth RAT, controlled through a Telegram bot. The RAT can list processes, take screenshots, execute commands and transfer files, and its C2 infrastructure is hidden behind Cloudflare and geo-restricted to specific countries.
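Because the later TGAmaranth operations task the RAT through a Telegram bot, one defensive check is to hunt web-proxy logs for Telegram Bot API traffic from processes that have no business talking to it. The script below is an added illustration, not code from Check Point's report; the log format, host names, process names and bot tokens are all constructed for the example, and the method names it keys on (`getUpdates` for command polling, `sendDocument`/`sendPhoto` for uploads) are assumed from the public Bot API rather than taken from the report.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not from the report): timestamp, source host, process, URL.
# The bot tokens are placeholders that merely match the Bot API URL shape.
SAMPLE_LOG = """\
2025-08-20T09:00:01Z ws-fin-07 rundll32.exe https://api.telegram.org/bot123456789:AAF-placeholder-token/getUpdates
2025-08-20T09:00:31Z ws-fin-07 rundll32.exe https://api.telegram.org/bot123456789:AAF-placeholder-token/getUpdates
2025-08-20T09:01:02Z ws-fin-07 rundll32.exe https://api.telegram.org/bot123456789:AAF-placeholder-token/sendDocument
2025-08-20T09:03:10Z ws-hr-02 Telegram.exe https://149.154.167.50/api
2025-08-20T09:05:00Z ws-ops-11 chrome.exe https://web.telegram.org/k/
2025-08-20T09:07:44Z ws-dev-03 python.exe https://api.telegram.org/bot987654321:BBG-placeholder-token/getMe
"""

# Bot API calls look like https://api.telegram.org/bot<id>:<secret>/<method>.
# The secret is captured only so it can be excluded from findings; it is never emitted.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)"
)

# Assumed Bot API methods of interest: polling for operator commands and pushing data out.
TASKING_METHODS = {"getUpdates"}
EXFIL_METHODS = {"sendDocument", "sendPhoto"}


def parse_line(line):
    """Return a dict for a Bot API request line, or None if the line is not one."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4:
        return None
    ts, host, proc, url = parts
    m = BOT_API_RE.search(url)
    if not m:
        return None
    return {"ts": ts, "host": host, "process": proc,
            "bot_id": m["bot_id"], "method": m["method"]}


def find_bot_c2(log_text, allowed_processes=frozenset()):
    """Flag (host, process, bot) tuples that repeatedly poll for commands or upload data.

    allowed_processes: lower-case process names permitted to use the Bot API
    (e.g. a sanctioned automation script); everything else is evaluated.
    """
    per_key = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["process"].lower() not in allowed_processes:
            per_key[(ev["host"], ev["process"], ev["bot_id"])].append(ev["method"])

    findings = []
    for (host, proc, bot_id), methods in per_key.items():
        polls = sum(m in TASKING_METHODS for m in methods)
        uploads = sum(m in EXFIL_METHODS for m in methods)
        # Two or more polls from one process suggests a beacon loop; any upload is worse.
        if polls >= 2 or uploads:
            findings.append({
                "host": host, "process": proc, "bot_id": bot_id,
                "polls": polls, "uploads": uploads,
                "severity": "high" if uploads else "medium",
            })
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["host"]))


if __name__ == "__main__":
    for f in find_bot_c2(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['host']} {f['process']} bot={f['bot_id']} "
              f"polls={f['polls']} uploads={f['uploads']}")
```

On the sample log only the `rundll32.exe` activity on `ws-fin-07` is flagged (two `getUpdates` polls followed by a `sendDocument`), while the desktop Telegram client, the browser session and the single `getMe` call are left alone. Keying on the bot id rather than the full token keeps secrets out of alert data, and the `allowed_processes` set is where a team records sanctioned Bot API users so the rule stays quiet on legitimate automation.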