China-linked threat actors have been attributed to a series of tightly controlled cyber-espionage campaigns targeting government and law-enforcement agencies across Southeast Asia throughout 2025. According to findings from Check Point Research, the activity cluster, tracked as Amaranth Dragon, shares connections with the APT41 ecosystem and has focused on countries including Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines. Researchers noted that many of the campaigns were timed around sensitive political developments, official government decisions, and regional security events, increasing the likelihood that carefully selected targets would open malicious content crafted to appear relevant and legitimate.
The campaigns stand out for their operational discipline and stealth. Check Point described the operations as narrowly focused and tightly scoped, reflecting a strategy aimed at long-term geopolitical intelligence collection rather than broad opportunistic compromise. Attack infrastructure was configured to communicate only with victims located in the specific targeted countries, reducing the risk of exposure. A central component of the intrusion chain was exploitation of CVE-2025-8088, a now-patched vulnerability in RARLAB WinRAR that allows arbitrary code execution when a specially crafted archive is opened. The vulnerability was weaponized within approximately eight days of its public disclosure in August, highlighting the group's technical readiness. Victims received malicious RAR files believed to have been distributed through spear-phishing emails and hosted on trusted cloud platforms such as Dropbox to bypass conventional perimeter defenses. The archives contained a malicious DLL named Amaranth Loader, executed via DLL side-loading, a tactic frequently associated with Chinese state-linked actors. Once launched, the loader contacted an external server to retrieve an encryption key, used it to decrypt a payload fetched from a second URL, and executed that payload directly in memory. The final stage deployed Havoc, an open-source command-and-control framework.
Earlier iterations of the campaign, observed in March 2025, relied on ZIP files containing Windows shortcut (LNK) and batch files to decrypt and run Amaranth Loader using similar side-loading techniques. In late October, a campaign themed around the Philippine Coast Guard followed a comparable pattern. In September 2025, actors targeting Indonesia shifted tactics by distributing a password-protected RAR archive through Dropbox that delivered TGAmaranth RAT instead of the loader. This remote access trojan used a hard-coded Telegram bot for command and control and incorporated anti-debugging and anti-antivirus measures to evade detection. The malware supported commands to list running processes, capture screenshots, execute shell commands, and transfer files to and from infected systems. The command infrastructure was shielded by Cloudflare and restricted to IP addresses within the designated target country for each operation, further reinforcing operational control. Overlaps in tooling, such as similarities with DodgeBox, DUSTPAN, and DUSTTRAP, along with development patterns and infrastructure-management practices aligned with UTC+8 working hours, suggest a close relationship with APT41 or shared resources within that ecosystem.
Separately, Tel Aviv-based Dream Research Labs disclosed another China-linked campaign, attributed to Mustang Panda, active between December 2025 and mid-January 2026 and dubbed PlugX Diplomacy. Unlike the WinRAR exploitation, this operation relied on impersonation and trust, distributing malicious ZIP attachments themed around diplomatic meetings, elections, and international forums. Opening a single LNK file triggered a PowerShell command that extracted a TAR archive using native tools, demonstrating consistent use of living-off-the-land binaries. The archive contained a legitimate signed executable vulnerable to DLL search-order hijacking, an encrypted PlugX payload known as DOPLUGS, and a malicious DLL used to side-load the malware. While a decoy PDF was displayed to avoid suspicion, the PlugX variant was installed silently to harvest data and maintain persistent access. Researchers observed a strong correlation between real-world diplomatic events and the timing of lures, underscoring continued risk for governmental and policy-oriented organizations across multiple regions.
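As an added defender-side example, not code from Check Point, Dream Research Labs or either report, the scan below flags the two host behaviours described in the Amaranth Dragon and PlugX Diplomacy chains: a PowerShell launched from Explorer (an LNK double-click) whose command line runs a native tar extraction, and an unsigned DLL loaded from the same user-writable directory as the executable that loads it, the side-loading pattern used for Amaranth Loader and DOPLUGS. The Sysmon-style event fields, paths and file names are constructed assumptions, not real telemetry.

```python
import ntpath
import re

# Constructed Sysmon-style telemetry (ProcessCreate and ImageLoad); not real victim data.
EVENTS = [
    {"type": "ProcessCreate", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -w hidden -c tar -xf Forum_Agenda.tar -C %TEMP%\drop"},
    {"type": "ProcessCreate", "parent": r"C:\Windows\System32\cmd.exe",   # benign admin use
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell Get-ChildItem C:\build\out.tar"},
    {"type": "ImageLoad", "signed": False,                                # side-load pattern
     "image": r"C:\Users\alice\AppData\Local\Temp\drop\vendorapp.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\drop\vendorhelper.dll"},
    {"type": "ImageLoad", "signed": True,                                 # benign system DLL
     "image": r"C:\Program Files\Vendor\vendorapp.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
]

# "tar" (or tar.exe) followed later by an option group containing x (extract), e.g. -xf
TAR_EXTRACT = re.compile(r"\btar(\.exe)?\b.*\s-[a-z]*x", re.I)

def basename_is(path, name):
    return ntpath.basename(path).lower() == name

def in_user_writable(directory):
    d = directory.lower() + "\\"
    return any(seg in d for seg in ("\\appdata\\", "\\downloads\\", "\\temp\\", "\\public\\"))

def lnk_powershell_tar(ev):
    """LNK double-click: explorer.exe -> powershell.exe whose command line extracts a TAR."""
    if ev["type"] != "ProcessCreate":
        return False
    return (basename_is(ev["parent"], "explorer.exe")
            and basename_is(ev["image"], "powershell.exe")
            and TAR_EXTRACT.search(ev["cmdline"]) is not None)

def unsigned_sideload(ev):
    """An executable loads an unsigned DLL that sits beside it in a user-writable directory."""
    if ev["type"] != "ImageLoad" or ev["signed"]:
        return False
    exe_dir = ntpath.dirname(ev["image"]).lower()
    dll_dir = ntpath.dirname(ev["loaded"]).lower()
    return exe_dir == dll_dir and in_user_writable(dll_dir)

def scan(events):
    """Return (rule, evidence) pairs for every event that trips a rule, in event order."""
    hits = []
    for ev in events:
        if lnk_powershell_tar(ev):
            hits.append(("lnk_powershell_tar", ev["cmdline"]))
        if unsigned_sideload(ev):
            hits.append(("unsigned_sideload", ev["loaded"]))
    return hits

if __name__ == "__main__":
    for rule, evidence in scan(EVENTS):
        print(f"[{rule}] {evidence}")
```

Both rules are starting points for hunting rather than high-fidelity signatures: legitimate software also side-loads unsigned DLLs from AppData, so tune the directory list and add a signer allow-list before alerting on the second rule.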