Targeted Cyber Espionage Across Southeast Asia

Threat actors affiliated with China have been conducting cyber espionage campaigns targeting government and law enforcement agencies across Southeast Asia throughout 2025.

Check Point Research is tracking this previously undocumented activity cluster under the moniker Amaranth-Dragon, which has links to the APT 41 ecosystem. Targeted countries include Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines.

Campaign Characteristics

Many of the campaigns were timed to coincide with sensitive local political developments, official government decisions, or regional security events. By anchoring malicious activity in familiar, timely contexts, the attackers significantly increased the likelihood that targets would engage with the content.

The attacks demonstrate a high degree of stealth and control, with infrastructure configured to interact only with victims in specific target countries in an attempt to minimize exposure and detection.

WinRAR Vulnerability Exploitation

Attack chains have been found to abuse CVE-2025-8088, a now-patched security flaw in RARLAB WinRAR that allows arbitrary code execution when a target opens a specially crafted archive.

The exploitation of this vulnerability was observed approximately eight days after its public disclosure in August 2025, demonstrating rapid adversary adaptation to newly disclosed vulnerabilities.

Tradecraft Assessment

Amaranth-Dragon's operations show:

- Narrowly focused and tightly scoped attacks indicating long-term persistence goals
- High operational security with controlled infrastructure and victim-specific interaction
- Geopolitical intelligence collection targeting regional governments and law enforcement
- Timing-based social engineering leveraging current events to increase success rates

Regional Security Implications

The campaign highlights the ongoing threat of state-sponsored cyber espionage in Southeast Asia. The group's sophisticated tradecraft and access to zero-day vulnerabilities indicate substantial resources and technical capability.

TL;DR

- China-linked Amaranth-Dragon conducts espionage campaigns across Southeast Asia
- Operations target government and law enforcement agencies in 6+ countries
- Group exploits WinRAR CVE-2025-8088 for arbitrary code execution
- Campaigns timed to coincide with sensitive political/security events
- Advanced tradecraft and tight infrastructure control minimize detection

Source: The Hacker News - Amaranth-Dragon WinRAR Espionage