New cyber espionage campaigns linked to Chinese threat actors have been identified, targeting government and law enforcement agencies across Southeast Asia throughout 2025. This sophisticated activity, dubbed “Amaranth-Dragon” by cybersecurity firm Check Point Research, exhibits a high degree of stealth and focus, indicating a long-term strategy for geopolitical intelligence gathering.
The targeted nations include Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines. These campaigns often coincide with significant local political developments, governmental decisions, or regional security events, making the lures more believable for unsuspecting targets. The operational security displayed by the attackers, including a meticulously configured infrastructure that restricts access to specific target countries, aims to minimize detection.
Amaranth-Dragon’s Sophisticated Tactics and Infrastructure
A key characteristic of Amaranth-Dragon’s tradecraft is its advanced stealth capabilities. The campaigns are “highly controlled,” and the attack infrastructure is engineered to interact only with victims in specific target countries. This approach is designed to significantly reduce the actors’ exposure and maintain their operational anonymity.
The attack chains observed frequently exploit CVE-2025-8088, a previously unknown vulnerability in RARLAB WinRAR. This flaw allows for arbitrary code execution when targets open specially crafted archives. The threat actors were quick to operationalize this vulnerability, exploiting it approximately eight days after its public disclosure in August 2025, demonstrating their technical maturity and preparedness.
While the exact initial access vector for these attacks remains unconfirmed, the highly targeted nature of the activity and the use of tailored lures point to spear-phishing emails as the likely method. Such emails would deliver malicious archive files hosted on cloud platforms like Dropbox, which helps the files bypass traditional perimeter security measures and arouse less suspicion.
Inside the malicious archives, researchers have identified a component named “Amaranth Loader.” This is launched using DLL side-loading, a tactic frequently employed by Chinese threat actors. The loader shares similarities with tools like DodgeBox, DUSTPAN (StealthVector), and DUSTTRAP, previously associated with the APT41 hacking group, suggesting a potential connection or shared resources.
Upon execution, Amaranth Loader contacts an external server to retrieve an encryption key. This key is then used to decrypt a payload obtained from a different URL. This payload is subsequently executed directly in memory. The final stage of the attack often involves the deployment of the open-source command-and-control (C2) framework known as Havoc.
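The DLL side-loading described above leaves a recognisable trace in image-load telemetry: a signed, legitimate executable maps a DLL from its own (non-system) directory that is either unsigned or signed by a different publisher. The following hunting heuristic is an added example, not Check Point Research's code; the field names follow Sysmon Event ID 7 (ImageLoad) and the sample events, signer strings and paths are constructed.

```python
"""Hunting heuristic for DLL side-loading in image-load telemetry.

Added example (not Check Point Research's code): flags a DLL that a signed
executable loads from its own, non-system directory when the DLL is unsigned
or signed by a different publisher than the host executable. Field names
follow Sysmon Event ID 7 (ImageLoad); the sample events are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional, Tuple

# DLLs loaded from these locations are the normal case and are not scored.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


@dataclass(frozen=True)
class ImageLoad:
    image: str            # full path of the loading process
    image_loaded: str     # full path of the DLL that was mapped
    process_signed: bool
    process_signer: str
    dll_signed: bool
    dll_signer: str


def _same_directory(a: str, b: str) -> bool:
    # PureWindowsPath comparisons are case-insensitive, as on NTFS.
    return PureWindowsPath(a).parent == PureWindowsPath(b).parent


def _in_system_dir(path: str) -> bool:
    return str(PureWindowsPath(path)).lower().startswith(SYSTEM_DIRS)


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a reason string when the load looks like side-loading, else None."""
    if not ev.process_signed:
        return None  # this heuristic targets signed hosts; unsigned loaders need other rules
    if _in_system_dir(ev.image_loaded) or not _same_directory(ev.image, ev.image_loaded):
        return None
    if not ev.dll_signed:
        return "unsigned DLL loaded from the signed host's own directory"
    if ev.dll_signer.strip().lower() != ev.process_signer.strip().lower():
        # Lower confidence: bundled third-party libraries legitimately trigger this.
        return "DLL publisher differs from host publisher"
    return None


def hunt(events: Iterable[ImageLoad]) -> List[Tuple[str, str, str]]:
    """Return (process, dll, reason) for every event the heuristic flags."""
    return [(ev.image, ev.image_loaded, reason)
            for ev in events if (reason := classify(ev)) is not None]


# Constructed sample telemetry; signer strings are simplified placeholders.
SAMPLE_EVENTS = [
    # A signed backup utility dropped into Temp loads an unsigned DLL next to it.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\out\RemoveBackupper.exe",
              r"C:\Users\alice\AppData\Local\Temp\out\comn.dll",
              True, "AOMEI", False, ""),
    # Same host process loading a Microsoft DLL from System32: normal.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\out\RemoveBackupper.exe",
              r"C:\Windows\System32\kernel32.dll",
              True, "AOMEI", True, "Microsoft Windows"),
    # Vendor application loading its own signed plugin: normal.
    ImageLoad(r"C:\Program Files\Example\app.exe",
              r"C:\Program Files\Example\plugin.dll",
              True, "Example Corp", True, "Example Corp"),
    # Vendor application loading a library signed by someone else: low-confidence hit.
    ImageLoad(r"C:\Program Files\Example\app.exe",
              r"C:\Program Files\Example\libcrypto.dll",
              True, "Example Corp", True, "Other Vendor"),
]

if __name__ == "__main__":
    for proc, dll, reason in hunt(SAMPLE_EVENTS):
        print(f"{reason}: {proc} -> {dll}")
```

In production the unsigned-DLL branch is the high-value alert; the publisher-mismatch branch is best used for enrichment or a lower-severity queue, since many legitimate applications ship libraries signed by their upstream vendor.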
Earlier iterations of the campaign, detected in March 2025, utilized ZIP files containing Windows shortcuts (LNK) and batch (.BAT) files to execute Amaranth Loader via DLL side-loading. A similar attack sequence was also observed in an October 2025 campaign targeting the Philippines Coast Guard, employing specific lures related to the organization.
In a separate campaign targeting Indonesia in early September 2025, the threat actors opted to distribute a password-protected RAR archive via Dropbox. This archive delivered a fully functional remote access trojan (RAT) codenamed “TGAmaranth RAT” instead of Amaranth Loader. This RAT leverages a hard-coded Telegram bot for its C2 communications.
The TGAmaranth RAT incorporates anti-debugging and anti-antivirus techniques to evade detection and analysis. Its command set includes functionalities for listing running processes, capturing screenshots, executing shell commands, downloading files, and uploading files to the infected machine.
The C2 infrastructure for these operations is secured by Cloudflare and configured to accept traffic exclusively from IP addresses within the targeted countries. This sophisticated setup highlights how advanced threat actors can leverage legitimate, trusted infrastructure to conduct clandestine operations and targeted attacks.
The observed overlaps in malware, development style, and infrastructure management, particularly the compilation timestamps and campaign timing aligning with China Standard Time (UTC+8), strongly indicate that Amaranth-Dragon is closely linked to, or an integral part of, the APT41 ecosystem. This continuation of established targeting and tool development patterns in the region is a significant concern.
Mustang Panda Deploys PlugX Variant
Meanwhile, another Chinese nation-state group, known as Mustang Panda, has been implicated in a distinct campaign dubbed “PlugX Diplomacy.” Between December 2025 and mid-January 2026, this group targeted officials involved in diplomacy, elections, and international coordination across various regions.
This operation reportedly relied on impersonation and trust, rather than exploiting software vulnerabilities. Victims were tricked into opening files disguised as U.S.-linked diplomatic summaries or policy documents. The mere act of opening these files was sufficient to initiate the compromise.
These phishing documents pave the way for deploying a custom variant of PlugX, a long-standing malware used by Mustang Panda for covert data harvesting and maintaining persistent access. This variant, identified as DOPLUGS, has been observed in the wild since at least late December 2022.
The attack chains for PlugX Diplomacy typically involve malicious ZIP attachments containing lures related to official meetings, elections, and international forums. Each ZIP file contains a single LNK file that, when executed, triggers a PowerShell command. This command extracts and deploys a TAR archive.
The embedded PowerShell logic extracts the payload from the ZIP archive and writes it to disk. The extracted data is treated as a TAR archive and unpacked using the native `tar.exe` utility, demonstrating a consistent reliance on “living-off-the-land” binaries (LOLBins) throughout the infection chain.
The TAR archive contains three key files: a legitimate signed executable from AOMEI Backupper vulnerable to DLL search-order hijacking (“RemoveBackupper.exe”), an encrypted PlugX payload (“backupper.dat”), and a malicious DLL (“comn.dll”) that is sideloaded by the executable to load PlugX.
Once executed, the legitimate AOMEI Backupper executable displays a decoy PDF document to the user, creating a false sense of normalcy. In the background, DOPLUGS is installed on the compromised host.
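The chain described in the preceding paragraphs (LNK launched from Explorer, PowerShell spawning `tar.exe` in extraction mode, then a binary executing from a user-writable directory) can be detected from process-creation telemetry alone. The following is an added example, not code from the original report: it reconstructs the process tree from events shaped like Sysmon Event ID 1 and reports PowerShell processes whose subtree shows both behaviours. The sample events, GUIDs, user name and paths are constructed; the PowerShell command body is a placeholder.

```python
"""Process-tree detection for the LNK -> PowerShell -> tar.exe -> dropped-binary chain.

Added example (not from the original report). Input events mirror Sysmon
Event ID 1 (ProcessCreate) fields; the sample below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional

USER_WRITABLE_MARKERS = ("\\appdata\\", "\\downloads\\", "\\temp\\",
                         "\\programdata\\", "\\public\\")
SHELLS = ("powershell.exe", "pwsh.exe")


@dataclass(frozen=True)
class ProcessCreate:
    guid: str
    parent_guid: Optional[str]
    image: str          # full path of the new process
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def _is_extract(cmd: str) -> bool:
    """True when a tar command line asks for extraction (-x..., -xf, --extract)."""
    for tok in cmd.split()[1:]:
        if tok == "--extract":
            return True
        if tok.startswith("-") and not tok.startswith("--") and "x" in tok[1:]:
            return True
    return False


def find_lolbin_chains(events: Iterable[ProcessCreate]) -> List[Dict[str, object]]:
    """Return one finding per PowerShell process that spawned tar.exe in extraction
    mode and later had a descendant execute from a user-writable directory."""
    by_guid: Dict[str, ProcessCreate] = {e.guid: e for e in events}

    def ancestors(e: ProcessCreate) -> Iterator[ProcessCreate]:
        seen = set()
        while e.parent_guid in by_guid and e.parent_guid not in seen:
            seen.add(e.parent_guid)
            e = by_guid[e.parent_guid]
            yield e

    def shell_root(e: ProcessCreate) -> Optional[ProcessCreate]:
        return next((a for a in ancestors(e) if _basename(a.image) in SHELLS), None)

    findings: Dict[str, Dict[str, object]] = {}
    # Pass 1: tar.exe extraction with a PowerShell ancestor.
    for e in by_guid.values():
        if _basename(e.image) == "tar.exe" and _is_extract(e.command_line):
            root = shell_root(e)
            if root is not None:
                f = findings.setdefault(root.guid, {"root_guid": root.guid,
                                                    "tar_guids": [], "dropped_guids": []})
                f["tar_guids"].append(e.guid)
    # Pass 2: anything under that PowerShell executing from a user-writable path.
    for e in by_guid.values():
        if not _user_writable(e.image):
            continue
        root = shell_root(e)
        if root is not None and root.guid in findings:
            findings[root.guid]["dropped_guids"].append(e.guid)
    return [f for f in findings.values() if f["dropped_guids"]]


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    ProcessCreate("p1", None, r"C:\Windows\explorer.exe", "explorer.exe"),
    # LNK opened in Explorer launches the embedded PowerShell command (body omitted).
    ProcessCreate("p2", "p1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "powershell.exe -NoProfile -Command <extract-and-deploy logic omitted>"),
    ProcessCreate("p3", "p2", r"C:\Windows\System32\tar.exe",
                  r"tar.exe -xf C:\Users\alice\AppData\Local\Temp\meeting.tar "
                  r"-C C:\Users\alice\AppData\Local\Temp\out"),
    ProcessCreate("p4", "p2", r"C:\Users\alice\AppData\Local\Temp\out\RemoveBackupper.exe",
                  "RemoveBackupper.exe"),
    # Benign: an administrator extracting an archive from cmd.exe.
    ProcessCreate("p5", "p1", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessCreate("p6", "p5", r"C:\Windows\System32\tar.exe",
                  r"tar.exe -xf C:\Users\alice\Downloads\logs.tar"),
    # Benign: interactive PowerShell with no tar.exe child.
    ProcessCreate("p7", "p1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "powershell.exe"),
]

if __name__ == "__main__":
    for finding in find_lolbin_chains(SAMPLE_EVENTS):
        print(finding)
```

Requiring both conditions under one PowerShell root keeps the rule quiet on administrators who use `tar.exe` from a shell; the two benign branches in the sample produce no finding. In a real deployment the parent-image check (Explorer spawning PowerShell) and the LNK's own command line are natural extra conditions to add.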
The correlation between actual diplomatic events and the timing of these lures suggests that similar campaigns are likely to continue as geopolitical developments evolve. Organizations operating in diplomatic, governmental, and policy-oriented sectors should consider malicious LNK distribution methods and DLL search-order hijacking via legitimate executables as persistent, high-priority threats.