Espionage Goes Stealth: China-Linked Hackers Exploit WinRAR Flaw in Targeted Attacks Across Southeast Asia
A new report from Check Point Research reveals a sophisticated cyber espionage campaign, dubbed Amaranth-Dragon, targeting government and law enforcement agencies across Southeast Asia. This isn't your average phishing scam; it's a meticulously planned operation with an unusual level of precision. But here's where it gets even more alarming: the attackers are leveraging a recently patched vulnerability in WinRAR, a widely used file compression tool, to gain access to sensitive systems.
This campaign, active throughout 2025, has set its sights on Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines. Check Point researchers believe Amaranth-Dragon is linked to the notorious APT41 group, known for its advanced hacking capabilities. What's truly concerning is the campaign's timing: many attacks coincided with sensitive political events, government decisions, or regional security issues. This strategic timing increases the likelihood of targets falling for the ruse, as the malicious content appears relevant and urgent.
And this is the part most people miss: the attackers are masters of stealth. Their infrastructure is highly controlled, interacting only with victims in specific target countries, minimizing the risk of detection. They exploit CVE-2025-8088, a WinRAR vulnerability allowing remote code execution, with alarming speed and precision. This vulnerability, patched in August 2025, was weaponized within days of its public disclosure, highlighting the group's technical prowess and preparedness.
The attack chain is complex. Malicious RAR files, disguised as legitimate documents related to regional affairs, are distributed via spear-phishing emails. These files contain a custom-built loader, Amaranth Loader, which employs DLL side-loading, a tactic favored by Chinese threat actors. This loader fetches an encryption key from a remote server, decrypts a payload, and executes it directly in memory, leaving minimal traces. The final payload is often Havoc, an open-source command-and-control framework, allowing the attackers to maintain persistent access to compromised systems.
Interestingly, earlier versions of the campaign used ZIP files with Windows shortcuts and batch scripts to execute the loader. A campaign targeting the Philippines Coast Guard in October 2025 employed similar tactics. Another campaign, aimed at Indonesia in September 2025, delivered a password-protected RAR archive containing a remote access trojan (RAT) named TGAmaranth RAT. This RAT, controlled via a Telegram bot, allows attackers to execute commands, capture screenshots, and exfiltrate data from infected machines.
The use of legitimate cloud platforms like Dropbox for hosting malicious files and Cloudflare for securing their C2 infrastructure demonstrates the attackers' ability to exploit trusted services for their nefarious purposes. This raises a crucial question: how can we effectively defend against such sophisticated attacks that leverage legitimate tools and services?
The connection between Amaranth-Dragon and APT41 is strengthened by similarities in malware tools, development styles, and operational patterns. Compilation timestamps, campaign timing, and infrastructure management all point to a well-organized team operating within China's time zone.
But the threat doesn't stop there. Dream Research Labs has uncovered another campaign, dubbed PlugX Diplomacy, orchestrated by the Chinese nation-state group Mustang Panda. This campaign targets diplomats, election officials, and international coordinators, using a different tactic: impersonation and trust. Victims are lured into opening seemingly legitimate diplomatic documents, which secretly deploy a customized variant of PlugX malware, known as DOPLUGS. This malware has been active since late 2022, allowing attackers to steal data and maintain persistent access to compromised systems.
PlugX Diplomacy relies on malicious ZIP attachments containing LNK files that trigger PowerShell commands. These commands extract a TAR archive containing a legitimate executable vulnerable to DLL hijacking, an encrypted PlugX payload, and a malicious DLL. The executable displays a decoy PDF, while DOPLUGS is silently installed in the background.
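Both delivery chains described above (Amaranth-Dragon's ZIP archives carrying Windows shortcuts and batch scripts alongside a side-loaded DLL, and PlugX Diplomacy's ZIP attachments carrying LNK files and a nested TAR with a legitimate executable plus a malicious DLL) share structural tells that a mail gateway or sandbox can flag before any file is opened. The following Python script is an added example written for this article, not code from Check Point, Dream Research Labs, or any of the reports cited; it inspects a ZIP attachment's member list and reports shortcut or script members, nested archives, double extensions such as `report.pdf.lnk`, traversal-style member names, and an executable shipped next to a DLL (the staging pattern for DLL side-loading). The extension lists, the `triage_zip` and `build_sample` function names, and the sample archives are all constructed for the example; no real campaign file names are used.

```python
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed heuristic lists for this example (not from the cited reports).
SHORTCUT_OR_SCRIPT = {".lnk", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta"}
NESTED_ARCHIVE = {".zip", ".rar", ".tar", ".7z"}
DOCUMENT_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx"}


@dataclass
class TriageResult:
    """Collected findings for one archive; empty findings means nothing flagged."""
    findings: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def _basename(member: str) -> str:
    """Return the lower-cased file name part of an archive member path."""
    return member.lower().rsplit("/", 1)[-1]


def _ext(member: str) -> str:
    """Return the final extension (with dot) of a member, or '' if none."""
    base = _basename(member)
    return "." + base.rsplit(".", 1)[1] if "." in base else ""


def triage_zip(data: bytes) -> TriageResult:
    """Inspect a ZIP attachment's member names for delivery-chain tells.

    Only the central directory is read; no member is extracted or executed.
    """
    result = TriageResult()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [info.filename for info in zf.infolist() if not info.is_dir()]

    exts = {name: _ext(name) for name in members}
    for name, ext in exts.items():
        if ext in SHORTCUT_OR_SCRIPT:
            result.findings.append(f"shortcut/script inside archive: {name}")
        if ext in NESTED_ARCHIVE:
            result.findings.append(f"nested archive: {name}")
        # "Invitation.pdf.lnk": a document-looking name with a hidden final extension.
        parts = _basename(name).split(".")
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_LIKE:
            result.findings.append(f"double extension: {name}")
        # Generic archive-safety check: member names must stay inside the extraction dir.
        if name.startswith("/") or ".." in name.split("/"):
            result.findings.append(f"traversal-style member name: {name}")

    # A signed, legitimate EXE shipped beside a DLL is how side-loading is staged.
    if ".exe" in exts.values() and ".dll" in exts.values():
        result.findings.append("executable shipped alongside a DLL (side-loading staging)")
    return result


def build_sample(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name->content mapping (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples mirroring the two archive layouts described in the article.
    samples = {
        "benign memo": build_sample({"memo.pdf": b"%PDF-1.4", "notes.txt": b"hello"}),
        "lnk + nested tar": build_sample(
            {"Invitation.pdf.lnk": b"L\x00\x00\x00", "docs/payload.tar": b"\x00" * 512}
        ),
        "exe + dll side-loading": build_sample(
            {"viewer.exe": b"MZ", "version.dll": b"MZ", "decoy.pdf": b"%PDF-1.4"}
        ),
    }
    for label, blob in samples.items():
        verdict = triage_zip(blob)
        print(f"{label}: {'FLAG' if verdict.suspicious else 'ok'}")
        for finding in verdict.findings:
            print(f"  - {finding}")
```

The script deliberately reads only the central directory, so it never extracts members and is safe to run on quarantined attachments; in a gateway it would sit in front of detonation, routing anything flagged to a sandbox rather than the user. RAR archives, which the Amaranth-Dragon chain also uses, would need a third-party reader, but the same member-name heuristics apply unchanged.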
The correlation between these campaigns and real-world diplomatic events suggests a disturbing trend: cyber espionage is becoming increasingly targeted and sophisticated, exploiting trust and timely information to infiltrate sensitive systems.
As geopolitical tensions rise, organizations operating in diplomatic, governmental, and policy-oriented sectors must be hyper-vigilant. Malicious LNK files, DLL hijacking, and the exploitation of legitimate software vulnerabilities pose significant threats. Staying ahead of these evolving tactics requires constant vigilance, robust cybersecurity measures, and a deep understanding of the ever-changing threat landscape.
What do you think? Are we doing enough to combat these sophisticated cyber espionage campaigns? How can we better protect ourselves from attacks that exploit trust and legitimate tools? Let us know in the comments below.