China-Linked Hackers Step Up Quiet Spying Across South-East Asia

Two new cyber-espionage campaigns show how Chinese threat groups are using stealth, political timing and trusted cloud services.

Threat actors linked to China have been blamed for a new wave of cyber-espionage campaigns targeting government and law-enforcement agencies across South-East Asia during 2025, according to several media reports. Researchers at Check Point Research said they are tracking a previously undocumented cluster, which they have named Amaranth-Dragon, that has targeted Cambodia, Thailand, Laos, Indonesia, Singapore and the Philippines.

The activity shows technical and operational links to APT41, a well-known Chinese hacking ecosystem.  
“Many of the campaigns were timed to coincide with sensitive local political developments, official government decisions, or regional security events,” Check Point said. “By anchoring malicious activity in familiar, timely contexts, the attackers significantly increased the likelihood that targets would engage with the content.” 

The firm described the operations as tightly scoped and deliberately restrained, suggesting an effort to establish long-term access rather than cause disruption. Infrastructure was configured to communicate only with victims in specific countries, reducing the risk of discovery. 

A key technique involved exploiting CVE-2025-8088, a now-patched flaw in WinRAR that allows arbitrary code execution when a malicious archive is opened. Check Point said the group began exploiting the vulnerability within days of its public disclosure in August. “The speed and confidence with which this vulnerability was operationalised underscores the group’s technical maturity and preparedness,” the researchers said. 

Although the initial infection vector remains unclear, analysts believe spear-phishing emails were used to distribute malicious RAR files hosted on cloud services such as Dropbox. Once opened, the archive launches a loader using DLL side-loading, a tactic frequently associated with Chinese groups. The loader then retrieves an encryption key from one server, decrypts a payload from another location and executes it directly in memory. 

The final stage deploys Havoc, an open-source command-and-control framework. Earlier versions of the campaign relied on ZIP files containing Windows shortcuts and batch files, while a separate operation in Indonesia delivered a custom remote-access trojan known as TGAmaranth RAT. That malware used a hard-coded Telegram bot for command and control and supported functions such as taking screenshots, running shell commands and transferring files. 

Check Point said the command infrastructure was shielded by Cloudflare and restricted by geography, accepting traffic only from targeted countries. Compilation times and working patterns pointed to operators based in China’s time zone. 

“In addition, the development style closely mirrors established APT41 practices,” the company said, adding that overlaps in tools and techniques suggest shared resources within the ecosystem. The findings come as another Chinese group, Mustang Panda, was linked to a separate espionage campaign uncovered by Dream Research Labs. The operation, dubbed PlugX Diplomacy, targeted officials involved in diplomacy, elections and international coordination between December 2025 and mid-January 2026.  

“Rather than exploiting software vulnerabilities, the operation relied on impersonation and trust,” Dream said. 

Victims were lured into opening files disguised as diplomatic or policy documents, which triggered infection automatically. The files installed a modified version of PlugX, a long-used Chinese espionage tool, through a multi-step process involving Windows shortcuts, PowerShell scripts and DLL search-order hijacking using a legitimate signed executable. A decoy document was shown to victims while the malware quietly embedded itself in the system. 
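Both infection chains described above end with a legitimately signed executable loading an attacker-supplied DLL from its own directory (DLL side-loading or search-order hijacking). As an added defender-side example, not code from the article, Check Point or Dream, the following Python pass scans constructed Sysmon-style image-load events for that pattern; the event fields, the trusted-root list and the sample paths are assumptions.

```python
# Added example: flag the DLL side-loading pattern in image-load telemetry.
# Assumed event shape: process path + signature state, loaded image path +
# signature state (what Sysmon event ID 7 style records typically carry).
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Locations where a signed executable is expected to live (assumption);
# anything else (Temp, Downloads, AppData, Public) is treated as user-writable.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\",
                 "c:\\program files (x86)\\")


@dataclass
class ImageLoad:
    process: str          # full path of the process that loaded the image
    process_signed: bool  # process binary carries a valid signature
    image: str            # full path of the DLL that was loaded
    image_signed: bool    # DLL carries a valid signature


def _under_trusted_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def is_suspicious_sideload(ev: ImageLoad) -> bool:
    """Signed binary, running outside trusted roots, loading an unsigned DLL
    that sits in the binary's own directory: the side-loading shape."""
    if not ev.process_signed or ev.image_signed:
        return False
    if _under_trusted_root(ev.process):
        return False
    proc_dir = str(PureWindowsPath(ev.process).parent).lower()
    dll_dir = str(PureWindowsPath(ev.image).parent).lower()
    return proc_dir == dll_dir


def find_sideloads(events):
    return [ev for ev in events if is_suspicious_sideload(ev)]


# Constructed sample events (not real indicators). Only the first mimics the
# described chain: a signed vendor binary dropped into Temp loading an
# unsigned DLL beside it. The rest are benign loads that must not alert.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\upd\vendor.exe", True,
              r"C:\Users\alice\AppData\Local\Temp\upd\version.dll", False),
    ImageLoad(r"C:\Windows\System32\notepad.exe", True,
              r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\upd\vendor.exe", True,
              r"C:\Windows\System32\kernel32.dll", True),
    ImageLoad(r"C:\Users\alice\Downloads\tool.exe", False,
              r"C:\Users\alice\Downloads\helper.dll", False),
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"possible DLL side-loading: {hit.process} -> {hit.image}")
```

The co-location test alone will not catch every variant (the DLL may be loaded from a search-order directory other than the binary's own), so in production it belongs alongside parent-process checks for shortcut and PowerShell launches like those the article describes.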

“The correlation between actual diplomatic events and the timing of detected lures suggests that analogous campaigns are likely to persist as geopolitical developments unfold,” Dream concluded.