{
	"id": "f5520c48-7724-430f-84fc-db1b4ceacf71",
	"created_at": "2026-04-10T03:20:48.270079Z",
	"updated_at": "2026-04-10T13:12:44.616867Z",
	"deleted_at": null,
	"sha1_hash": "3abbf0ff9f33013964e34b8f1d7af4303e628981",
	"title": "Amaranth‑Dragon Espionage Targeting Southeast Asia Exposed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51481,
	"plain_text": "Amaranth-Dragon Espionage Targeting Southeast Asia Exposed\r\nBy rohann@checkpoint.com\r\nPublished: 2026-02-04 · Archived: 2026-04-10 02:00:16 UTC\r\nExecutive Summary\r\nCheck Point Research uncovered highly targeted cyber espionage campaigns aimed at government and law enforcement agencies across the ASEAN region throughout 2025.\r\nThe activity is attributed to Amaranth-Dragon, a previously untracked threat actor assessed to be closely linked to the China-affiliated APT-41 ecosystem.\r\nThe group weaponized newly disclosed vulnerabilities within days, including a critical WinRAR flaw, and paired them with lures tied to real-world political and security events.\r\nThese operations demonstrate state-level discipline and precision, using country-restricted infrastructure, trusted cloud services, and stealthy tooling to quietly collect intelligence.\r\nA New Cyber Espionage Campaign Unfolds in Southeast Asia\r\nThroughout 2025, Check Point Research observed a series of cyber espionage campaigns quietly unfolding across Southeast Asia. Unlike opportunistic cyber crime, these operations were narrowly focused on government institutions and law enforcement agencies, suggesting a clear objective: long-term geopolitical intelligence collection.\r\nMany of the campaigns were timed to coincide with sensitive local political developments, official government decisions, or regional security events. By anchoring malicious activity in familiar, timely contexts, the attackers significantly increased the likelihood that targets would engage with the content.\r\nOur analysis attributes these campaigns to Amaranth-Dragon, a threat group not previously documented publicly. Tooling and operational patterns show strong similarities to APT-41, one of the most active and capable Chinese-affiliated cyber espionage groups, suggesting shared resources, knowledge, or direct affiliation.\r\nThe campaigns were designed to be highly controlled. Attack infrastructure was configured to interact only with victims in specific target countries, limiting exposure beyond intended targets. Once access was established, attackers deployed tools commonly used in legitimate security testing, repurposed here to maintain persistent access.\r\nExploiting Speed: Turning Disclosure Into Opportunity\r\nA critical moment in Amaranth-Dragon’s activity came with the disclosure of CVE-2025-8088, a vulnerability affecting the popular WinRAR compression utility. Within days of public disclosure, and shortly after exploit code appeared online, the group had already incorporated the vulnerability into live campaigns. The speed and confidence with which this vulnerability was operationalized underscore the group’s technical maturity and preparedness.\r\nhttps://blog.checkpoint.com/research/amaranth-dragon-targeted-cyber-espionage-campaigns-across-southeast-asia/\r\nPage 1 of 3\r\nCampaigns Built Around Countries, Not Volume\r\nAmaranth-Dragon campaigns\r\nSince March 2025, Check Point Research has tracked multiple Amaranth-Dragon campaigns targeting Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines. Each operation was tightly scoped, typically focusing on just one or two countries at a time.\r\nRather than relying on mass distribution, the attackers tailored their lures to local political, economic, or military developments, such as government salary announcements or joint regional exercises. While the exact delivery channel could not be conclusively confirmed, the highly targeted nature of the campaigns strongly suggests the use of phishing emails sent directly to intended victims. Malicious archive files were often hosted on well-known cloud platforms, lending an air of legitimacy and reducing suspicion.\r\nA standout characteristic of these campaigns was strict geographic enforcement. The attackers’ infrastructure actively rejected connections from outside the intended target countries, limiting exposure and complicating external investigation. This level of control is rarely seen in criminal operations and is strongly associated with state-aligned espionage.\r\nOver time, the campaigns evolved in sophistication, culminating in late-2025 operations targeting the Philippine government and maritime agencies, carefully timed around official national events.\r\nAttribution: A Clear Line to APT-41\r\nMultiple technical and operational indicators link Amaranth-Dragon to APT-41, a long-running China-linked cyber espionage group known for targeting governments worldwide.\r\nBoth groups share a focus on Southeast Asian government and law enforcement entities, as well as similar approaches to tool development and campaign execution. Patterns in infrastructure management, operational timing, and development practices point to a well-resourced team operating within the UTC+8 time zone.\r\nTaken together, these overlaps strongly suggest that Amaranth-Dragon is either closely affiliated with or operating as part of the broader APT-41 ecosystem, extending established espionage efforts in the region under a new operational identity.\r\nWhat This Means for Defenders\r\nThese campaigns underscore how modern cyber espionage combines speed, precision, and geopolitical intent. Vulnerabilities can be weaponized within days of disclosure, and carefully tailored phishing attacks can bypass traditional perimeter defenses. For government agencies and organizations in sensitive sectors, this highlights the importance of rapid patching, strong visibility into file-based threats, and layered security across both endpoints and communication channels.\r\nCheck Point Harmony Endpoint and Harmony Email \u0026 Collaboration support these efforts by helping organizations reduce exposure to targeted, file-based attacks like those observed in this activity.\r\nRead the Full Research Report\r\nThis blog highlights key findings from an ongoing investigation. For full technical details, campaign timelines, and indicators of compromise, read the complete Check Point Research report here.\r\nSource: https://blog.checkpoint.com/research/amaranth-dragon-targeted-cyber-espionage-campaigns-across-southeast-asia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.checkpoint.com/research/amaranth-dragon-targeted-cyber-espionage-campaigns-across-southeast-asia/"
	],
	"report_names": [
		"amaranth-dragon-targeted-cyber-espionage-campaigns-across-southeast-asia"
	],
	"threat_actors": [],
	"ts_created_at": 1775791248,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3abbf0ff9f33013964e34b8f1d7af4303e628981.pdf",
		"text": "https://archive.orkl.eu/3abbf0ff9f33013964e34b8f1d7af4303e628981.txt",
		"img": "https://archive.orkl.eu/3abbf0ff9f33013964e34b8f1d7af4303e628981.jpg"
	}
}