Amaranth-Dragon Targets Southeast Asian Governments Using New Exploits
Amaranth-Dragon, associated with APT-41, has conducted targeted cyber-espionage campaigns against governmental and law enforcement agencies across Southeast Asia since March 2025. The group has exploited a recently disclosed vulnerability in WinRAR (CVE-2025-8088) to deliver malicious payloads.
The attacks typically revolve around geopolitical events, using lures cleverly tied to contemporary issues. Amaranth-Dragon employed a custom loader known as the Amaranth Loader to execute their attacks. After exploiting CVE-2025-8088, which allows arbitrary code execution through specially crafted RAR archives, the group achieved persistence by dropping malicious scripts in the Startup folder. This loader then downloads encrypted payloads that often include the Havoc Command and Control (C2) Framework via infrastructure masked with geo-targeting capabilities.
The recent addition of TGAmaranth RAT, a Telegram-based remote access tool, enhances their operational complexity. This tool features anti-detection mechanisms and enables command and control via Telegram, allowing the adversaries to execute commands remotely on infected machines. Various campaigns have targeted countries like Malaysia, Indonesia, Thailand, and the Philippines, strategically timed to leverage local political climates.
Why This Matters
The implications of these attacks extend beyond technical breaches. Targets like government agencies face significant data theft risks that could jeopardize national security. For defenders, these incidents emphasize the necessity for constant patch management and user education to mitigate risks from new vulnerabilities exploited by sophisticated threat actors.
Defense Strategies
Implementing robust SIEM solutions, timely vulnerability management for newly disclosed CVEs, and monitoring for suspicious archive activity can mitigate risks. Organizations should establish comprehensive threat detection and response protocols to effectively counteract threats like those posed by Amaranth-Dragon.
Indicators of Compromise (IOCs)
- Malicious RAR Archives:
- Hash: 259819d1ae6421c2871f2ba0d128089036a0b29b92b8fa4d3e7f42036fc297a3b765e365e27cdce5e34d7e8ba4bb949aa5c491b950ab30688d5dbadc
- URLs:
dropbox.com/scl/fi/ln6q8ip8k3dvx6xxyi71s/gs.rar?rlkey=w9vg1ehva23iitfdt5oh2x6cjsoftwares.dailydownloads.net/products/microsoft/office/product-key/DB2F.activation.key
- TGAmaranth RAT:
- Hash: 803fb65a58808fd3752f9f76b5c75ca914196305
