Amaranth Dragon: a new wave of cyberespionage against South-East Asian governments using CVE-2025-8088 and DLL side-loading

Published · 5 min read · 137 reads

A new wave of cyber-espionage campaigns was detected throughout 2025, targeting government agencies and law enforcement bodies in South-East Asia. Check Point Research has grouped this set of operations under the name Amaranth-Dragon, a cluster whose arsenal and modus operandi appear to tie it to the ecosystem known as APT41. The target countries include Cambodia, Thailand, Laos, Indonesia, Singapore and the Philippines, and the intrusions stand out for their high level of stealth and for being timed to coincide with regional political and security events. Check Point's technical report on these operations is available at research.checkpoint.com.

At the centre of many of these campaigns is the exploitation of a WinRAR vulnerability, tracked as CVE-2025-8088, which allows code execution on the victim's machine when a specially crafted archive is opened. The flaw is a path traversal: a malicious archive can cause files to be written outside the chosen extraction directory, and the fix shipped in WinRAR 7.13. According to the investigators, the attackers began using exploits for this flaw only days after its public disclosure, which shows rapid operational capacity and technical preparation. The vulnerability and its status are recorded in the CVE registry under CVE-2025-8088.
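The two checks a defender would want here are whether an installed WinRAR predates the 7.13 fix and whether an archive's entry names carry the ingredients of the traversal described above. The following Python helpers are an added example for this article, not Check Point's code and not an exploit: they assume entry names have already been obtained from a separate lister (for instance the bare listing produced by `unrar lb`), the sample names are constructed, and the alternate-data-stream, `..`, absolute-path and Startup-folder heuristics are this example's own assumptions about what a weaponised entry name looks like.

```python
"""Triage helpers for CVE-2025-8088-style archives (added example, not Check Point code)."""
import re

# WinRAR 7.13 is the first release carrying the fix; anything older is exposed.
FIXED_VERSION = (7, 13)

# Auto-run destinations a dropped file would aim for (assumption for this example),
# matched case-insensitively against the backslash-normalised entry name.
AUTORUN_MARKERS = (
    r"\microsoft\windows\start menu\programs\startup",
    r"\start menu\programs\startup",
)

_DRIVE = re.compile(r"^[A-Za-z]:")


def parse_version(text: str) -> tuple:
    """Turn strings such as 'WinRAR 7.12' or '7.13.0' into a comparable (major, minor)."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return (int(m.group(1)), int(m.group(2)))


def winrar_is_vulnerable(version_text: str) -> bool:
    """True when the reported version is older than the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def classify_entry(name: str) -> list:
    """Return the reasons an archive entry name is suspicious (empty list if clean)."""
    reasons = []
    norm = name.replace("/", "\\")
    has_drive = _DRIVE.match(norm) is not None
    body = norm[2:] if has_drive else norm

    # Absolute (C:\...) or UNC (\\server\share) destinations should never be inside an archive.
    if has_drive or body.startswith("\\"):
        reasons.append("absolute or UNC path")

    # 'file.txt:stream' is NTFS alternate data stream syntax; a traversal hidden in the
    # stream name is exactly what the fixed bug lets through.
    streams = body.split(":")
    if len(streams) > 1:
        reasons.append("alternate data stream in name")

    # Check every colon-separated part for a '..' directory segment.
    for part in streams:
        if ".." in part.split("\\"):
            reasons.append("path traversal segment '..'")
            break

    if any(marker in norm.lower() for marker in AUTORUN_MARKERS):
        reasons.append("targets a Startup folder")
    return reasons


def suspicious_entries(names) -> dict:
    """Map each suspicious entry name to its list of reasons."""
    result = {}
    for n in names:
        reasons = classify_entry(n)
        if reasons:
            result[n] = reasons
    return result


# Constructed sample listing: one benign decoy and two weaponised entry names.
SAMPLE_ENTRIES = [
    "Meeting_Agenda_2025.pdf",
    "notes.txt:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "..\\..\\Users\\Public\\runner.dll",
]

if __name__ == "__main__":
    print("WinRAR 7.12 vulnerable:", winrar_is_vulnerable("WinRAR 7.12"))
    for entry, reasons in suspicious_entries(SAMPLE_ENTRIES).items():
        print(entry, "->", ", ".join(reasons))
```

The version check is deliberately lenient (it only compares major.minor) because installed-version strings from inventory tools vary in format; the entry classifier is a triage filter, not a parser of the RAR format itself, so run it on the archive listing before anyone extracts the file.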

Image generated with AI.

As for the mechanics of the attack, the researchers describe a hybrid use of techniques: the adversaries distribute archives hosted on legitimate cloud services such as Dropbox, using lures that reference official news or government decisions to increase the likelihood that the recipient opens the file. The malicious archive contains a dynamic-link library (DLL), dubbed Amaranth Loader, which is activated through DLL side-loading, a technique in which a legitimate (often signed) executable is made to load a malicious library placed alongside it. The loading process fetches a key, retrieves an encrypted payload from a second URL, and decrypts and executes it directly in memory; because key and payload are only fetched at run time, the archive alone does not contain a payload that can be recovered statically. Final control of the compromised machine is established through the open-source C2 framework Havoc (github.com/HavocFramework/Havoc).

Not all variants used exactly the same tactic. Initial versions observed in early 2025 relied on ZIP files containing Windows shortcuts (LNK) and batch scripts (BAT) to trigger the side-loading of the DLL. Another campaign, aimed at Indonesia, delivered a remote-access Trojan nicknamed TGAMaranth RAT, distributed inside a password-protected RAR; it uses a Telegram bot as its command channel, with predefined commands to exfiltrate information, take screenshots or transfer files. These variants commonly incorporate anti-analysis techniques and antivirus-evasion features.

A striking operational feature of Amaranth-Dragon's intrusions is how the command-and-control infrastructure was configured to minimise exposure: the C2 servers sat behind Cloudflare and were set to accept connections only from IP addresses geolocated in the targeted country or countries, reducing visibility and the risk of detection outside the target area. A practical consequence for analysts is that a sandbox or researcher connecting from outside the region will see no response, so a failure to reproduce beaconing from elsewhere does not mean the infrastructure is dead. Together with compilation timestamps, time zones and the way the infrastructure was managed, all of this points, according to the analysts, to a well-funded and disciplined team operating in the UTC+8 time range.

Attribution to APT41 rests on technical overlaps: tool similarities, code development patterns (for example, creating threads inside exported functions to run the malicious code) and the reuse of tactics such as DLL side-loading. It is worth remembering, however, that actors attributed to the same country often exchange tools and techniques, so the boundaries between groups can be blurred.

In parallel with this finding, another firm, Dream Research Labs, based in Tel Aviv, has documented a different campaign, called PlugX Diplomacy and attributed to the actor known as Mustang Panda. In that operation the attackers used no new exploit and bet instead on abusing trust: attachments posing as diplomatic summaries or international-policy documents were enough to compromise the recipient. The execution vector again revolved around an archive containing a single LNK. When run, it launched a PowerShell command that extracted a TAR archive and dropped a chain of files: a signed executable susceptible to DLL search-order hijacking, a malicious DLL and an encrypted file carrying the PlugX payload. The Dream report is available at dreamgroup.com. The technique of abusing legitimate executables to load malicious libraries is catalogued in the MITRE ATT&CK framework as DLL Side-Loading (T1574.002).

Image generated with AI.

Both waves leave clear lessons for exposed administrations and organisations: the attackers combine contextualised lures with the abuse of legitimate services and binaries to reduce obvious signs of compromise, and they time their actions to real events to make the bait more credible. In addition, the use of third-party-fronted infrastructure and traffic geofencing shows that the attackers invest in low-profile operations in order to keep long-term access and collect geopolitical intelligence.

From the defence perspective it is crucial to apply patches and updates as soon as they are available (in this case, update WinRAR to 7.13 or later to close the CVE mentioned above), restrict the automatic execution of content from archives or unverified links, harden e-mail controls to reduce spear-phishing, and monitor endpoints for DLL side-loading indicators, such as a DLL with a Windows system library's name being loaded from a user-writable directory, or a signed executable loading an unsigned DLL from its own folder under Downloads, Temp or AppData, together with unusual process execution. It is also advisable to review proxy and firewall configurations to detect connection patterns to legitimate cloud services that may be serving as repositories for malicious payloads. To better understand the phenomenon and the techniques used, reference frameworks such as MITRE ATT&CK provide detailed context on the tactics and techniques observed in this type of campaign: attack.mitre.org.
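The side-loading pattern described for Amaranth Loader, for the PlugX Diplomacy chain and in the monitoring advice above can be turned into a concrete endpoint check. The following Python script is an added example for this article, not code from Check Point, Dream or either campaign: it evaluates Sysmon Event ID 7 (image loaded) records exported as JSON lines, using the real Sysmon field names Image, ImageLoaded, Signed and SignatureStatus, while the sample events, the list of commonly impersonated system DLLs and the set of trusted installation roots are this example's own constructed assumptions.

```python
"""Heuristic DLL side-loading detector over Sysmon Event ID 7 records (added example)."""
import json
import ntpath  # Windows path semantics regardless of the host running the script

# DLL names that legitimately live under the Windows directory and are frequently
# impersonated by side-loaded libraries (assumed list for this example).
SYSTEM_DLLS = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll",
    "cryptbase.dll", "profapi.dll", "msimg32.dll", "winmm.dll",
}

# Roots under which an EXE and its private DLLs are expected to coexist; anything
# else (Downloads, Temp, AppData, Public, removable media) is treated as user-writable.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")


def under_trusted_root(path: str) -> bool:
    p = path.lower()
    return any(p == root or p.startswith(root + "\\") for root in TRUSTED_ROOTS)


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith(r"c:\windows" + "\\")


def assess_image_load(ev: dict) -> list:
    """Return findings for one Event ID 7 record; an empty list means nothing suspicious."""
    exe, dll = ev["Image"], ev["ImageLoaded"]
    dll_name = ntpath.basename(dll).lower()
    dll_dir, exe_dir = ntpath.dirname(dll).lower(), ntpath.dirname(exe).lower()
    # In Sysmon the signature fields describe the loaded image (the DLL), not the process.
    dll_signed = (ev.get("Signed", "false").lower() == "true"
                  and ev.get("SignatureStatus", "") == "Valid")

    findings = []
    # Rule 1: a system DLL name appearing anywhere but the Windows directory is masquerading.
    if dll_name in SYSTEM_DLLS and not in_windows_dir(dll):
        findings.append(f"system DLL name {dll_name} loaded from outside the Windows directory")
    # Rule 2: the classic side-load shape, an unsigned DLL sitting next to its host
    # executable in a user-writable location.
    if dll_dir == exe_dir and not under_trusted_root(exe_dir) and not dll_signed:
        findings.append("unsigned DLL loaded from the same user-writable directory as its host")
    return findings


def parse_events(jsonl_text: str) -> list:
    """Parse JSON-lines Sysmon export into a list of event dicts."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def scan(jsonl_text: str) -> list:
    """Return one hit per event that triggered at least one rule."""
    hits = []
    for ev in parse_events(jsonl_text):
        findings = assess_image_load(ev)
        if findings:
            hits.append({"pid": ev.get("ProcessId"), "image": ev["Image"],
                         "dll": ev["ImageLoaded"], "findings": findings})
    return hits


# Constructed sample export: a side-load from Downloads, a normal system import by the
# same process, and a signed vendor DLL loaded from Program Files.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ProcessId": 4120, "Image": r"C:\Users\alice\Downloads\Agenda\report.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\Agenda\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"ProcessId": 4120, "Image": r"C:\Users\alice\Downloads\Agenda\report.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"ProcessId": 880, "Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
])

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["pid"], hit["image"], "->", hit["dll"])
        for f in hit["findings"]:
            print("   ", f)
```

Rule 2 alone will fire on some legitimate portable software carried in a user's profile, so in production it is the combination with rule 1, or with a later network connection from the same process to a cloud-storage host, that should drive the alert rather than either rule on its own.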

In a landscape where strategic information has direct value in the international arena, these campaigns are a reminder that cybersecurity is one more component of foreign policy and national security. The teams responsible for diplomacy, defence and law enforcement must assume that these are not isolated incidents but sustained, adaptive operations, and design defences that combine agile patching, staff training and network and endpoint visibility in order to catch early signals before intrusions turn into long-term footholds.
