Amaranth-Dragon
Amaranth-Dragon is a China-linked cyber-espionage threat actor tracked by Check Point Research, assessed as closely linked to or part of the APT41 ecosystem. The group conducted highly targeted operations throughout 2025 against government and law enforcement agencies in Southeast Asia, with reported targeting including Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines. Reporting describes the activity as focused on long-term intelligence collection rather than disruption, with campaigns often timed to local political, geopolitical, or regional security events and using tailored lure documents and filenames.

Amaranth-Dragon rapidly weaponized the WinRAR path traversal vulnerability CVE-2025-8088, reportedly beginning exploitation on August 18, 2025, less than ten days after public disclosure. The group used malicious RAR archives to achieve code execution and persistence, including dropping CMD or BAT scripts into the Windows Startup folder. Earlier campaigns also used ZIP files containing LNK and BAT files. Check Point reported that initial delivery likely involved spear-phishing and cloud-hosted archives, including use of Dropbox.

A core part of the actor's tooling is a custom component called Amaranth Loader, delivered via DLL side-loading by a legitimate executable. Amaranth Loader retrieves encrypted payloads, obtains a decryption key, and executes the decrypted payload in memory. The most commonly reported payload is the open-source Havoc C2 framework. Check Point reported overlaps between Amaranth-Dragon tooling and APT41-associated tools including DodgeBox, Dustpan, and Dusttrap, as well as shared tradecraft such as DLL side-loading.

The group also deployed TGAmaranth RAT, a Telegram-bot-controlled remote access trojan observed in Indonesia-focused campaigns. Reported capabilities include process listing, screenshots, command execution, file upload and download, and collection of personally identifiable information. Reporting also states that TGAmaranth RAT includes anti-debugging and anti-EDR/anti-AV techniques.

Amaranth-Dragon's infrastructure was described as technically disciplined and tightly controlled. Command-and-control servers were protected by Cloudflare and geo-restricted to respond only to IP addresses from intended target countries, sometimes returning HTTP 403 to non-target geographies. Check Point also cited coding patterns, operational artifacts, and UTC+8 timing as indicators supporting the China nexus and the linkage to the APT41 ecosystem.

Known aliases and related naming in the source reporting: Amaranth-Dragon, Amaranth Dragon. Related ecosystem linkage mentioned in the reporting: APT41.
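The persistence step above (a RAR extraction that lands a CMD or BAT script in the Windows Startup folder) leaves a simple host-side trace: the archiver process writing into a Startup directory. The following is an added detection example, not code from Check Point or from the product described here; it runs over constructed Sysmon-style FileCreate records and flags any Startup-folder write by WinRAR.exe, marking script extensions separately.

```python
import re

# Constructed Sysmon-style FileCreate (Event ID 11) records, flattened to one
# line each. Sample data for this example only, not from any real incident.
SAMPLE_EVENTS = [
    r"EventID=11 Image=C:\Program Files\WinRAR\WinRAR.exe TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.cmd",
    r"EventID=11 Image=C:\Program Files\WinRAR\WinRAR.exe TargetFilename=C:\Users\alice\Downloads\brief\agenda.docx",
    r"EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk",
    r"EventID=11 Image=C:\Program Files\WinRAR\WinRAR.exe TargetFilename=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\run.bat",
]

EVENT_RE = re.compile(r"EventID=(\d+) Image=(.+?) TargetFilename=(.+)$")
# Matches both the per-user and the all-users Startup folder; case-insensitive
# because the on-disk casing of "StartUp" differs between Windows versions.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
SCRIPT_EXTS = (".cmd", ".bat", ".lnk")


def parse_event(line):
    """Split a flattened FileCreate line into its fields; None if not Event 11."""
    m = EVENT_RE.match(line)
    if not m or m.group(1) != "11":
        return None
    return {"image": m.group(2), "path": m.group(3)}


def detect_startup_drops(lines):
    """Return events where WinRAR wrote a file into a Startup folder.

    A normal extraction writes under the folder the user chose; an archive
    entry landing in Startup means the extraction path was steered there,
    which is the effect of the CVE-2025-8088 chains described on this page.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if exe != "winrar.exe" or not STARTUP_RE.search(ev["path"]):
            continue
        ev["script"] = ev["path"].lower().endswith(SCRIPT_EXTS)
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in detect_startup_drops(SAMPLE_EVENTS):
        tag = "script" if hit["script"] else "non-script"
        print(f"ALERT WinRAR wrote to Startup ({tag}): {hit['path']}")
```

The check keys on the writing process rather than on the file name, so renamed scripts and non-script droppers in Startup are still surfaced; extend the image check if other archivers are in scope for your fleet.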
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Commercial & Professional Services
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
17 distinct techniques observed across reporting, grouped by tactic, mapped to MITRE ATT&CK.
Associated malware families
4 malware families attributed to this actor across reporting.
Associated vulnerabilities
2 CVEs this actor has used in observed campaigns, both exploited in the wild.
Attack chains mounted by the adversary have been found to abuse CVE-2025-8088, a now-patched security flaw impacting RARLAB WinRAR that allows for arbitrary code execution when specially crafted archives are opened by targets. The exploitation of the vulnerability was observed about eight days after its public disclosure in August.
A high-severity security flaw in the TrueConf client video conferencing software has been exploited in the wild as a zero-day as part of a campaign targeting government entities in Southeast Asia dubbed TrueChaos. The vulnerability in question is CVE-2026-3502 (CVSS score: 7.8), a lack of integrity check when fetching application update code, allowing an attacker to distribute a tampered update, resulting in the execution of arbitrary code.
Observables
1 indicator attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
Attributed with using the Havoc framework in intrusions targeting government and law enforcement agencies across Southeast Asia.
Referenced as a Chinese-nexus threat actor previously documented abusing the Havoc framework in real-world intrusions.
China-linked espionage activity cluster targeting government and law enforcement in Southeast Asia; linked to the APT41 ecosystem.
Referenced as conducting targeted espionage in Southeast Asia and weaponizing CVE-2025-8088. No further operational details are provided in this excerpt.