Chinese APT 'Amaranth-Dragon' Hits Southeast Asian Governments with WinRAR Exploit

China-Linked Amaranth-Dragon Exploits WinRAR Flaw CVE-2025-8088 in Espionage Campaigns

Severity: HIGH
February 5, 2026

Related Entities

Threat Actors: Amaranth-Dragon, APT41
Products & Tech: Havoc C2 Framework, WinRAR
Other: Amaranth Loader, TGAmaranth RAT, Dropbox, Telegram
CVE Identifiers: CVE-2025-8088

Executive Summary

Security researchers have identified a new advanced persistent threat (APT) cluster, tracked as Amaranth-Dragon, behind a series of cyber espionage attacks. The group, which shows operational and tooling overlaps with the Chinese threat actor APT41, has been targeting government and law enforcement entities across Southeast Asia since 2025. Amaranth-Dragon weaponized CVE-2025-8088, a high-severity path traversal vulnerability in WinRAR, within days of its public disclosure. The group relies on a custom toolkit, including the Amaranth Loader and a new TGAmaranth RAT that uses the Telegram Bot API for command-and-control (C2), to stay hidden and exfiltrate data. The attacks are highly targeted and align with China's geopolitical interests in the region.


Threat Overview

Amaranth-Dragon is a focused espionage group with a clear mission: to gather intelligence from government and law enforcement agencies in Southeast Asia. Targeted countries include Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines. The timing of their attacks often correlates with sensitive political events in these nations, reinforcing the assessment of a state-sponsored intelligence-gathering motive.

The group's primary initial access vector is CVE-2025-8088, a path traversal vulnerability in the WinRAR archiving utility (fixed in WinRAR 7.13). A crafted archive can make WinRAR write files outside the directory the victim chose for extraction, for example into a Windows Startup folder, so that the dropped payload runs at the next logon with no further user interaction. The group's adoption of the flaw within days of its disclosure shows how quickly it operationalizes publicly disclosed vulnerabilities.

Technical Analysis

Amaranth-Dragon's attack chain is designed for stealth and persistence.

  1. Initial Access: A malicious RAR archive is delivered, most likely via spear-phishing. When the victim extracts it, the CVE-2025-8088 path traversal drops the payload outside the extraction directory (such as a Startup folder), from which it executes at the next logon.
  2. Loading and Evasion: The initial payload is the Amaranth Loader, a custom tool that delivers the main implant. It keeps the final payload encrypted and applies detection-evasion techniques.
  3. C2 and Implantation: The loader deploys one of two primary implants:
    • Havoc C2 Framework: A known post-exploitation framework that provides a wide range of capabilities for lateral movement, credential theft, and data exfiltration.
    • TGAmaranth RAT: A new, custom Remote Access Trojan (RAT) discovered in this campaign, notable for using a Telegram bot for command-and-control. Because Bot API calls are ordinary HTTPS requests to api.telegram.org, the traffic is encrypted and, at the network edge, indistinguishable from legitimate Telegram use; only the destination host name and, with TLS inspection, the /bot<token>/ URL path reveal what it is. The RAT also includes anti-EDR and anti-AV features.
  4. Infrastructure Obfuscation: The group fronts its C2 servers with Cloudflare, so the destination IP addresses a defender sees belong to Cloudflare rather than to the actor's infrastructure. Furthermore, the C2 servers are often configured to respond only to requests originating from IP addresses within the targeted countries, a technique known as geofencing, which frustrates analysis by external security researchers.

Attribution to a China-based actor is supported by the group's operational hours (aligning with UTC+8), file compilation times, and overlaps with tools and infrastructure used by the broader APT41 nexus.

Impact Assessment

The Amaranth-Dragon campaign poses a significant threat to the national security and political stability of the targeted Southeast Asian nations. By compromising government and law enforcement agencies, the threat actor can gain access to sensitive diplomatic strategies, law enforcement intelligence, and citizen data. This intelligence can provide a strategic advantage to the sponsoring state (presumed to be China) in regional negotiations and foreign policy. The use of custom, stealthy tools indicates a long-term commitment to maintaining access and exfiltrating data from these high-value networks.

Cyber Observables for Detection

Type          Value                    Description
url_pattern   api.telegram.org/bot*    Monitor for network traffic to the Telegram Bot API from servers and workstations that should not be using it.
process_name  WinRAR.exe               Monitor for WinRAR spawning unusual child processes, such as cmd.exe or powershell.exe.
log_source    Proxy and DNS logs       Because the C2 sits behind Cloudflare, destination IPs will be Cloudflare's and are not useful as indicators; match connections from your network against known Amaranth-Dragon domains and TLS SNI values instead.

Detection & Response

  1. Network Traffic Analysis: Implement D3-NTA: Network Traffic Analysis. Specifically, monitor for and alert on outbound connections to api.telegram.org. While Telegram is a legitimate application, its use for C2 from government servers is highly anomalous and a strong indicator of compromise.
  2. Endpoint Detection: Deploy EDR to detect the execution chain originating from WinRAR. Hunt for the presence of Amaranth Loader or TGAmaranth RAT artifacts. Use D3-PA: Process Analysis to identify suspicious parent-child process relationships.
  3. Threat Intelligence: Ingest threat intelligence feeds that provide IOCs (IPs, domains, hashes) related to Amaranth-Dragon and APT41 and create detection rules in your SIEM and firewalls.
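The following is an added example, not tooling from the original report or from the researchers who analysed the campaign. It implements the first two observables from the table above (Telegram Bot API egress from hosts that should not use it, and WinRAR spawning an interpreter) as plain Python over constructed sample telemetry, plus a third rule derived from the mechanics of CVE-2025-8088 rather than from the table: the archiver writing into a Startup folder, which is the path traversal's usual landing spot. The proxy log format, the Sysmon-style field names, the allowlisted host name and every host, IP, path and bot token in the samples are assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Observable 1: Telegram Bot API calls look like api.telegram.org/bot<token>/<method>.
TELEGRAM_BOT_API = re.compile(r"^https?://api\.telegram\.org/bot[^/]+/", re.I)
# Assumption: the few hosts that legitimately use the Bot API are known by name.
TELEGRAM_ALLOWLIST = {"chatops-01"}

# Observable 2: WinRAR (or its console siblings) spawning interpreters or LOLBins.
ARCHIVER_IMAGES = {"winrar.exe", "rar.exe", "unrar.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                       "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}

# Extra rule from the CVE-2025-8088 mechanics (path traversal on extraction), not
# from the observables table: the archiver writing into a Startup folder.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (accepts either slash)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_proxy_line(line: str) -> Alert | None:
    """Constructed proxy log format: '<ts> <host> <src_ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) != 6:
        return None
    _ts, host, _src, _method, url, _status = parts
    if TELEGRAM_BOT_API.match(url) and host not in TELEGRAM_ALLOWLIST:
        # Keep the API method but drop the bot token from the alert text; the raw
        # event still holds it, and it identifies the attacker's bot for takedown.
        return Alert("telegram-bot-api-egress", host,
                     re.sub(r"/bot[^/]+/", "/bot<token>/", url))
    return None


def check_process_event(ev: dict) -> Alert | None:
    """Sysmon event ID 1 style fields: Computer, ParentImage, Image, CommandLine."""
    if (basename(ev["ParentImage"]) in ARCHIVER_IMAGES
            and basename(ev["Image"]) in SUSPICIOUS_CHILDREN):
        return Alert("winrar-spawns-interpreter", ev["Computer"], ev["CommandLine"])
    return None


def check_file_event(ev: dict) -> Alert | None:
    """Sysmon event ID 11 style fields: Computer, Image, TargetFilename."""
    if basename(ev["Image"]) in ARCHIVER_IMAGES and STARTUP_DIR.search(ev["TargetFilename"]):
        return Alert("winrar-writes-startup-folder", ev["Computer"], ev["TargetFilename"])
    return None


def run(proxy_lines, process_events, file_events) -> list[Alert]:
    """Apply all three rules and return the alerts that fired, in input order."""
    hits = [check_proxy_line(line) for line in proxy_lines]
    hits += [check_process_event(ev) for ev in process_events]
    hits += [check_file_event(ev) for ev in file_events]
    return [a for a in hits if a is not None]


# Constructed sample telemetry: host names, IPs, paths and bot tokens are made up.
SAMPLE_PROXY = [
    "2026-02-03T08:12:41Z fin-srv-07 10.20.4.17 POST https://api.telegram.org/bot0000000000:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/getUpdates 200",
    "2026-02-03T08:12:50Z chatops-01 10.20.9.3 POST https://api.telegram.org/bot1111111111:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB/sendMessage 200",
    "2026-02-03T08:13:02Z ws-114 10.20.4.22 GET https://telegram.org/ 200",
]
SAMPLE_PROCESS = [
    {"Computer": "ws-114", "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c start /min update.exe"},
    {"Computer": "ws-114", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\WinRAR\WinRAR.exe", "CommandLine": "WinRAR.exe report.rar"},
]
SAMPLE_FILE = [
    {"Computer": "ws-114", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"Computer": "ws-114", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report\report.pdf"},
]


def demo() -> list[Alert]:
    return run(SAMPLE_PROXY, SAMPLE_PROCESS, SAMPLE_FILE)


if __name__ == "__main__":
    for a in demo():
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Two practical caveats. The URL-path rule only works where the proxy performs TLS inspection; without it you see just the host name api.telegram.org via DNS or SNI, which is still enough for the allowlist logic at host level but cannot separate Bot API calls from a user's Telegram client. The Startup-folder rule fires on the extraction itself, before the payload ever runs, which makes it the earliest signal of the three; expect a little noise from users who deliberately extract shortcuts there, so triage on the archiver plus the written file type rather than suppressing the rule.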

Mitigation

  1. Patch Management: Update every WinRAR installation to a version that fixes CVE-2025-8088 (7.13 or later). WinRAR does not update itself, so verify versions through your software inventory rather than assuming users have upgraded. This is the most critical step to prevent initial access and a direct application of D3-SU: Software Update.
  2. Network Egress Filtering: Block outbound connections to the Telegram API (api.telegram.org) and other unauthorized messaging or cloud services from all corporate servers and sensitive workstations. This aligns with D3-OTF: Outbound Traffic Filtering.
  3. Application Hardening: Use attack surface reduction (ASR) rules to block Office applications and other common software from creating executable content or spawning child processes. Note that the Office-focused ASR rules do not constrain WinRAR itself, so pair them with EDR rules for WinRAR spawning interpreters and for unexpected writes to Startup folders.
  4. User Training: Train users to be suspicious of unsolicited archive files (.rar, .zip) and to report them to security teams.

Timeline of Events

February 5, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Patching WinRAR to fix CVE-2025-8088 is the most effective way to prevent this initial access vector.
  • Block outbound connections to the Telegram API and other non-essential web services from corporate servers.
  • Use EDR solutions to detect and block the suspicious behaviors of the custom loaders and RATs.

Sources & References

China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns, The Hacker News (thehackernews.com), February 4, 2026

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags: Amaranth-Dragon, APT, China, Espionage, CVE-2025-8088, WinRAR, Telegram, Havoc C2
