
China-linked Amaranth-Dragon hackers target Southeast Asian governments in 2025

Pierluigi Paganini February 05, 2026

China-linked hackers tracked as Amaranth-Dragon targeted government and law enforcement agencies across Southeast Asia in 2025.

Check Point says China-linked threat actors, tracked as Amaranth-Dragon, carried out cyber-espionage campaigns in 2025 targeting government and law enforcement agencies across Southeast Asia.

The activity is linked to the APT41 ecosystem and affected countries including Thailand, Indonesia, Singapore, and the Philippines.

“The attacks are performed by the Chinese group we track as Amaranth-Dragon. A previously unknown loader we call Amaranth Loader shares similarities with tools such as DodgeBox, Dustpan and Dusttrap associated with the Chinese hacking group known as APT-41 (FBI’s most wanted cybercriminal groups), suggesting a connection or shared resources between the groups.” reads the report published by Check Point.

The attacks were highly targeted and stealthy, aimed at long-term espionage rather than disruption. The threat actors limited their infrastructure to specific countries to avoid detection and moved quickly to exploit a newly disclosed WinRAR flaw (CVE-2025-8088).

The flaw CVE-2025-8088 was disclosed on August 8, 2025, with a public exploit released on August 14. Amaranth-Dragon began exploiting it days later, on August 18, 2025. The bug is a path-traversal issue in WinRAR for Windows: a crafted archive can cause files to be written outside the intended extraction directory, which enables arbitrary code execution.
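As an added triage example, not code from the Check Point report or this article: a Python script that lists archive entries whose stored names would escape the extraction directory or name an NTFS alternate data stream, without extracting anything. It checks the general class of hostile entry names rather than the specific WinRAR trigger, and uses a ZIP built inline with constructed entry names (the same per-entry check applies to RAR listings if you already have a RAR parser).

```python
import io
import posixpath
import zipfile
from typing import List, Optional, Tuple


def entry_risk(name: str) -> Optional[str]:
    """Hypothetical helper: why a stored entry name is dangerous, or None if it is not.

    A naive extractor that honours the stored path verbatim could be steered
    outside its target directory or into an NTFS alternate data stream.
    """
    n = name.replace("\\", "/")  # treat '..\x' and '../x' alike
    if n.startswith("/") or (len(n) > 1 and n[1] == ":"):
        return "absolute path"  # '/etc/x' or 'C:/x'
    if ":" in posixpath.basename(n):
        return "alternate data stream"  # NTFS 'file.txt:stream' syntax
    if ".." in n.split("/"):
        return "parent-directory traversal"  # any '..' component is flagged
    return None


def scan_archive(data: bytes) -> List[Tuple[str, str]]:
    """Return (entry name, reason) for every suspicious entry; nothing is extracted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reason = entry_risk(info.filename)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample() -> bytes:
    """Constructed sample archive: one benign document and two hostile entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4 constructed decoy")
        zf.writestr("..\\..\\Users\\Public\\update.lnk", b"constructed")
        zf.writestr("notes.txt:hidden", b"constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_archive(build_sample()):
        print(f"SUSPICIOUS ({why}): {entry!r}")
```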

Victims were likely lured via spear-phishing emails with cloud-hosted malicious archives. Opening them triggered a loader using DLL side-loading, a tactic linked to APT41, which decrypted and ran the Havoc C2 framework entirely in memory.

Earlier campaigns used ZIP files with LNK and BAT scripts, while later ones targeted Indonesia with password-protected RARs delivering a TGAmaranth RAT controlled via a Telegram bot. The RAT supports process listing, screenshots, command execution, and file transfer. The C2 setup is hidden behind Cloudflare and restricted to specific countries, showing careful targeting and stealth.

Check Point Research found strong links between Amaranth-Dragon and APT-41. Both target government and law enforcement in Southeast Asia and share tooling and tradecraft, including DLL side-loading, common coding patterns, and operating hours consistent with UTC+8, suggesting Amaranth-Dragon is part of the APT-41 ecosystem.

“The campaigns by Amaranth-Dragon exploiting the CVE-2025-8088 vulnerability highlight the recent trend of sophisticated threat actors rapidly weaponizing newly disclosed vulnerabilities. By leveraging a path traversal flaw in WinRAR, the group demonstrates its ability to adapt its tactics and infrastructure to maximize impact against highly targeted government and law enforcement organizations across Southeast Asian countries.” concludes the report. “The use of geo-restricted C&C servers, custom loaders, and open-source post-exploitation frameworks, such as Havoc, underscores the group’s technical proficiency and operational discipline. These attacks serve as a stark reminder of the importance of timely vulnerability management, user awareness, and robust defense-in-depth strategies.”


Pierluigi Paganini

(SecurityAffairs – hacking, intelligence)




Source: https://securityaffairs.com/187647/apt/china-linked-amaranth-dragon-hackers-target-southeast-asian-governments-in-2025.html