Security researchers have identified a new cyber espionage campaign targeting government and law enforcement agencies across Southeast Asia throughout 2025. The threat actors, linked to China, are exploiting a known vulnerability in the popular WinRAR file compression software to gain access to sensitive systems.
Check Point Research is tracking the activity under the name Amaranth-Dragon. The cybersecurity firm stated that the group shares connections with the broader APT41 ecosystem, a Chinese state-sponsored hacking collective known for both espionage and financially motivated intrusions. Cambodia is among the countries targeted, and other nations in the region are also believed to be affected.
Exploitation of a Patched Vulnerability
The campaign leverages a security flaw in WinRAR tracked as CVE-2023-38831. The bug lets an attacker execute arbitrary code when a user opens a seemingly harmless file, such as an image or PDF, from inside a ZIP archive: the archive is crafted so that the decoy file sits beside a same-named folder, and opening the decoy in an unpatched WinRAR runs a script placed in that folder rather than the file the user clicked. RARLAB fixed the flaw in WinRAR 6.23, released in August 2023, yet unpatched installations remain exposed to this attack method.
Attackers typically deliver the exploit through spear-phishing emails carrying booby-trapped archive files. Once the victim opens the decoy, the embedded script runs and the malware establishes a foothold on the victim's computer, enabling data theft and further network penetration.
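The following scanner is an added example, not code from Check Point Research or from WinRAR. It checks a ZIP archive for the structural signature of CVE-2023-38831 that public analyses of the bug describe: a decoy file (for example `invoice.pdf`) next to a directory whose name is the decoy's name plus trailing whitespace (`invoice.pdf `), containing a script whose name starts with that directory name (`invoice.pdf .cmd`). The heuristics, the `SCRIPT_EXTS` list, the severity labels and the sample archive are assumptions made here; the sample's payload is an inert `echo` line, not malware.

```python
"""Flag ZIP archives laid out like a CVE-2023-38831 (WinRAR < 6.23) lure.

Added example. Assumed trigger layout, taken from public write-ups of the bug:
    invoice.pdf                   <- decoy the victim double-clicks
    invoice.pdf /invoice.pdf .cmd <- folder with trailing space, script inside
Vulnerable WinRAR ends up launching the script instead of opening the decoy.
"""
import io
import os
import sys
import zipfile

# Extensions Windows will happily launch from a double-click; an assumption,
# extend to taste (PATHEXT on the target host is the authoritative list).
SCRIPT_EXTS = (".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".ps1", ".scr", ".lnk")


def scan_zip(zip_bytes: bytes) -> list[tuple[str, str, str]]:
    """Return (severity, decoy, payload) triples for entries matching the lure layout."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Entries ending in "/" are explicit directory records; everything else is a file.
        files = {n for n in zf.namelist() if not n.endswith("/")}
        for entry in sorted(files):
            if "/" not in entry:
                continue                      # top-level file, cannot be the payload
            folder, leaf = entry.rsplit("/", 1)
            if folder == folder.rstrip():
                continue                      # no trailing whitespace: a normal folder
            decoy = folder.rstrip()
            if decoy not in files:
                continue                      # no same-named decoy beside the folder
            base = folder.rsplit("/", 1)[-1]  # e.g. "invoice.pdf " (with the space)
            ext = os.path.splitext(leaf)[1].lower()
            if leaf.startswith(base) and ext in SCRIPT_EXTS:
                findings.append(("high", decoy, entry))    # textbook exploit layout
            else:
                findings.append(("medium", decoy, entry))  # odd layout, worth a look
    return findings


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used to construct test fixtures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives (not real campaign samples).
LURE_LAYOUT = {
    "invoice.pdf": b"%PDF-1.4 decoy document",
    "invoice.pdf /invoice.pdf .cmd": b"@echo constructed sample, inert payload\r\n",
    "readme.txt": b"unrelated benign file",
}
BENIGN_LAYOUT = {
    "report.pdf": b"%PDF-1.4",
    "images/logo.png": b"\x89PNG",
}


def scan_path(path: str) -> list[tuple[str, str, str]]:
    """Convenience wrapper for scanning a ZIP on disk."""
    with open(path, "rb") as fh:
        return scan_zip(fh.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    results = [(p, scan_path(p)) for p in targets] if targets else [
        ("<constructed lure>", scan_zip(build_zip(LURE_LAYOUT))),
        ("<constructed benign>", scan_zip(build_zip(BENIGN_LAYOUT))),
    ]
    for name, hits in results:
        verdict = "SUSPICIOUS" if hits else "clean"
        print(f"{name}: {verdict}")
        for severity, decoy, payload in hits:
            print(f"  [{severity}] decoy={decoy!r} payload={payload!r}")
```

Run it with one or more `.zip` paths to scan mail attachments on a gateway or in a sandbox; with no arguments it scans the two constructed archives. Only `zipfile` and `os.path.splitext` from the standard library are used, so it runs anywhere Python does. The trailing-space test is what carries the signal: ordinary archivers do not produce a directory whose name is a sibling file's name plus whitespace, so even the "medium" finding is rare in legitimate traffic.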
Attribution and Strategic Goals
Attributing cyber attacks to specific nation-states is a complex process. Check Point Research bases its assessment of Chinese affiliation on technical indicators, including infrastructure overlap, code similarities, and targeting patterns consistent with previous APT41 operations. The focus on government and law enforcement entities in Southeast Asia suggests intelligence gathering as the primary objective.
Such campaigns aim to collect geopolitical intelligence, monitor internal security operations, and potentially steal sensitive diplomatic communications. The targeting aligns with China’s strategic interests in the Southeast Asian region.
Wider Implications for Cybersecurity
The use of a known, patched vulnerability highlights a persistent challenge in global cybersecurity. Many organizations, including government agencies, struggle with timely patch management, leaving them exposed to exploits long after fixes are available. This gap provides a low-cost, high-reward entry point for sophisticated threat actors.
The Amaranth-Dragon campaign demonstrates that advanced persistent threat groups continue to refine their techniques. They blend sophisticated social engineering with reliable, unpatched software flaws to bypass security defenses.
Recommended Defensive Measures
Security experts recommend several immediate actions to mitigate this threat. Organizations should urgently update WinRAR to version 6.23 or later, the first release that fixes CVE-2023-38831; WinRAR does not update itself, so the new build has to be deployed through normal software distribution and the installed version verified afterwards. Employee training on identifying spear-phishing attempts is also critical, as human error often enables initial access.
Network monitoring for unusual outbound connections and the deployment of endpoint detection and response tools can help identify compromises. For this particular flaw, a useful endpoint rule is WinRAR.exe spawning cmd.exe or a script interpreter whose command line points into WinRAR's temporary extraction folder under %TEMP%, which is how the lure's script gets launched. Applying the principle of least privilege, where users have only the access necessary for their work, limits how far an attacker can move once inside a network.
The discovery of the Amaranth-Dragon campaign is expected to prompt renewed warnings from national cybersecurity agencies across Southeast Asia. Governments and critical infrastructure operators are likely to accelerate audits of their software patch status, particularly for commonly exploited applications like WinRAR. Continued monitoring by private security firms will be crucial for identifying new targets and variations of the attack methodology in the coming months.
Source: Check Point Research