Amaranth-Dragon: China-Backed APT Exploits WinRAR Flaw in Southeast Asia Espionage
Check Point Research uncovers China-linked Amaranth-Dragon campaign targeting government and law enforcement in Southeast Asia using CVE-2023-38831 WinRAR exploit.
Check Point Research has identified a previously undocumented cyber espionage campaign—dubbed Amaranth-Dragon—attributed to China-linked threat actors. The operation, active throughout 2025, has targeted government and law enforcement agencies across Southeast Asia, including Cambodia, with a focus on intelligence gathering.
Technical Details: WinRAR Exploit at the Core
The campaign leverages CVE-2023-38831, a high-severity vulnerability (CVSS 3.1 base score 7.8) in WinRAR versions prior to 6.23 that lets a crafted archive run an attacker's script when the victim double-clicks what appears to be a harmless document inside it. The archive carries a decoy file whose name ends in a trailing space (for example "report.pdf ") alongside a folder of the identical name that contains a same-named script ("report.pdf .cmd"). When the victim opens the decoy from the WinRAR viewer, WinRAR extracts both the file and the folder contents to a temporary directory and, because of how it resolves the trailing-space name, launches the script instead of the document. No memory corruption is involved, so the exploit is reliable across affected builds; it needs only that the user open the archive and click the lure, which is why it pairs well with spear-phishing.
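As an added example (not code from Check Point's report or from WinRAR), the Python below checks a ZIP archive for the CVE-2023-38831 layout described above: a file whose name ends in a space sitting next to a directory of the same name that holds a same-named script with an executable extension. ZIP is the container the public exploit samples use; a RAR-format archive would need a RAR parser instead. The two archives it builds in memory are constructed for the demonstration, and the file names and the extension list are assumptions, not indicators from the campaign.

```python
import io
import posixpath
import zipfile

# Extensions Windows ShellExecute will run as code. Assumption: a practical
# starting list, not an exhaustive one.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".com", ".scr", ".pif", ".vbs", ".vbe",
                   ".js", ".jse", ".wsf", ".wsh", ".ps1", ".hta", ".lnk", ".msi"}


def find_cve_2023_38831_pattern(zip_bytes):
    """Return (decoy, payload) pairs that match the CVE-2023-38831 archive layout.

    Layout: a file entry whose name ends in a space ("report.pdf "), plus a
    directory of the identical name ("report.pdf /") holding a file whose name
    starts with the decoy's name and carries an executable extension
    ("report.pdf /report.pdf .cmd"). The directory may or may not have its own
    explicit entry, so it is inferred from path prefixes rather than looked up.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Directory entries end in "/" and are never the decoy or the payload.
        files = [zi.filename for zi in zf.infolist() if not zi.filename.endswith("/")]
    for decoy in files:
        decoy_base = posixpath.basename(decoy)
        if not decoy_base.endswith(" "):
            continue
        shadow_dir = decoy + "/"          # same name as the decoy, as a directory
        for candidate in files:
            if not candidate.startswith(shadow_dir):
                continue
            cand_base = posixpath.basename(candidate)
            _, ext = posixpath.splitext(cand_base)
            if cand_base.startswith(decoy_base) and ext.lower() in EXECUTABLE_EXTS:
                findings.append((decoy, candidate))
    return findings


def build_sample_archive(malicious):
    """Constructed in-memory ZIPs for the demonstration (not real lures).

    The malicious variant mirrors the exploit layout; the benign one has an
    ordinary document and an unrelated folder.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("Agenda_2025.pdf ", b"%PDF-1.4 decoy content")
            zf.writestr("Agenda_2025.pdf /", b"")   # explicit directory entry
            zf.writestr("Agenda_2025.pdf /Agenda_2025.pdf .cmd",
                        b"@echo off\r\nrem hypothetical stage-two launcher\r\n")
        else:
            zf.writestr("Agenda_2025.pdf", b"%PDF-1.4 benign content")
            zf.writestr("Agenda_2025/notes.txt", b"meeting notes")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("malicious", True), ("benign", False)):
        hits = find_cve_2023_38831_pattern(build_sample_archive(flag))
        print(f"{label}: {hits if hits else 'no CVE-2023-38831 layout found'}")
```

The check is deliberately structural rather than signature-based: it keys on the trailing-space collision that the exploit depends on, so it flags new lures regardless of the decoy's name or the payload's contents. Run it against attachments at the mail gateway or over a quarantine share before anything reaches a WinRAR install that has not been updated.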
Check Point’s analysis indicates that Amaranth-Dragon shares infrastructure and tactical overlaps with APT41, a well-documented Chinese advanced persistent threat (APT) group known for both state-sponsored espionage and financially motivated cybercrime. While the full scope of the campaign remains under investigation, initial findings suggest the use of:
- Custom malware payloads tailored for persistence and data exfiltration
- Spear-phishing emails as the primary delivery vector
- Living-off-the-land (LotL) techniques to evade detection
Impact and Strategic Implications
The targeting of government and law enforcement entities aligns with China’s historical cyber espionage objectives, particularly in regions of geopolitical interest. Southeast Asia has long been a hotspot for APT activity, with groups like APT41, Mustang Panda, and others frequently operating in the region.
Key risks posed by this campaign include:
- Theft of sensitive government and intelligence data
- Compromise of law enforcement communications and investigations
- Potential follow-on attacks leveraging stolen credentials or internal access
Recommendations for Defense
Security teams in high-risk sectors should prioritize the following mitigations:
- Patch Management: Ensure WinRAR is updated to version 6.23 or later to mitigate CVE-2023-38831. WinRAR has no automatic update mechanism, so push the new build through software deployment tooling and inventory installed versions rather than relying on users to upgrade.
- Email Security: Deploy advanced threat protection to detect and block spear-phishing attempts, particularly those containing archive attachments.
- Endpoint Detection and Response (EDR): Monitor for unusual process execution (e.g., cmd.exe or powershell.exe spawned from WinRAR.exe) and lateral movement.
- User Awareness: Train employees to verify sender authenticity before opening archive files, even from seemingly trusted sources.
- Network Segmentation: Limit access to sensitive systems to reduce the impact of potential breaches.
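The EDR recommendation above can be turned into concrete hunt logic. The Python below is an added example (not Check Point's detection content and not tied to any indicator from the report) that runs two rules over process-creation events: WinRAR.exe as the parent of a script interpreter, and any image or command line that executes a script or binary out of WinRAR's temporary extraction directory under %TEMP% (named Rar$DIa followed by digits), which is where a double-clicked decoy and its shadow script land. The event records are constructed Sysmon-style samples with Event ID 1 field names; the user name, PIDs and file names are invented, and the suspicious-child and extension lists are assumptions to tune.

```python
import ntpath
import re

# Interpreters that a WinRAR-launched "document" should never turn into.
# Assumption: a starting hunt list, tune it to your environment.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
EXEC_EXTS = {"cmd", "bat", "exe", "com", "scr", "pif", "vbs", "vbe", "js", "jse",
             "wsf", "ps1", "hta", "lnk", "dll"}
# WinRAR extracts a file opened from the archive viewer into
# %TEMP%\Rar$DIaNNNN.NNNNN\ (Rar$EXa... for some operations), so code running
# from such a path is the exploit's footprint on the endpoint. The regex
# captures the extension of the first file path under a Rar$ directory.
RAR_TEMP_PATH = re.compile(
    r'\\Rar\$[^\\"]+\\(?:[^"\\]+\\)*[^"\\]*\.(\w+)(?=["\s]|$)', re.IGNORECASE)


def classify(ev):
    """Return the list of reasons a process-creation event looks like the exploit."""
    reasons = []
    child = ntpath.basename(ev.get("Image", "")).lower()
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    if parent == "winrar.exe" and child in SUSPICIOUS_CHILDREN:
        reasons.append(f"WinRAR spawned {child}")
    # Check both the image path and the command line so the grandchild
    # (a payload launched by cmd.exe out of the temp directory) is caught too.
    for field in ("Image", "CommandLine"):
        for m in RAR_TEMP_PATH.finditer(ev.get(field, "")):
            ext = m.group(1).lower()
            if ext in EXEC_EXTS:
                reasons.append(f"{field} runs .{ext} from WinRAR temp dir")
    return reasons


def hunt(events):
    """Return (ProcessId, reasons) for every event that trips at least one rule."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev["ProcessId"], reasons))
    return hits


# Constructed Sysmon-style (Event ID 1) records for the demonstration.
TEMP = r"C:\Users\analyst\AppData\Local\Temp\Rar$DIa1234.56789"
SAMPLE_EVENTS = [
    {   # decoy double-clicked: WinRAR runs the script that shadows the PDF
        "ProcessId": 4412,
        "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c "' + TEMP + '\\Agenda_2025.pdf .cmd"',
    },
    {   # legitimate: user opened a text file from inside an archive
        "ProcessId": 4480,
        "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": '"C:\\Windows\\System32\\notepad.exe" "' + TEMP + '\\readme.txt"',
    },
    {   # grandchild: the script dropped a binary beside itself and ran it
        "ProcessId": 5120,
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": TEMP + r"\update.exe",
        "CommandLine": '"' + TEMP + '\\update.exe" -s',
    },
    {   # legitimate admin PowerShell, unrelated to WinRAR
        "ProcessId": 5300,
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",
    },
]

if __name__ == "__main__":
    for pid, reasons in hunt(SAMPLE_EVENTS):
        print(pid, "|", "; ".join(reasons))
```

The second rule matters more than the first: WinRAR legitimately launches viewers such as notepad.exe from the Rar$ directory, so the parent-child pair alone is noisy, and the payload's own children no longer have WinRAR as a parent. Keying on an executable extension under the Rar$ path keeps the benign notepad case quiet while still catching the dropped binary. The same two conditions translate directly into a Sigma rule or an EDR query over ParentImage, Image and CommandLine.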
Check Point Research continues to track Amaranth-Dragon’s activities and will release further details as the investigation progresses. Organizations in targeted sectors are advised to remain vigilant and report any suspicious activity to relevant cybersecurity authorities.