Campaign
Amaranth-Dragon public-sector espionage in Southeast Asia
Updated 04.02.2026 16:09
Case score 57
Members 1
Latest activity 04.02.2026 16:09
First seen 04.02.2026 16:09
Last seen 04.02.2026 16:09
Overview
Amaranth-Dragon ran tightly scoped espionage operations against government and law enforcement targets across Southeast Asia throughout 2025. The activity relied on malicious archives, country-specific lures, and command-and-control infrastructure that accepted connections only from the targeted countries, which limits exposure to analysts and sandboxes elsewhere. In one intrusion chain, the attackers abused **CVE-2025-8088** in **WinRAR**, used DLL side-loading to launch Amaranth Loader, and then deployed **Havoc** or the Telegram-based **TGAmaranth RAT**.
Earlier and later chains used ZIP or password-protected RAR archives, LNK and BAT components, cloud-hosted delivery, and built-in tools such as **PowerShell** and **tar.exe** (the bsdtar binary that ships with Windows). The available evidence points to long-term persistence and covert intelligence collection rather than broad, opportunistic intrusion. CISA added **CVE-2025-8088** to the Known Exploited Vulnerabilities catalog on 2025-08-12 with a 2025-09-02 remediation due date, so defenders need to verify **WinRAR** exposure, block malicious archive delivery, and hunt for DLL side-loading and country-restricted command-and-control behavior.
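The checks the previous paragraph asks for, as an added example that is not tooling from this page or from any vendor report on the campaign: a WinRAR version cut-off check plus two host-side hunting rules run over constructed Sysmon-style events. It assumes the fix version for CVE-2025-8088 is WinRAR 7.13 (RARLAB's release note; the page itself gives no version), and the process and DLL names in the sample events (`viewer.exe`, `helper.dll`) are hypothetical placeholders rather than observed artifacts.

```python
"""Host-side hunting helpers for the intrusion chain described above.

Added example, not the campaign page's own tooling. The event lines are
constructed in a Sysmon-like key="value" format; viewer.exe and helper.dll
are hypothetical names, not indicators from the campaign.
"""
import ntpath
import re

# RARLAB shipped the fix for CVE-2025-8088 in WinRAR 7.13 (vendor release
# note; not stated on the page). Anything older is in scope for exposure checks.
WINRAR_FIXED = (7, 13)

# Archive handlers named on the page. A file they create under a Startup
# folder is the outcome of a traversal into an autorun location, not a
# normal extraction into the user's chosen directory.
ARCHIVERS = {"winrar.exe", "tar.exe"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Side-loading heuristic: an unsigned DLL loaded from the host EXE's own
# directory, where that directory is user-writable (outside these roots).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_version(text):
    """'7.12.0' -> (7, 12); only major.minor matter for the 7.13 cut-off."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:2]]
    return tuple(parts + [0] * (2 - len(parts)))


def winrar_is_vulnerable(version):
    """True for any WinRAR build older than the 7.13 fix."""
    return parse_version(version) < WINRAR_FIXED


def parse_event(line):
    """Turn key="value" pairs into a dict; values never contain quotes here."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def archive_autorun_write(ev):
    """Sysmon Event 11 (FileCreate): an archiver writing into a Startup folder."""
    if ev.get("EventID") != "11":
        return None
    proc = ntpath.basename(ev.get("Image", "")).lower()
    target = ev.get("TargetFilename", "")
    if proc in ARCHIVERS and STARTUP_MARKER in target.lower():
        return f"{proc} created {target}"
    return None


def dll_sideload(ev):
    """Sysmon Event 7 (ImageLoad): unsigned DLL from the EXE's own, writable dir."""
    if ev.get("EventID") != "7" or ev.get("Signed", "").lower() != "false":
        return None
    exe, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
    exe_dir = ntpath.dirname(exe).lower() + "\\"
    if ntpath.dirname(dll).lower() + "\\" != exe_dir:
        return None
    if exe_dir.startswith(TRUSTED_ROOTS):
        return None
    return f"{exe} loaded unsigned {ntpath.basename(dll)} from its own directory"


RULES = [archive_autorun_write, dll_sideload]


def hunt(lines):
    """Return (rule_name, detail) for every event that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, detail))
    return hits


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    # WinRAR drops a LNK into Startup: the CVE-2025-8088 exploitation outcome.
    'EventID="11" Image="C:\\Program Files\\WinRAR\\WinRAR.exe" '
    'TargetFilename="C:\\Users\\analyst\\AppData\\Roaming\\Microsoft\\Windows'
    '\\Start Menu\\Programs\\Startup\\update.lnk"',
    # Benign extraction into Downloads: must not fire.
    'EventID="11" Image="C:\\Program Files\\WinRAR\\WinRAR.exe" '
    'TargetFilename="C:\\Users\\analyst\\Downloads\\report\\report.pdf"',
    # Hypothetical host binary in %TEMP% loading an unsigned DLL beside it.
    'EventID="7" Image="C:\\Users\\analyst\\AppData\\Local\\Temp\\viewer\\viewer.exe" '
    'ImageLoaded="C:\\Users\\analyst\\AppData\\Local\\Temp\\viewer\\helper.dll" '
    'Signed="false"',
    # Normal system DLL load: must not fire.
    'EventID="7" Image="C:\\Users\\analyst\\AppData\\Local\\Temp\\viewer\\viewer.exe" '
    'ImageLoaded="C:\\Windows\\System32\\kernel32.dll" Signed="true"',
]

if __name__ == "__main__":
    print("WinRAR 7.12 vulnerable:", winrar_is_vulnerable("7.12"))
    for name, detail in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

The side-loading rule deliberately ignores loads from `C:\Windows` and `C:\Program Files`: the chain on this page starts from an archive the user extracted, so the abused host binary sits in a user-writable directory next to its malicious DLL, and restricting the rule to such directories keeps it from firing on every unsigned plugin a legitimately installed product loads. The country-restricted C2 behavior is not visible in host telemetry; it shows up as connection attempts from outside the target region being refused, which is a network or sandbox observation rather than something these rules can catch.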