Amaranth-Dragon Southeast Asia espionage campaign
Campaign
Summary
Hide ▲
Show ▼
The Amaranth-Dragon espionage campaign targeted government and law enforcement agencies across Southeast Asia throughout 2025, indicating a sustained effort to establish long-term persistence for geopolitical intelligence collection. The activity was narrowly scoped and tightly controlled to reduce exposure. Attack chains used country-specific lures and malicious archives to reach victims.
Cases
Related Happenings
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware Activity
H score49
First: 02.06.2026 21:21
Last: 02.06.2026 21:21
Sources 1
About this happening:
**Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware ActivityAbout this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Latest development: 09.06.2026 15:26
Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.
Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles
Campaign
H score32
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
About this happening:
**Mustang Panda** launched a newly identified **spear-phishing campaign** that is aimed largely at **financial organizations in India** and also reaches **US-Korea public policy c...
Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles
CampaignAbout this happening: **Mustang Panda** launched a newly identified **spear-phishing campaign** that is aimed largely at **financial organizations in India** and also reaches **US-Korea public policy c...
Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign
Campaign
H score32
First: 30.03.2026 10:00
Last: 30.03.2026 10:00
Sources 1
About this happening:
Three **China-aligned** clusters targeted a **government organization in Southeast Asia**, signaling a **coordinated campaign** built for long-term access. The activity spans **Mu...
Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign
CampaignAbout this happening: Three **China-aligned** clusters targeted a **government organization in Southeast Asia**, signaling a **coordinated campaign** built for long-term access. The activity spans **Mu...
Iran-linked proxy cyber-physical device scanning campaign
Campaign
H score35
First: 27.03.2026 16:42
Last: 27.03.2026 16:42
Sources 1
About this happening:
Iran-linked proxies are **widening scans** for **vulnerable cyber-physical devices**, increasing the risk of opportunistic access across **specific countries** and the **private s...
Iran-linked proxy cyber-physical device scanning campaign
CampaignAbout this happening: Iran-linked proxies are **widening scans** for **vulnerable cyber-physical devices**, increasing the risk of opportunistic access across **specific countries** and the **private s...
Iran's network of traffic cameras hit by cyberattack
Incident
H score23
First: 27.03.2026 16:42
Last: 27.03.2026 16:42
Sources 1
About this happening:
The **Iranian traffic-camera network** was reportedly **hijacked** and used to track **Ayatollah Ali Khamenei** before a deadly **air strike**, showing how connected surveillance...
Iran's network of traffic cameras hit by cyberattack
IncidentAbout this happening: The **Iranian traffic-camera network** was reportedly **hijacked** and used to track **Ayatollah Ali Khamenei** before a deadly **air strike**, showing how connected surveillance...
Timeline
-
04.02.2026 16:09 2 articles · 5mo ago
Amaranth-Dragon disclosure links Southeast Asia espionage to APT 41
Initial DisclosureCheck Point Research described Amaranth-Dragon as a previously undocumented China-linked cluster targeting government and law enforcement agencies across Southeast Asia throughout 2025, with campaigns tied to the APT 41 ecosystem, abuse of CVE-2025-8088 in RARLAB WinRAR, country-restricted Cloudflare-backed command-and-control, and payload delivery that included Havoc and TGAmaranth RAT through malicious RAR, ZIP, LNK, BAT, and DLL side-loading chains.
Show sources
- China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
- China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09