Amaranth-Dragon Southeast Asia espionage campaign
Campaign
Summary
The Amaranth-Dragon espionage campaign targeted government and law enforcement agencies across Southeast Asia throughout 2025, indicating a sustained effort to establish long-term persistence for geopolitical intelligence collection. The activity was narrowly scoped and tightly controlled to reduce exposure. Attack chains used country-specific lures and malicious archives to reach victims.
Cases
Related Happenings
Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles
Campaign
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
About this happening:
**Mustang Panda** launched a newly identified **spear-phishing campaign** that is aimed largely at **financial organizations in India** and also reaches **US-Korea public policy c...
Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign
Campaign
First: 30.03.2026 10:00
Last: 30.03.2026 10:00
Sources 1
About this happening:
Three **China-aligned** clusters targeted a **government organization in Southeast Asia**, signaling a **coordinated campaign** built for long-term access. The activity spans **Mu...
Iran-linked proxy cyber-physical device scanning campaign
Campaign
First: 27.03.2026 16:42
Last: 27.03.2026 16:42
Sources 1
About this happening:
Iran-linked proxies are **widening scans** for **vulnerable cyber-physical devices**, increasing the risk of opportunistic access across **specific countries** and the **private s...
Iran's network of traffic cameras hit by cyberattack
Incident
First: 27.03.2026 16:42
Last: 27.03.2026 16:42
Sources 1
About this happening:
The **Iranian traffic-camera network** was reportedly **hijacked** and used to track **Ayatollah Ali Khamenei** before a deadly **air strike**, showing how connected surveillance...
CL-UNK-1068 years-long espionage campaign targeting Asian organizations
Campaign
First: 09.03.2026 09:21
Last: 09.03.2026 09:21
Sources 1
About this happening:
A **Chinese threat actor** is linked to a **years-long espionage campaign** against **high-value organizations in South, Southeast, and East Asia**, creating persistent risk for c...
Timeline
- 04.02.2026 16:09 (2 articles)
Amaranth-Dragon disclosure links Southeast Asia espionage to APT 41
Initial Disclosure: Check Point Research described Amaranth-Dragon as a previously undocumented China-linked cluster targeting government and law enforcement agencies across Southeast Asia throughout 2025, with campaigns tied to the APT 41 ecosystem, abuse of CVE-2025-8088 in RARLAB WinRAR, country-restricted Cloudflare-backed command-and-control, and payload delivery that included Havoc and TGAmaranth RAT through malicious RAR, ZIP, LNK, BAT, and DLL side-loading chains.
Sources:
- China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09