Find notable cyber news and cases, enriched with sources, timelines, and signals.

Amaranth-Dragon Southeast Asia espionage campaign

Campaign
First reported
Last updated
Happening score
H score 37
1 unique sources, 1 articles

Summary

Hide ▲

The Amaranth-Dragon espionage campaign targeted government and law enforcement agencies across Southeast Asia throughout 2025, indicating a sustained effort to establish long-term persistence for geopolitical intelligence collection. The activity was narrowly scoped and tightly controlled to reduce exposure. Attack chains used country-specific lures and malicious archives to reach victims.

Cases

Related Happenings

Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel

Malware Activity
H score49 First: 02.06.2026 21:21 Last: 02.06.2026 21:21 Sources 1

About this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....

Latest development: 09.06.2026 15:26

Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.

Mustang Panda spear-phishing campaign targeting Indian banks and US-Korea policy circles

Campaign
H score32 First: 21.04.2026 15:00 Last: 21.04.2026 15:00 Sources 1

About this happening: **Mustang Panda** launched a newly identified **spear-phishing campaign** that is aimed largely at **financial organizations in India** and also reaches **US-Korea public policy c...

Mustang Panda, CL-STA-1048, and CL-STA-1049 Southeast Asia government campaign

Campaign
H score32 First: 30.03.2026 10:00 Last: 30.03.2026 10:00 Sources 1

About this happening: Three **China-aligned** clusters targeted a **government organization in Southeast Asia**, signaling a **coordinated campaign** built for long-term access. The activity spans **Mu...

Iran-linked proxy cyber-physical device scanning campaign

Campaign
H score35 First: 27.03.2026 16:42 Last: 27.03.2026 16:42 Sources 1

About this happening: Iran-linked proxies are **widening scans** for **vulnerable cyber-physical devices**, increasing the risk of opportunistic access across **specific countries** and the **private s...

Iran's network of traffic cameras hit by cyberattack

Incident
H score23 First: 27.03.2026 16:42 Last: 27.03.2026 16:42 Sources 1

About this happening: The **Iranian traffic-camera network** was reportedly **hijacked** and used to track **Ayatollah Ali Khamenei** before a deadly **air strike**, showing how connected surveillance...

Timeline

  1. 04.02.2026 16:09 2 articles · 5mo ago

    Amaranth-Dragon disclosure links Southeast Asia espionage to APT 41

    Initial Disclosure

    Check Point Research described Amaranth-Dragon as a previously undocumented China-linked cluster targeting government and law enforcement agencies across Southeast Asia throughout 2025, with campaigns tied to the APT 41 ecosystem, abuse of CVE-2025-8088 in RARLAB WinRAR, country-restricted Cloudflare-backed command-and-control, and payload delivery that included Havoc and TGAmaranth RAT through malicious RAR, ZIP, LNK, BAT, and DLL side-loading chains.

    Show sources