A threat actor, dubbed ‘Amaranth Dragon,’ has been linked to China-aligned, state-sponsored cyber-espionage activity exploiting a critical WinRAR vulnerability in attacks against government and law enforcement organizations across Southeast Asia.
According to researchers at cybersecurity firm Check Point, Amaranth Dragon is associated with operations historically attributed to APT41 and has leveraged CVE-2025-8088, a WinRAR flaw that allows attackers to write malicious files to arbitrary locations using Windows Alternate Data Streams (ADS). The vulnerability has been exploited as a zero-day since mid-2025 to establish persistence, often by dropping malware into the Windows Startup folder.
Check Point reports that Amaranth Dragon began exploiting CVE-2025-8088 on August 18, 2025, just days after a working exploit became public. However, the group’s activity dates back to at least March 2025, with multiple campaigns targeting organizations in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines. Each campaign used strict geofencing and lures themed around local or geopolitical events.
The attacks combined legitimate tools with a custom Amaranth Loader, delivered via encrypted payloads retrieved from command-and-control servers (C&C) hidden behind Cloudflare infrastructure. Earlier campaigns relied on ZIP archives containing malicious LNK and BAT files, while later operations abused the WinRAR flaw to plant scripts directly in Startup folders, sometimes with additional Registry Run keys for redundancy. Signed executables were then launched that sideloaded malicious DLLs and decrypted payloads in memory.
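The persistence chain described above (an archive entry whose Alternate Data Stream name redirects the write outside the extraction directory, typically into the Startup folder) can be triaged from an archive listing before anything is extracted. The following Python script is an added example written for this page, not code from Check Point or from any archive tool; the entry names it scans are constructed samples, and the heuristics (ADS separator plus path traversal, or a stream name pointing at `Start Menu\Programs\Startup`) are an assumption about what a defender would want flagged, not a description of the vulnerability's full trigger conditions.

```python
import posixpath
import re

# Constructed sample listing (not from the article): benign entries next to
# names shaped like the ADS abuse the article describes.
SAMPLE_ENTRIES = [
    "report.pdf",
    "images/photo.jpg",
    # A benign ADS: browsers attach Zone.Identifier (mark-of-the-web) streams
    "invoice.docx:Zone.Identifier",
    # Stream name that climbs out of the extraction dir into the Startup folder
    "notes.txt:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\update.bat",
    # Plain path traversal in the base name, no ADS involved
    "../../../Users/Public/evil.exe",
]

STARTUP_MARKER = re.compile(r"start menu[\\/]programs[\\/]startup", re.IGNORECASE)
DRIVE_PREFIX = re.compile(r"^[A-Za-z]:[\\/]")


def split_ads(name):
    """Split 'file:stream' into (file, stream); (name, None) when there is no ADS.

    A leading drive letter such as 'C:\\' is an absolute path, not an ADS separator,
    so it is left attached to the base name.
    """
    if DRIVE_PREFIX.match(name):
        return name, None
    idx = name.find(":", 1)
    if idx == -1:
        return name, None
    return name[:idx], name[idx + 1:]


def escapes_root(path):
    """True when the normalized path resolves outside the extraction directory."""
    norm = posixpath.normpath(path.replace("\\", "/"))
    return (
        norm == ".."
        or norm.startswith("../")
        or norm.startswith("/")
        or bool(re.match(r"^[A-Za-z]:", norm))
    )


def classify_entry(name):
    """Return the list of reasons an archive entry name looks suspicious (empty if none)."""
    base, stream = split_ads(name)
    reasons = []
    if escapes_root(base):
        reasons.append("path traversal in entry name")
    if stream is not None:
        if escapes_root(stream):
            reasons.append("ADS stream name contains path traversal")
        if STARTUP_MARKER.search(stream):
            reasons.append("ADS stream targets Startup folder")
    return reasons


def suspicious_entries(names):
    """Map each flagged entry name to its reasons; clean entries are omitted."""
    flagged = {}
    for name in names:
        reasons = classify_entry(name)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for entry, reasons in suspicious_entries(SAMPLE_ENTRIES).items():
        print(f"{entry!r}: {', '.join(reasons)}")
```

Feeding this the output of a listing command (for example `unrar lt` or a mail-gateway's archive inspector) lets a SOC quarantine an attachment on the name alone; the Zone.Identifier case shows why a bare "contains a colon" rule would drown analysts in benign mark-of-the-web streams, which is why the check also requires traversal or a Startup target.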
In many cases, the final payload was the Havoc C2 post-exploitation framework, widely abused by threat actors in recent years. More recent campaigns also deployed a new remote access tool called ‘TGAmaranth RAT,’ which uses Telegram bots for C&C and supports data exfiltration, surveillance, and process enumeration while incorporating multiple anti-debugging and EDR evasion techniques.
Last month, Google Mandiant reported that the WinRAR flaw was being widely exploited by multiple threat actors, ranging from Russian state-linked groups to Chinese espionage actors and financially motivated cybercriminals.