Amaranth Dragon Exploits WinRAR Vulnerability to Target Southeast Asian Governments

A new wave of cyber espionage has emerged, led by a sophisticated threat actor known as Amaranth Dragon, linked to the Chinese state-sponsored group APT41. Leveraging the recently discovered CVE-2025-8088 vulnerability in WinRAR, this group has been conducting highly targeted attacks on government and law enforcement agencies across Southeast Asia. By combining legitimate tools with a custom loader and encrypted payloads, Amaranth Dragon has demonstrated a level of operational discipline and technical skill that makes it a notable actor in the global cyber threat landscape.

Summary of the Attacks

Amaranth Dragon’s campaigns have been active since at least March 2025, but exploitation of the WinRAR CVE-2025-8088 vulnerability began on August 18, 2025, just four days after a working exploit became publicly available. Researchers from Check Point report that the actor targeted organizations in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines, strictly limiting operations to specific geographies through advanced geofencing.

The vulnerability itself allows attackers to write malicious files to arbitrary locations using Windows Alternate Data Streams (ADS), which can drop malware in the Startup folder to achieve persistence. Prior to the WinRAR exploit, Amaranth Dragon relied on ZIP archives with .LNK and .BAT scripts to deliver its custom Amaranth Loader, which decrypts and executes payloads in memory. After CVE-2025-8088 exploitation became possible, the actor began dropping malicious scripts directly into the Startup folder, occasionally adding Registry Run keys to ensure redundancy.
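The mechanism described above, an archive entry whose name carries an Alternate Data Stream that is itself a traversing path into the Startup folder, can be triaged on the entry names alone before anything is extracted. The following is an added example, not code from Check Point, WinRAR or the article: it takes entry names as already listed by an archive tool (the malicious RAR header encoding itself is not reproduced here), splits off any ADS, and flags names that traverse out of the extraction directory or resolve into a Startup folder. The sample entry names and the autorun marker list are constructed for this example.

```python
"""Triage of archive entry names for ADS-based path traversal (added example).

Input is a list of entry names as an archive lister reports them. Output is a
list of findings per name; an empty list means nothing suspicious.
"""

import re
from pathlib import PureWindowsPath
from typing import Optional

# Autorun locations a dropped file would land in (constructed for this example;
# extend with whatever locations matter in your environment).
AUTORUN_MARKERS = (
    "start menu\\programs\\startup",
    "start menu\\programs\\start-up",
)

# An ADS entry looks like "<filename>:<streamname>"; a drive prefix like "C:" is not an ADS.
ADS_RE = re.compile(r"^(?P<base>[^:]+):(?P<stream>.+)$")


def split_ads(name: str) -> tuple[str, Optional[str]]:
    """Return (base_name, stream_name) for an ADS-style entry, else (name, None)."""
    m = ADS_RE.match(name)
    if not m:
        return name, None
    base, stream = m.group("base"), m.group("stream")
    if len(base) == 1 and base.isalpha():  # "C:\..." is a drive letter, not an ADS
        return name, None
    return base, stream


def escapes_extract_dir(path: str) -> bool:
    """True if the path is rooted/absolute or contains a '..' component."""
    p = PureWindowsPath(path.replace("/", "\\"))
    return bool(p.anchor) or any(part == ".." for part in p.parts)


def triage_entry(name: str) -> list[str]:
    """Classify one archive entry name. Findings are appended in a fixed order."""
    findings: list[str] = []
    base, stream = split_ads(name)
    if stream is not None:
        findings.append("ads")  # any ADS inside an archive entry is unusual
        if escapes_extract_dir(stream):
            findings.append("ads-traversal")  # the CVE-2025-8088 pattern described in the article
        target = stream
    else:
        target = name
        if escapes_extract_dir(name):
            findings.append("escapes-extract-dir")
    lowered = target.replace("/", "\\").lower()
    if any(marker in lowered for marker in AUTORUN_MARKERS):
        findings.append("startup-folder")
    return findings


def triage_archive(names: list[str]) -> dict[str, list[str]]:
    """Return only the entries that produced findings, keyed by entry name."""
    result = {}
    for name in names:
        findings = triage_entry(name)
        if findings:
            result[name] = findings
    return result


# Constructed sample listing: two benign entries, a mark-of-the-web ADS, and
# three entries that would write outside the extraction directory.
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/agenda.docx",
    "notes.txt:Zone.Identifier",
    "readme.txt:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "..\\..\\evil.bat",
    "C:\\Users\\Public\\run.bat",
]

if __name__ == "__main__":
    for entry, findings in triage_archive(SAMPLE_ENTRIES).items():
        print(f"{entry!r}: {', '.join(findings)}")
```

Run it as a script to see the flagged entries; in a mail gateway or sandbox you would feed it the listing produced by the archive tool and quarantine any archive with an `ads-traversal` or `startup-folder` finding. The check is deliberately format-agnostic, since the same name patterns apply to any archiver that honours ADS names on extraction.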

The deployed payloads often included the Havoc C2 post-exploitation framework, widely used in cyberattacks since 2023, and in more recent operations, a new remote access tool, TGAmaranth RAT, which communicates through a Telegram bot. TGAmaranth supports file transfers, screenshot capture, process listing, and includes sophisticated anti-detection mechanisms, such as unhooking ntdll.dll to bypass antivirus and EDR protections.

Amaranth Dragon’s command-and-control (C2) servers are hidden behind Cloudflare infrastructure, filtering traffic to accept only connections from the intended target countries. The group also crafts lures around geopolitical or local events, showing careful attention to operational detail.

Cybersecurity researchers recommend upgrading WinRAR to version 7.13 or later to mitigate this vulnerability. Check Point has published indicators of compromise (IOCs), YARA rules, and other detection tools to help organizations defend against these attacks.

What Undercode Says:

Amaranth Dragon represents a textbook example of how modern state-linked threat actors operate with precision and patience. The group’s methodology—geofenced attacks, encrypted payloads, and careful exploitation of newly discovered vulnerabilities—reflects a deep understanding of operational security. Unlike opportunistic cybercriminals, Amaranth Dragon shows a disciplined campaign structure, with each operation carefully limited to a handful of countries and thematic lures tailored to local contexts.

The use of legitimate infrastructure like Cloudflare to shield C2 traffic indicates that the group is aware of modern defensive techniques and actively works to avoid detection. This is compounded by their reliance on DLL sideloading, AES-encrypted payloads, and RATs with anti-EDR features, which highlight a high level of technical sophistication.

TGAmaranth RAT’s integration with Telegram is particularly interesting—it allows the actor to blend in with legitimate network traffic while maintaining a persistent communication channel. Its capabilities, including file transfers and process monitoring, point to a broader strategic goal: long-term surveillance and potential influence operations, rather than immediate financial gain.

The choice of WinRAR CVE-2025-8088 is also telling. Exploiting a popular compression tool allows for widespread initial infection while maintaining stealth, since WinRAR is trusted and ubiquitous in enterprise environments. Furthermore, Amaranth Dragon’s rapid adoption of public exploits underscores the agility of state-linked cyber operations—they can pivot almost immediately when vulnerabilities appear.

This attack chain exemplifies modern cyber espionage trends: blending old-school social engineering (ZIP lures, geopolitical themes) with cutting-edge techniques (DLL sideloading, anti-EDR, encrypted in-memory payloads). Organizations in Southeast Asia and beyond must adopt proactive threat hunting and automated response tools, rather than relying solely on reactive patching, to mitigate such risks.

Amaranth Dragon also highlights the importance of monitoring geopolitical events for potential attack lures. Awareness of upcoming summits, elections, or regional tensions could help organizations anticipate and block targeted campaigns.

Overall, Amaranth Dragon serves as a warning: state-linked cyber threats are increasingly precise, stealthy, and technically advanced, making traditional perimeter defenses insufficient.

Fact Checker Results:

✅ CVE-2025-8088 is a confirmed WinRAR vulnerability allowing arbitrary file writes via ADS.
✅ Amaranth Dragon’s targeting of Southeast Asian governments is verified by Check Point and GTIG reports.
❌ There is no evidence that the attacks caused widespread data leaks—focus appears to be espionage, not destruction.

Prediction

🚨 The sophistication of Amaranth Dragon suggests future campaigns will increasingly leverage encrypted in-memory payloads and RATs integrated with mainstream communication platforms, like Telegram.
🚨 As public exploits appear, the actor will likely adapt quickly, maintaining a persistent foothold in critical government networks.
🚨 Expect geopolitically themed lures to continue, signaling that cyber espionage will remain tightly aligned with regional political tensions.


References:

Reported By: www.bleepingcomputer.com