Amaranth Dragon exploits WinRAR flaw to target Southeast Asian agencies

Amaranth Dragon, a China-linked cyberespionage group, exploited the CVE-2025-8088 WinRAR flaw to target government and law enforcement agencies in six Southeast Asian countries, with exploit use beginning on August 18, 2025.

KEY FACTS

  • Incident: Exploitation of CVE-2025-8088 in WinRAR
  • Targets: Government and law enforcement in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines
  • Timeline: Activity tracked since March 2025, exploit use from August 18, 2025
  • Tools: Amaranth Loader, Havoc C2, and TGAmaranth RAT that uses a Telegram bot
  • Mitigation: Update WinRAR to fixed versions

A technical analysis by Check Point reports that Amaranth Dragon began using the WinRAR flaw on August 18, 2025 after a public exploit appeared, and that the group had been active since March 2025.

The actors exploited the vulnerability to write files via Windows Alternate Data Streams and placed malicious scripts in the Startup folder, and in some cases created a Registry Run key for redundancy.

The attacks launch a digitally signed executable that performs DLL sideloading to run the Amaranth Loader. The loader retrieves an AES-encrypted payload and decrypts it in memory, often delivering the Havoc post-exploitation framework.

The actor used command-and-control servers behind Cloudflare that accepted traffic only from the targeted regions, filtering out non-relevant traffic. Recent campaigns deployed a TGAmaranth RAT that uses a Telegram bot for command and control, supports file transfer and screenshots, and includes protections such as replacing a hooked ntdll.dll with an unhooked copy.
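As an added example, not code from the article or from Check Point's report: a small Python detection pass that scans constructed Sysmon-style events for three of the behaviours described above (an archive extractor writing into the Startup folder, a Registry Run key being set, and an unexpected process contacting the Telegram API used by the RAT's bot channel). The pipe-separated event format, the field names, and the allow-list of processes expected to reach Telegram are assumptions of this example, not facts from the report.

```python
"""Added example: detection pass over constructed Sysmon-style events for the
persistence and C2 behaviours described in the article. Field names follow
Sysmon conventions (EventID, Image, TargetFilename, TargetObject,
DestinationHostname); the event format and sample lines are constructed."""
import re

# Startup folder and Run/RunOnce key, matched case-insensitively on Windows paths.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Assumption: archive extractors have no business creating Startup items.
ARCHIVE_TOOLS = {"winrar.exe", "unrar.exe"}
# Assumption: only browsers and the Telegram desktop client normally reach
# the Telegram API on a workstation; anything else is worth a look.
TELEGRAM_OK = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' line into a dict (constructed format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a list of (rule_name, detail) hits for one event; empty if clean."""
    hits = []
    eid = ev.get("EventID")
    image = basename(ev.get("Image", ""))
    if eid == "11":  # Sysmon FileCreate
        target = ev.get("TargetFilename", "")
        if STARTUP_RE.search(target) and image in ARCHIVE_TOOLS:
            hits.append(("startup_write_by_archiver", f"{image} -> {target}"))
    elif eid == "13":  # Sysmon RegistryEvent (value set)
        obj = ev.get("TargetObject", "")
        if RUN_KEY_RE.search(obj):
            hits.append(("run_key_set", f"{image} set {obj}"))
    elif eid == "3":  # Sysmon NetworkConnect
        host = ev.get("DestinationHostname", "").lower()
        if host.endswith("telegram.org") and image not in TELEGRAM_OK:
            hits.append(("telegram_api_from_unexpected_process", f"{image} -> {host}"))
    return hits


def scan(lines):
    """Run check_event over every non-empty line and collect the hits in order."""
    alerts = []
    for line in lines:
        if line.strip():
            alerts.extend(check_event(parse_event(line)))
    return alerts


# Constructed sample events: one benign extraction, one Startup drop by the
# extractor, one Run key set, one expected Telegram contact, one unexpected.
SAMPLE_EVENTS = r"""
EventID=11|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Users\alice\Documents\report.pdf
EventID=11|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.cmd
EventID=13|Image=C:\Windows\System32\cmd.exe|TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater
EventID=3|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|DestinationHostname=api.telegram.org
EventID=3|Image=C:\Users\alice\AppData\Local\Temp\updater.exe|DestinationHostname=api.telegram.org
""".strip().splitlines()


if __name__ == "__main__":
    for rule, detail in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Each rule is deliberately narrow so it stays quiet on a normal workstation: a Startup-folder write is only flagged when the writing process is an archive extractor, and a Telegram API connection only when the process is outside the assumed allow-list. The Run key rule fires on any value set under Run or RunOnce, which is noisy on installer-heavy hosts and would normally be tuned with an allow-list of signed installers.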

WHY IT MATTERS

The broad exploitation of a WinRAR path traversal flaw and the use of geofenced command infrastructure show how targeted espionage can combine public exploits with custom tooling. Organizations in the affected regions should apply the WinRAR fixes and use the indicators and YARA rules in the Check Point report to detect intrusions.