A new and relentless cyber-espionage campaign is sweeping across government and law enforcement agencies in Southeast Asia, driven by a threat group that wastes no time in weaponizing freshly disclosed vulnerabilities. In a new report, Check Point Research (CPR) details the activities of “Amaranth-Dragon,” a Chinese-aligned group that has integrated a critical WinRAR vulnerability into its arsenal less than ten days after its public disclosure.
The group, believed to be linked to the notorious APT-41, has been relentlessly targeting nations such as Thailand, Indonesia, and Singapore throughout 2025. Their latest tool of choice? A path traversal flaw in WinRAR that turns a simple archive file into a backdoor.
The vulnerability, CVE-2025-8088, was disclosed on August 8, 2025. By August 18, the group was already using it in active campaigns.
“Less than ten days after the WinRAR vulnerability (CVE-2025-8088) was disclosed, Amaranth-Dragon introduced malicious RAR archives into their campaigns,” the report states.
This rapid turnaround allowed the attackers to exploit the window of exposure before organizations could patch their systems. The vulnerability allows for “arbitrary code execution by crafting malicious archive files,” meaning a victim only needs to open a seemingly harmless RAR file to be compromised.
The campaigns have been highly targeted, focusing on high-profile government entities.
- Cambodia: One campaign targeted the Cambodia National Police and the Ministry of Foreign Affairs with filenames like CNP_MFA_Meeting_Documents.zip.
- Indonesia: Another operation used a lure document titled SK_GajiPNS_Kemenko_20250818.rar, posing as an official salary decree for civil servants in coordinating ministries.
These lures are not generic; they are crafted to align with “significant local geopolitical events, increasing the likelihood of successful compromise”.
While the group initially relied on standard script files to deliver their payloads, the adoption of CVE-2025-8088 marked a shift in sophistication. The exploit allowed them to “drop a script file (CMD or BAT) into the Startup folder and achieve code execution upon reboot,” ensuring persistence without requiring complex user interaction beyond opening the file.
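As an added example (not code from the CPR report or from this article), the Python snippet below shows a defender-side triage check for the pattern just described: it inspects archive entry names for parent-directory traversal, absolute paths, and a destination under the Windows Startup folder, and flags script payloads (CMD/BAT and similar) that combine with those indicators. The entry names are a constructed listing used only to illustrate the check; obtaining the names from a real archive is left to whatever archive-listing tool is in use.

```python
import ntpath
import re
from dataclasses import dataclass, field

# Path suffix shared by the per-user and all-users Startup folders (matched case-insensitively).
STARTUP_MARKER = r"microsoft\windows\start menu\programs\startup"
# Extensions that execute on reboot if they land in Startup (hypothetical, non-exhaustive list).
SCRIPT_EXTS = {".cmd", ".bat", ".vbs", ".ps1", ".js", ".lnk"}


@dataclass
class Finding:
    entry: str
    reasons: list = field(default_factory=list)


def triage_entry(name: str) -> Finding:
    """Return traversal / persistence indicators for one archive entry name."""
    reasons = []
    raw = name.replace("/", "\\")                      # tolerate either separator
    segments = raw.lower().split("\\")
    if ".." in segments:                               # exact '..' segment only, not '..logo.png'
        reasons.append("parent-directory traversal")
    if re.match(r"^([a-z]:|\\)", raw, re.IGNORECASE):   # drive letter or rooted path
        reasons.append("absolute path")
    norm = ntpath.normpath(raw).lower()                 # collapse '.\' and interior '..' for matching
    if STARTUP_MARKER in norm:
        reasons.append("targets Startup folder")
    ext = ntpath.splitext(norm)[1]
    if ext in SCRIPT_EXTS and reasons:                  # script only matters with a suspicious path
        reasons.append(f"script payload ({ext})")
    return Finding(name, reasons)


def triage_listing(names):
    """Return only the entries that carry at least one indicator."""
    return [f for f in (triage_entry(n) for n in names) if f.reasons]


# Constructed listing for demonstration; not taken from any real sample.
SAMPLE_ENTRIES = [
    "SK_GajiPNS_Kemenko_20250818.pdf",
    "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.cmd",
    "C:\\Users\\Public\\notes.txt",
    "docs/images/..logo.png",
]

if __name__ == "__main__":
    for finding in triage_listing(SAMPLE_ENTRIES):
        print(finding.entry, "->", ", ".join(finding.reasons))
```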
Once inside, the attackers deployed the Amaranth loader, a custom tool designed to fetch encrypted payloads, primarily the open-source Havoc C2 Framework. To stay under the radar, their command-and-control servers were “configured to respond only to IP addresses from targeted countries, minimizing collateral infections and increasing campaign stealth”.
In a notable evolution of their toolkit, the group was also observed deploying a fully functional Remote Access Trojan (RAT) that leveraged a Telegram bot for command and control. This “TGAmaranth RAT” allowed them to retrieve “PII (Personal Identifiable Information) and execute remote commands,” bypassing traditional network defenses by blending in with legitimate messaging traffic.

“The campaigns by Amaranth-Dragon exploiting the CVE-2025-8088 vulnerability highlight the recent trend of sophisticated threat actors rapidly weaponizing newly disclosed vulnerabilities,” the report concludes.