A newly published report from CyberArmor has uncovered a months-long espionage campaign targeting government and media organizations across Southeast Asia. The operation—codenamed “Autumn Dragon”—is attributed with medium confidence to a China-nexus threat actor leveraging an intricate, four-stage malware chain built on DLL sideloading, Telegram-based command-and-control (C2), and encrypted payload stagers in the cloud.
CyberArmor states that the activity has been active since early 2025, aligning with heightened geopolitical tension in the region.
According to the report, “we tracked for several months a sustained espionage campaign against the Government and Media / News sectors in countries surrounding the South China Sea.”
The attack begins with a malicious RAR file titled “Proposal_for_Cooperation_3415.05092025.rar”, delivered through spearphishing emails aimed at high-value individuals.
The archive exploits CVE-2025-8088, a path-traversal vulnerability in WinRAR. When extracted, the vulnerability is triggered automatically: “When extracting the RAR archive, CVE-2025-8088 will automatically be triggered to install a persistence script… using path traversal and an embedded Alternative Data Stream (ADS).”
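Before any extraction tool touches an archive, a defender can list its entry names and refuse to unpack anything that climbs out of the destination directory or writes an NTFS alternate data stream, the two mechanisms the report names for CVE-2025-8088. The following screening function is an added example, not code from the CyberArmor report or the article; the entry names are constructed and PLACEHOLDER_DIR is a placeholder, not a path from the real archive.

```python
import posixpath
import re

# Constructed archive listing (not the real archive's contents): one clean entry,
# one that climbs out of the extraction directory, one that targets an NTFS
# alternate data stream, and one absolute Windows path.
SAMPLE_ENTRIES = [
    "Proposal_for_Cooperation/Proposal.docx",
    "Proposal_for_Cooperation/..\\..\\..\\PLACEHOLDER_DIR\\update.bat",
    "Proposal_for_Cooperation/readme.txt:update.bat",
    "C:\\PLACEHOLDER_DIR\\run.bat",
]

WIN_DRIVE = re.compile(r"^[A-Za-z]:/")


def entry_findings(name):
    """Return the reasons an archive entry name should block extraction (empty = clean)."""
    findings = []
    n = name.replace("\\", "/")  # treat Windows and POSIX separators alike
    if n.startswith("/") or WIN_DRIVE.match(n):
        findings.append("absolute path")
    # normpath collapses 'a/../b' to 'b'; anything that still starts with '..'
    # resolves outside the extraction directory.
    resolved = posixpath.normpath(n)
    if resolved == ".." or resolved.startswith("../"):
        findings.append("path traversal")
    # A colon in the final path component names an alternate data stream
    # (drive letters sit in the first component and are handled above).
    last = n.rsplit("/", 1)[-1]
    if ":" in last:
        findings.append("alternate data stream")
    return findings


def screen_archive(entries):
    """Map each suspicious entry name to its findings; an empty dict means safe to extract."""
    result = {}
    for entry in entries:
        findings = entry_findings(entry)
        if findings:
            result[entry] = findings
    return result


if __name__ == "__main__":
    for name, why in screen_archive(SAMPLE_ENTRIES).items():
        print(f"BLOCK {name!r}: {', '.join(why)}")
```

The check is deliberately strict: it rejects any name that resolves outside the destination even when a patched extractor would sanitise it, because the archive itself, not the extractor version, is the thing being judged at the mail gateway or sandbox.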
This leads to the deployment of a malicious batch script disguised as a Windows Defender updater, which retrieves the next stage from Dropbox and establishes persistence through registry Run keys.
The downloaded package hides a modified libcef.dll, which is sideloaded by a legitimate OBS browser executable. This enables covert execution of an initial backdoor written in C++ and controlled via Telegram using the tgbot library.
CyberArmor highlights that the DLL “has been altered to execute malicious code via DLL sideloading” and communicates with a controller identified as “wang Wenbin”.
The backdoor supports only three commands—/shell, /screenshot, and /upload—a purposely minimalistic set designed to remain stealthy. The report notes that “minimizing functionality reduces the risk of exposing the actor’s intent and tradecraft.”
Captured operator activity shows extensive live reconnaissance: system profiling, process enumeration, and hands-on filesystem navigation.
Autumn Dragon’s operators use multiple sideloading chains across different campaigns. CyberArmor identifies three distinct loader sets abusing OperaGX, Microsoft Edge, and Adobe Creative Cloud.
Campaign 3—the focus of the analysis—abuses Creative Cloud Helper.exe to sideload a malicious CRClient.dll, which decrypts an embedded payload using XOR: “The actor doesn’t use complex encryption algorithms; they rely on a simple XOR encoding technique.” The decrypted file (Update.lib) contains shellcode responsible for loading the final stage.
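The simple XOR encoding the report describes is also simple to undo during triage: a PE file starts with a known "MZ" header whose e_lfanew field points at a "PE\0\0" signature, so an analyst can brute-force every single-byte key and stop at the one that yields a valid header, or, for a repeating multi-byte key, exploit the long zero runs in PE files (0x00 XOR k equals k). The code below is an added example, not code from the CyberArmor report; the encoded blob is a constructed stand-in, not the real Update.lib, and the keys used are made up for the demonstration.

```python
def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; applying it twice restores the original."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed stand-in for an encoded PE: a minimal DOS header whose e_lfanew
# (offset 0x3C) points at a "PE\0\0" signature at offset 0x80. Not the real payload.
FAKE_PE = (
    b"MZ\x90\x00" + b"\x00" * 56          # DOS header up to offset 0x3C
    + (0x80).to_bytes(4, "little")         # e_lfanew = 0x80
    + b"\x00" * 64                         # padding up to offset 0x80
    + b"PE\x00\x00" + b"\x00" * 20         # NT signature plus a little trailing data
)
ENCODED_SAMPLE = xor_bytes(FAKE_PE, b"\x5a")  # constructed: single-byte key 0x5A


def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_single_byte_key(blob: bytes):
    """Try all 256 single-byte keys; return (key, decoded) on a PE hit, else None."""
    for k in range(256):
        candidate = xor_bytes(blob, bytes([k]))
        if looks_like_pe(candidate):
            return k, candidate
    return None


def guess_repeating_key(blob: bytes, key_len: int) -> bytes:
    """Frequency-based guess for a repeating key of known length: PE files contain
    long zero runs, and 0x00 ^ k == k, so the most common byte at each key
    position is usually that key byte."""
    key = []
    for i in range(key_len):
        column = blob[i::key_len]
        key.append(max(set(column), key=column.count))
    return bytes(key)


if __name__ == "__main__":
    hit = recover_single_byte_key(ENCODED_SAMPLE)
    print("single-byte key:", hex(hit[0]) if hit else None)
    multi = xor_bytes(FAKE_PE, b"\x11\x22\x33\x44")
    print("guessed 4-byte key:", guess_repeating_key(multi, 4).hex())
```

For real samples, run `looks_like_pe` on the result of every guess before trusting it, and try key lengths in increasing order; a sample that decodes to shellcode rather than a PE (as the report says Update.lib does) will not satisfy the header check, so the same frequency guess should then be validated by disassembling the first bytes instead.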
The final stage is a lightweight but capable backdoor communicating over HTTPS with hardcoded C2 endpoints, including public.megadatacloud[.]com and 104.234.37[.]45.
The implant supports at least nine command identifiers, enabling remote command execution, DLL loading, shellcode execution, file operations, and even a kill-switch: “The backdoor provides basic functionality for the threat actor to control the victim’s machine… The network traffic is unlikely to be picked up by detection mechanisms, as the traffic is encrypted and the C2 domains may appear legitimate.”
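Although the report notes that the encrypted C2 traffic is unlikely to trip content inspection, a proxy still records the destination host (from the CONNECT request or TLS SNI) and the requesting process, which is enough to match the published indicators and to spot the Telegram Bot API channel used by the earlier stage. The triage script below is an added example covering both the Telegram-controlled first backdoor and the HTTPS final stage; it is not from the CyberArmor report. The two indicators are the ones printed in the report (de-fanged there, refanged here); the log lines, process names and bot token are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Indicators as printed in the CyberArmor report (de-fanged), refanged at load time.
C2_INDICATORS_DEFANGED = ["public.megadatacloud[.]com", "104.234.37[.]45"]
# Telegram Bot API requests take the form api.telegram.org/bot<token>/<method>.
TELEGRAM_BOT_API = re.compile(r"^/bot[^/]+/")


def refang(ioc: str) -> str:
    """Turn a de-fanged indicator back into a matchable host string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


C2_HOSTS = {refang(i) for i in C2_INDICATORS_DEFANGED}

# Constructed proxy log: tab-separated timestamp, client IP, method, URL, process.
# Process names and the bot token are placeholders, not values from the report.
SAMPLE_LOG = [
    "2025-09-10T08:12:01Z\t10.0.0.21\tGET\thttps://www.example.com/\tmsedge.exe",
    "2025-09-10T08:12:09Z\t10.0.0.21\tPOST\thttps://public.megadatacloud.com/api/sync\tCreative Cloud Helper.exe",
    "2025-09-10T08:13:40Z\t10.0.0.33\tGET\thttps://api.telegram.org/botPLACEHOLDER_TOKEN/getUpdates\tobs-browser-placeholder.exe",
    "2025-09-10T08:14:02Z\t10.0.0.33\tGET\thttps://104.234.37.45/check\tCreative Cloud Helper.exe",
    "2025-09-10T08:15:00Z\t10.0.0.40\tGET\thttps://api.telegram.org/\tmsedge.exe",
]


def classify(line: str):
    """Return a finding dict for a suspicious log line, or None for a benign one."""
    ts, src, method, url, proc = line.rstrip("\n").split("\t")
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in C2_HOSTS:
        return {"ts": ts, "src": src, "proc": proc,
                "reason": f"known C2 indicator {host}"}
    if host == "api.telegram.org" and TELEGRAM_BOT_API.match(parts.path):
        return {"ts": ts, "src": src, "proc": proc,
                "reason": "Telegram Bot API call from an endpoint process"}
    return None


def triage(lines):
    """Run classify over a log and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['proc']}: {hit['reason']}")
```

The Telegram rule fires only on the `/bot<token>/` path shape, so ordinary web access to telegram.org stays quiet; in an environment where no legitimate software should drive a bot, any hit on that rule from a process such as a Creative Cloud helper or an OBS component deserves the same priority as a direct indicator match.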
CyberArmor notes that no stage-five payloads have been observed, suggesting the fourth stage may serve as the actor’s long-term access point.
The campaign focuses heavily on countries surrounding the South China Sea. Evidence from C2 telemetry and file distribution indicates active targeting of:
- Indonesia
- Singapore
- Philippines
- Cambodia
- Laos
CyberArmor observes that “the primary targeted sectors are Media and Government.”
Threat infrastructure also shows heavy use of Cloudflare-protected servers with geo-restrictions and user-agent filtering, returning fake “Daily Download” decoy websites when conditions aren’t met.
While CyberArmor refrains from firm attribution, the report acknowledges links to Chinese cyber-espionage activity: “We suspect with medium confidence the threat actor to be a China-nexus group… there is a slight overlap of initial delivery mechanisms as reported by other vendors.”
A potential but unconfirmed overlap with APT41 is noted.