In 2025, a previously undocumented cyber espionage activity cluster tracked by Research under the name Amaranth-Dragon emerged as a significant threat actor targeting government and law enforcement entities across Southeast Asia. The group has demonstrated a rapid ability to weaponize newly disclosed vulnerabilities — most notably CVE-2025-8088, a critical WinRAR flaw — to gain remote code execution and long-term persistence in victim networks.
Who is Amaranth-Dragon?
Amaranth-Dragon is believed to be linked to, or part of, the APT-41 ecosystem, a sophisticated threat actor historically associated with China-aligned cyber targeting. Analysis of file compilation timestamps, tool overlap, and campaign infrastructure supports this connection; the group operates largely on China Standard Time (UTC+8).
The campaigns identified in 2025 were highly targeted and low-volume, focusing on countries including:
- Cambodia
- Thailand
- Laos
- Indonesia
- Singapore
- The Philippines
These operations were generally timed to coincide with local geopolitical events and official government decision cycles, increasing the chances that a recipient would engage with the malicious lure.
Technical Overview: CVE-2025-8088 and Exploitation Chain
Vulnerability Background
- Identifier: CVE-2025-8088
- Vulnerability Type: Path Traversal (CWE-35)
- Affected Software: WinRAR (Windows versions prior to 7.13)
- Impact: Arbitrary file write, leading to code execution in the context of the user who extracts the archive
- Disclosure Date: August 8, 2025
- Discovery: ESET researchers discovered the flaw; it was quickly included in CISA’s Known Exploited Vulnerabilities catalog.
The flaw allowed attackers to craft malicious RAR archives that could extract files outside the expected directory — for instance, into system startup locations — resulting in execution of arbitrary payloads once a user extracted the archive.
Rapid Weaponization
Within ten days of the vulnerability's disclosure in early August 2025, Amaranth-Dragon was already exploiting it in its campaigns. The group embedded crafted .rar archives in spearphishing emails and other lures, relying on user interaction (opening or extracting the archive) to trigger the exploit, which then dropped malicious components that achieved persistence.
Attack Workflow and Tools
Delivery & Initial Access
- Initial Vector: Malicious RAR archive exploiting CVE-2025-8088
- User Interaction Required: Yes (prompted to extract/open the archive)
- Lure Themes: Meeting documents, official decisions, cooperation proposals linked to local events and government activities.
Exploit Mechanism
Once a victim opens the archive in an unpatched WinRAR installation:
- The path traversal exploit writes a malicious script or loader into the Windows Startup folder, outside the directory the user chose for extraction.
- On the next logon, that script executes, triggering the next stage of the attack.
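As an added illustration (not code from the original report), the check below inspects an archive's entry names before extraction, the point at which the traversal described above would otherwise take effect. It assumes the names have already been listed by a RAR tool, that the extraction directory is the constructed `DEFAULT_DEST`, and it goes slightly beyond the text by also flagging NTFS alternate-data-stream suffixes.

```python
import ntpath
from pathlib import PureWindowsPath

# Constructed entry names in the form a RAR listing tool (e.g. `unrar lt`) would report;
# illustrative only, not names taken from Amaranth-Dragon samples.
SAMPLE_ENTRIES = [
    "Meeting_Agenda_2025.docx",
    "attachments/Proposal.pdf",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"C:\Users\Public\loader.dll",
    "notes.txt:hidden.exe",  # NTFS alternate data stream suffix
]

# Assumed extraction directory (where the user chose "Extract here").
DEFAULT_DEST = r"C:\Users\victim\Downloads\archive"
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def classify_entry(name: str, dest_dir: str = DEFAULT_DEST) -> list[str]:
    """Return the reasons an archive entry is unsafe to extract (empty list = looks benign)."""
    reasons = []
    p = PureWindowsPath(name)
    if p.drive or p.root:
        reasons.append("absolute path")
    if ".." in p.parts:
        reasons.append("parent traversal (..)")
    # Where the entry would land if the extractor honoured the name verbatim.
    base = ntpath.normpath(dest_dir).lower()
    target = ntpath.normpath(ntpath.join(dest_dir, name)).lower()
    if not target.startswith(base + "\\"):
        reasons.append("lands outside extraction directory")
    if STARTUP_MARKER in target:
        reasons.append("targets Windows Startup folder")
    # A colon after the (optional) drive prefix names an alternate data stream.
    tail = name[2:] if p.drive else name
    if ":" in tail:
        reasons.append("alternate data stream")
    return reasons


def scan_entries(entries, dest_dir: str = DEFAULT_DEST) -> dict[str, list[str]]:
    """Map each suspicious entry to its reasons; benign entries are omitted."""
    return {n: r for n in entries if (r := classify_entry(n, dest_dir))}


if __name__ == "__main__":
    for name, why in scan_entries(SAMPLE_ENTRIES).items():
        print(f"BLOCK {name!r}: {', '.join(why)}")
```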
Post-Exploitation Tooling
Amaranth-Dragon’s toolkit consists of several components:
- Amaranth Loader: A custom DLL-based loader that decrypts its payload via AES and executes it in memory, reducing forensic footprints.
- Havoc C2 Framework: A publicly available post-exploitation and command-and-control platform.
- TGAmaranth RAT: A Telegram-based remote access trojan with anti-AV and anti-EDR features, using a Telegram bot as its C2 channel.
Infrastructure & Evasion
- Command & Control Servers: Deployed behind Cloudflare with geo-restrictions, so that they respond only to traffic from targeted regions and minimize unintended exposure.
- Use of Legitimate Hosting: Malware payloads and encrypted data are delivered via Dropbox and other trusted services to evade detection.
- Stealth Techniques: AES encryption of payloads and deployment strategies focused on narrow targeting reduce noise and help evade broad network defenses.
Indicators of Compromise (IOCs)
Malicious RAR Archive Hashes (partial set):
Havoc C2 Artifact Hashes:
(Observed in Havoc agent payloads deployed via campaign infrastructure.)
Known C2 Server IPs / Domains:
(These addresses served geo-restricted C2 functions and are linked to observed campaigns.)
Defensive Recommendations
For security teams defending government or critical infrastructure sectors, especially in Southeast Asia:
- Prioritize Patching: Ensure all affected WinRAR installations are updated to versions where CVE-2025-8088 is mitigated.
- Email Defense: Implement robust email filtering and user awareness training to reduce successful spearphishing clicks.
- Archive Monitoring: Scan incoming RAR archives for suspicious characteristics, hashes, and payload patterns.
- Network Controls: Block known C2 infrastructure where appropriate and employ geo-intelligence to flag unexpected connections.
- Threat Hunting: Use the provided IOCs in SIEM/EDR platforms to hunt for dormant or active intrusions.
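To support the threat-hunting recommendation above, here is an added example (not from the original report) that runs one detection rule over constructed Sysmon-style FileCreate records: an archive tool (assumed process names `WinRAR.exe`, `Rar.exe`, `UnRAR.exe`) writing into a per-user or all-users Startup folder, which is the observable host-side effect of the exploit chain described earlier.

```python
import ntpath
import re

# Constructed, Sysmon-style FileCreate (Event ID 11) records for illustration;
# not real telemetry from an Amaranth-Dragon intrusion.
SAMPLE_LOG = r"""
2025-08-19 09:12:03 EventID=11 Image=C:\Program Files\WinRAR\WinRAR.exe TargetFilename=C:\Users\alice\Downloads\Meeting_Agenda\agenda.docx
2025-08-19 09:12:03 EventID=11 Image=C:\Program Files\WinRAR\WinRAR.exe TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\agenda.lnk
2025-08-19 09:15:41 EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote.lnk
2025-08-19 09:20:10 EventID=11 Image=C:\Program Files\WinRAR\WinRAR.exe TargetFilename=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\svc.bat
2025-08-19 09:21:00 EventID=1 Image=C:\Program Files\WinRAR\WinRAR.exe CommandLine="C:\Program Files\WinRAR\WinRAR.exe" x decision.rar
"""

RECORD = re.compile(
    r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) Image=(?P<image>.+?) TargetFilename=(?P<target>.+)$"
)
ARCHIVE_TOOLS = {"winrar.exe", "rar.exe", "unrar.exe"}  # assumed WinRAR process names
STARTUP_MARKER = "\\start menu\\programs\\startup\\"  # matches user and all-users folders


def parse_file_creates(log_text: str) -> list[dict]:
    """Extract ts/image/target from Event ID 11 lines; other events are ignored."""
    events = []
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if m and m.group("eid") == "11":
            events.append({"ts": m.group("ts"), "image": m.group("image"), "target": m.group("target")})
    return events


def find_startup_writes(log_text: str) -> list[dict]:
    """Flag FileCreate events where an archive tool writes into a Startup folder."""
    hits = []
    for ev in parse_file_creates(log_text):
        proc = ntpath.basename(ev["image"]).lower()
        if proc in ARCHIVE_TOOLS and STARTUP_MARKER in ev["target"].lower():
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_startup_writes(SAMPLE_LOG):
        print(f"{hit['ts']} ALERT archive tool wrote to Startup: {hit['target']}")
```

The explorer.exe shortcut is left alone on purpose: the rule keys on the writing process, not on the Startup folder by itself, which keeps legitimate shortcut creation out of the alert stream.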
Conclusion
The Amaranth-Dragon campaigns illustrate an evolving trend in cyber espionage: rapid exploitation of freshly disclosed software vulnerabilities, combined with disciplined targeting and evasion built on commercial infrastructure. The group's adoption of CVE-2025-8088 into its toolchain within days of disclosure underscores the urgency for organizations to reduce patch gaps, monitor archive handling, and integrate threat intelligence into operational defenses.
