Amaranth Dragon Exploits WinRAR Flaw

Cybersecurity researchers uncovered a new Chinese-linked espionage group. Amaranth Dragon exploits a WinRAR vulnerability. They target government and law enforcement in Southeast Asia.

The New Threat Actor

Amaranth Dragon has links to the known APT41 operations. The group shows strong technical skill and careful planning. For example, it limits attacks to specific countries, which avoids unnecessary exposure.

Researchers have tracked the group since March 2025 and observed multiple focused campaigns. Each one targets only one or two nations. Strict geofencing keeps activity narrow and stealthy.

The WinRAR Vulnerability

The flaw is CVE-2025-8088, which carries a high severity rating. It lets attackers write files to arbitrary locations by abusing Windows Alternate Data Streams. Many groups have exploited it as a zero-day since mid-2025, typically dropping malware into the Startup folder for persistence.

Amaranth Dragon began using the flaw on August 18, 2025, just four days after a public exploit appeared. The group adapted its methods quickly: in earlier attacks, it had used ZIP files with LNK and BAT scripts.

Infection and Delivery Chain

Attackers send phishing emails with regional lures tied to local events or geopolitics. Victims open archives that exploit the WinRAR bug, which plants malicious scripts in the Startup folder or Registry keys.

A signed executable launches next. It uses DLL side-loading to run the Amaranth Loader. This loader fetches AES-encrypted payloads from C2 servers. It decrypts them fully in memory. Often, the payload becomes the Havoc C2 framework.

Stealth and Targeting Tricks

C2 servers sit behind Cloudflare for protection and accept traffic only from target countries; non-regional requests get blocked. This keeps targeting precise and reduces detection risk.

In recent attacks, attackers deployed TGAmaranth RAT. This custom tool uses Telegram bots for control. It uploads and downloads files. It takes screenshots and lists processes too.

Evasion Techniques

TGAmaranth RAT includes strong anti-analysis features. It replaces hooked system libraries with clean copies. It blocks debugging and EDR tools effectively. Therefore, it stays hidden longer on infected systems.

The group blends legitimate tools with custom code. They switch infrastructure fast when needed. Consequently, their operations remain resilient and hard to trace.

Many threat actors exploit the same WinRAR flaw. Groups like RomCom, APT44, and Turla use it actively. This shows the bug’s high value in espionage. Defenders face growing pressure to patch quickly.

Prevention Strategies

Organizations can stop these attacks with basic but strong steps. First, update WinRAR to version 7.13 or newer right away. This closes the exploited vulnerability completely. Moreover, use continuous monitoring to detect unusual Startup folder changes, DLL side-loading, and outbound connections to Cloudflare-hosted C2 servers early.

Enable strict execution controls for scripts and archives. Train staff to avoid suspicious regional-themed emails. These actions greatly reduce the risk of successful espionage intrusions.
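The vulnerability section above describes the CVE-2025-8088 shape (an Alternate Data Stream name that carries path traversal toward the Startup folder), and the prevention section asks for monitoring of Startup changes. As an added illustration that is not part of the original article, the following Python triages archive entry names for that shape; the entry names, the reason labels and the sample listing are constructed here, and a real deployment would feed it the listing produced by an archive scanner.

```python
"""Triage archive entry names for the CVE-2025-8088 pattern: an NTFS
Alternate Data Stream (ADS) name carrying path traversal, so the extracted
file lands outside the extraction folder (for example in Startup)."""
import re

# Path fragment shared by the per-user and all-users Startup folders.
STARTUP_MARKER = r"start menu\programs\startup"

def split_ads(entry):
    """Return (base, stream) for 'file:stream'; a colon at index 1 is a drive."""
    idx = entry.find(":", 2)
    return (entry, None) if idx == -1 else (entry[:idx], entry[idx + 1:])

def has_traversal(path):
    return ".." in re.split(r"[\\/]+", path)

def targets_startup(path):
    return STARTUP_MARKER in path.replace("/", "\\").lower()

def triage_entry(entry):
    """Return the list of reasons one entry name looks like an extraction escape."""
    reasons = []
    base, stream = split_ads(entry)
    if stream is not None:
        reasons.append("ads-stream-name")
        if has_traversal(stream):
            reasons.append("traversal-in-ads")  # the CVE-2025-8088 shape
        if targets_startup(stream):
            reasons.append("startup-folder-target")
    if has_traversal(base):
        reasons.append("traversal-in-path")
    if re.match(r"^[a-zA-Z]:\\", entry) or entry.startswith(("\\", "/")):
        reasons.append("absolute-path")
    return reasons

def triage_archive(entries):
    """Map each suspicious entry name to its reasons; clean entries are omitted."""
    return {e: r for e in entries if (r := triage_entry(e))}

# Constructed sample listing; entry two mimics the ADS-plus-traversal shape.
SAMPLE_ENTRIES = [
    "Regional_Briefing_2025.pdf",
    "Regional_Briefing_2025.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft"
    "\\Windows\\Start Menu\\Programs\\Startup\\update.bat",
    "images/logo.png",
    "..\\..\\Public\\notes.txt",
]

for entry, reasons in triage_archive(SAMPLE_ENTRIES).items():
    print(entry, "->", ", ".join(reasons))
```

Any hit on `traversal-in-ads` is worth quarantining before extraction, since a patched WinRAR (7.13 or newer) also refuses to honour such names.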
