Amaranth-Dragon Exploits WinRAR Vulnerability to Infiltrate Southeast Asian Government Networks
A sophisticated cyber-espionage group known as Amaranth-Dragon has been actively targeting government and law enforcement agencies across Southeast Asia throughout 2025. Their operations have been meticulously timed to coincide with significant political events, focusing on countries such as Thailand, Singapore, and the Philippines. The group’s primary objective appears to be the acquisition of geopolitical intelligence, leveraging advanced tactics to infiltrate sensitive networks.
Exploitation of WinRAR Vulnerability
Central to Amaranth-Dragon’s strategy is the exploitation of a critical vulnerability in the widely used WinRAR compression software. This flaw, identified as CVE-2025-8088, is a path traversal vulnerability that allows attackers to execute arbitrary code on victim systems through specially crafted archive files. By exploiting this weakness, the attackers can bypass standard security measures and establish a foothold within targeted networks.
Connection to APT-41
Analysts from Check Point have observed significant overlaps between Amaranth-Dragon’s activities and the tactics employed by APT-41, a group previously associated with Chinese state interests. Both groups operate within the UTC+8 timezone and utilize similar tools, suggesting a shared resource pool or a direct operational link. This connection indicates a well-resourced and coordinated effort behind these intrusions, posing a severe risk to regional stability.
Infection Process and Persistence Mechanism
The attack typically begins with the delivery of weaponized RAR archives, likely through spear-phishing emails designed to entice victims into opening the attachments. Upon extraction, the CVE-2025-8088 vulnerability is triggered, allowing the attackers to drop a malicious script directly into the system’s Startup folder. This ensures that the malware is executed automatically upon system reboot, granting the attackers persistence without requiring administrator privileges.
Deployment of Custom Payloads
Following the initial compromise, Amaranth-Dragon deploys a custom payload known as the Amaranth Loader. This loader retrieves encrypted payloads from command-and-control servers, often protected by legitimate services like Cloudflare to evade detection. The ultimate goal is to deploy the Havoc Framework, an open-source post-exploitation tool that provides the attackers with persistent remote control and the ability to exfiltrate sensitive data.
Technical Breakdown of the Attack Chain
The technical execution of this attack relies heavily on the precise manipulation of file paths within the RAR archive. When a user attempts to extract the malicious file, vulnerable WinRAR versions affected by CVE-2025-8088 fail to properly sanitize the destination path of archive entries. This failure allows the attackers to write files outside of the intended extraction folder, such as the Windows Startup folder, ensuring the malware’s persistence.
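The infection process and the technical breakdown above both come down to one thing a defender can check before extraction: whether any entry in an archive would land outside the folder the user chose, or inside an autostart location such as the Startup folder. The script below is an added example, not code from the article, from Check Point, or from WinRAR; it only inspects entry names and never extracts anything. The destination folder and the archive listing are constructed for the demo, and the Startup-folder marker is an assumption about how those paths look on a Windows profile.

```python
"""Pre-extraction check for archive entries that would escape the chosen
destination folder (the path-traversal pattern described above).

Added example: inspects entry names only, never writes to disk.
The destination and the listing below are constructed sample data.
"""
import ntpath
from dataclasses import dataclass

# Constructed: the folder the user picked in the extraction dialog.
DEST_DIR = r"C:\Users\alice\Downloads\invoice"

# Assumption: both the per-user and the all-users Startup folders contain this
# path fragment, so one case-insensitive marker covers both.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Constructed archive listing: a benign entry, a traversal entry, an absolute
# path, and a backslash-separated benign entry.
SAMPLE_ENTRIES = [
    "invoice/report.pdf",
    "invoice/../../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.bat",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\helper.vbs",
    "notes\\readme.txt",
]


@dataclass(frozen=True)
class Verdict:
    entry: str
    resolved: str
    escapes_dest: bool
    hits_startup: bool

    @property
    def suspicious(self) -> bool:
        return self.escapes_dest or self.hits_startup


def resolve_entry(dest_dir: str, entry: str) -> str:
    """Where an entry would land on disk, Windows-style.

    Archive formats usually store '/', and Windows extractors accept both
    separators, so normalise first. Absolute or drive-qualified names are kept
    as-is: ntpath.join would discard dest_dir for them anyway.
    """
    name = entry.replace("/", "\\")
    if ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        return ntpath.normpath(name)
    return ntpath.normpath(ntpath.join(dest_dir, name))


def escapes(dest_dir: str, resolved: str) -> bool:
    """True when resolved is not at or below dest_dir.

    commonpath compares whole components, so C:\\out is not treated as a
    prefix of C:\\output. A ValueError means the drives differ, which is an
    escape as well.
    """
    dest = ntpath.normpath(dest_dir)
    try:
        return ntpath.commonpath([dest, resolved]).lower() != dest.lower()
    except ValueError:
        return True


def check_entries(dest_dir: str, entries) -> list[Verdict]:
    """Resolve every entry and flag escapes and autostart destinations."""
    verdicts = []
    for entry in entries:
        resolved = resolve_entry(dest_dir, entry)
        verdicts.append(Verdict(
            entry=entry,
            resolved=resolved,
            escapes_dest=escapes(dest_dir, resolved),
            hits_startup=STARTUP_MARKER in resolved.lower(),
        ))
    return verdicts


def suspicious_entries(dest_dir: str, entries) -> list[str]:
    """Entry names that should block extraction pending review."""
    return [v.entry for v in check_entries(dest_dir, entries) if v.suspicious]


if __name__ == "__main__":
    for v in check_entries(DEST_DIR, SAMPLE_ENTRIES):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} {v.entry!r} -> {v.resolved}")
```

The check resolves the path the way the extractor would, rather than grepping for "..": a name such as "invoice/../report.pdf" is harmless because it still lands inside the destination, while a drive-qualified name escapes with no ".." at all. The Startup-folder marker is checked on the resolved path so that an entry is also flagged when the user happened to extract straight into a profile folder and the write technically stays "inside" the destination.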
Mitigation Measures
To protect against such sophisticated attacks, organizations must implement comprehensive cybersecurity measures. These include promptly applying software updates for known vulnerabilities, WinRAR’s fix for CVE-2025-8088 included; training employees to recognize and avoid phishing attempts, particularly unsolicited archive attachments; and deploying threat detection systems capable of spotting the post-exploitation activity described above. By staying vigilant and proactive, organizations can significantly reduce the risk of falling victim to such targeted cyber-espionage campaigns.