China-Linked Group Exploits WinRAR Flaw in Targeted Southeast Asia Espionage Campaigns

China-Linked Amaranth-Dragon Exploits WinRAR Vulnerability in Targeted Espionage Campaigns

In 2025, a sophisticated cyber espionage campaign orchestrated by a China-affiliated group, dubbed Amaranth-Dragon, targeted government and law enforcement agencies across Southeast Asia. This group, identified by Check Point Research, shares operational similarities with the known APT41 ecosystem. The affected nations include Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines.

The timing of these cyberattacks was strategically aligned with significant political events, governmental decisions, and regional security developments. By embedding their malicious activities within these contexts, the attackers increased the likelihood of their targets engaging with the compromised content. The campaigns were meticulously crafted, indicating a deliberate effort to establish long-term access for intelligence gathering.

A hallmark of Amaranth-Dragon’s operations is their emphasis on stealth. The attack infrastructure was configured to interact exclusively with victims from specific countries, minimizing the risk of detection. Central to their strategy was the exploitation of CVE-2025-8088, a critical vulnerability in RARLAB’s WinRAR software. This flaw, disclosed in August 2025, allows attackers to execute arbitrary code when a specially crafted archive is opened. Remarkably, Amaranth-Dragon began exploiting this vulnerability merely eight days after its public disclosure, underscoring their technical proficiency and readiness.

While the exact method of initial access remains uncertain, the targeted nature of the attacks and the use of lures related to regional political, economic, or military events suggest the deployment of spear-phishing emails. These emails likely contained malicious archive files hosted on reputable cloud platforms like Dropbox, thereby evading traditional security measures.

The malicious archives typically included several components:

– Amaranth Loader: A DLL file executed through DLL side-loading, a technique favored by Chinese threat actors.

– Encrypted Payload: Once the loader is activated, it contacts an external server to retrieve an encryption key. This key decrypts the payload, which is then executed directly in memory.

– Havoc Framework: The final payload is an open-source command-and-control framework known as Havoc, facilitating remote control over the compromised system.

Earlier campaigns in March 2025 utilized ZIP files containing Windows shortcuts (LNK) and batch (BAT) files to deploy the Amaranth Loader via DLL side-loading. A similar approach was observed in October 2025, with lures related to the Philippines Coast Guard.

In a September 2025 campaign targeting Indonesia, Amaranth-Dragon distributed a password-protected RAR archive via Dropbox. This archive delivered a fully functional remote access trojan (RAT) named TGAmaranth RAT, which uses a hard-coded Telegram bot for command-and-control operations. The RAT incorporates anti-debugging and anti-antivirus techniques to evade detection and supports commands such as:

– /start: Sends a list of running processes from the infected machine.

– /screenshot: Captures and uploads a screenshot.

– /shell: Executes specified commands on the infected machine and exfiltrates the output.

– /download: Downloads specified files from the infected machine.

– /upload: Uploads files to the infected machine.

The command-and-control infrastructure is fortified using Cloudflare and is configured to accept traffic solely from IP addresses within the targeted countries, enhancing operational security. This approach exemplifies how advanced threat actors leverage legitimate infrastructure to conduct targeted attacks while maintaining a low profile.
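Because TGAmaranth RAT uses a hard-coded Telegram bot for tasking, its traffic goes to the public Bot API rather than to an attacker-owned domain, so network detection has to key on how the API is used rather than on where it goes. The following Python script is an added example (not Check Point's code and not part of the original report): it parses constructed web-proxy lines of the form `<timestamp> <client ip> <verb> <url> <status>`, groups Bot API calls by client and bot id, and separates a host that only fires one-way notifications from one that repeatedly polls `getUpdates` and pushes files with `sendDocument`/`sendPhoto`, which matches the `/screenshot` and `/download` commands listed above. The log format, IP addresses, bot ids and token strings are all constructed placeholders, not indicators from the report.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Telegram Bot API calls have the shape https://api.telegram.org/bot<id>:<secret>/<method>.
BOT_API = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)")
POLL_METHODS = {"getUpdates"}                                # how a bot without a webhook fetches its commands
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo"}  # how files and screenshots leave the host

# Constructed proxy log (assumed format): "<timestamp> <client ip> <verb> <url> <status>".
# Bot ids and token strings are placeholders, not indicators from the report.
SAMPLE_LOG = """\
2025-09-03T08:00:01Z 10.20.1.15 POST https://api.telegram.org/bot1234567890:CONSTRUCTEDtoken_0000/getUpdates 200
2025-09-03T08:00:05Z 10.20.1.15 POST https://api.telegram.org/bot1234567890:CONSTRUCTEDtoken_0000/sendMessage 200
2025-09-03T08:00:31Z 10.20.1.15 POST https://api.telegram.org/bot1234567890:CONSTRUCTEDtoken_0000/getUpdates 200
2025-09-03T08:01:01Z 10.20.1.15 POST https://api.telegram.org/bot1234567890:CONSTRUCTEDtoken_0000/getUpdates 200
2025-09-03T08:01:10Z 10.20.1.15 POST https://api.telegram.org/bot1234567890:CONSTRUCTEDtoken_0000/sendPhoto 200
2025-09-03T08:01:31Z 10.20.1.15 POST https://api.telegram.org/bot1234567890:CONSTRUCTEDtoken_0000/getUpdates 200
2025-09-03T08:01:40Z 10.20.1.15 POST https://api.telegram.org/bot1234567890:CONSTRUCTEDtoken_0000/sendDocument 200
2025-09-03T08:02:01Z 10.20.1.15 POST https://api.telegram.org/bot1234567890:CONSTRUCTEDtoken_0000/getUpdates 200
# proxy restarted
2025-09-03T08:05:00Z 10.20.1.40 POST https://api.telegram.org/bot987654321:CONSTRUCTEDtoken_1111/sendMessage 200
2025-09-03T08:05:02Z 10.20.1.40 GET https://web.telegram.org/ 200
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a Bot API event for one proxy line, or None for anything else."""
    parts = line.split()
    if len(parts) < 5:
        return None
    m = BOT_API.search(parts[3])
    if not m:
        return None
    # The token secret is deliberately not copied into the event: the report should not re-spread it.
    return {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"), "src": parts[1],
            "bot_id": m["bot_id"], "method": m["method"]}


def analyze(log_text: str) -> List[Dict[str, object]]:
    """One report per (client, bot id): polling cadence, upload count and a verdict."""
    sessions: Dict[tuple, list] = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            sessions[(ev["src"], ev["bot_id"])].append(ev)
    reports = []
    for (src, bot_id), evs in sorted(sessions.items()):
        evs.sort(key=lambda e: e["ts"])
        polls = [e["ts"] for e in evs if e["method"] in POLL_METHODS]
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        uploads = sum(e["method"] in UPLOAD_METHODS for e in evs)
        if len(polls) >= 3 and uploads:
            verdict = "likely C2: repeated getUpdates polling plus file/screenshot upload"
        elif len(polls) >= 3:
            verdict = "bot polling from an endpoint; confirm a sanctioned use"
        else:
            verdict = "one-way notification"
        reports.append({"src": src, "bot_id": bot_id,
                        "methods": sorted({e["method"] for e in evs}),
                        "polls": len(polls), "uploads": uploads,
                        "median_poll_s": statistics.median(gaps) if gaps else None,
                        "verdict": verdict})
    return reports
```

Running `analyze(SAMPLE_LOG)` reports the first host as likely C2 (five `getUpdates` polls at a steady 30-second median, two uploads) and the second as a one-way notification, which is what a legitimate alerting script looks like. Desktop and mobile Telegram clients do not use the Bot API endpoint at all, so any `getUpdates` polling from a workstation deserves a look; the cadence and upload counts in the report are what let an analyst rank those hits.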

Connections between Amaranth-Dragon and APT41 are evident through overlaps in their malware arsenals and operational tactics. Chinese threat actors are known for sharing tools, techniques, and infrastructure, suggesting a possible collaboration or shared resources between these groups. Compilation timestamps, campaign timing, and infrastructure management all point to a disciplined, well-resourced team operating within the China Standard Time zone.

In a related development, another Chinese nation-state group known as Mustang Panda has been implicated in a campaign targeting officials involved in diplomacy, elections, and international coordination across multiple regions between December 2025 and mid-January 2026. Dubbed PlugX Diplomacy, this operation relied on impersonation and trust rather than exploiting software vulnerabilities. Victims were enticed into opening files that appeared to be U.S.-linked diplomatic summaries or policy documents. Opening these files triggered the deployment of a customized variant of PlugX malware, known as DOPLUGS, which has been active since at least late December 2022.

The attack chains in this campaign were consistent, with malicious ZIP attachments centered around official meetings, elections, and international forums. These attachments contained LNK files that, when launched, executed PowerShell commands to extract and deploy the PlugX payload. The use of living-off-the-land binaries (LOLBins) throughout the infection chain highlights the attackers’ sophistication.

The TAR archive used in the attack contained three files:

– RemoveBackupper.exe: A legitimate signed executable associated with AOMEI Backupper, vulnerable to DLL search-order hijacking.

– backupper.dat: An encrypted file containing the PlugX payload.

– comn.dll: A malicious DLL side-loaded by the legitimate executable, which decrypts and loads PlugX.
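Both delivery chains described on this page share a recognisable static shape inside the archive: either Windows shortcut and batch launchers (the March and October ZIP lures) or the side-loading triad of a legitimate signed executable, a malicious DLL beside it and an encrypted payload file (RemoveBackupper.exe, comn.dll and backupper.dat above). The following Python script is an added example (not Check Point's code and not part of the original report) of a mail-gateway or sandbox pre-filter that flags both patterns in a ZIP or TAR without executing anything. The heuristics, thresholds and sample file contents are assumptions of this example; only the three file names from the DOPLUGS archive come from the article, and the bytes behind them are constructed stand-ins.

```python
import io
import math
import random
import tarfile
import zipfile
from collections import Counter
from typing import Dict, List, Tuple

LAUNCHER_EXTS = {".lnk", ".bat"}   # shortcut and batch launchers seen in the ZIP lures
ENTROPY_THRESHOLD = 7.0            # bits/byte; encrypted data sits near 8.0, documents well below
HEAD_BYTES = 4096                  # enough of each member to judge file type and entropy


def _ext(name: str) -> str:
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def list_members(blob: bytes) -> List[Tuple[str, bytes]]:
    """(name, first HEAD_BYTES) of every regular file in an in-memory ZIP or TAR archive."""
    bio = io.BytesIO(blob)
    if zipfile.is_zipfile(bio):
        bio.seek(0)
        with zipfile.ZipFile(bio) as zf:   # zf.read inflates the whole member; cap sizes in production
            return [(i.filename, zf.read(i)[:HEAD_BYTES]) for i in zf.infolist() if not i.is_dir()]
    bio.seek(0)
    with tarfile.open(fileobj=bio, mode="r:*") as tf:
        return [(m.name, tf.extractfile(m).read(HEAD_BYTES)) for m in tf.getmembers() if m.isfile()]


def triage_archive(blob: bytes) -> Dict[str, object]:
    """Flag LNK/BAT launchers and exe + dll + encrypted-blob side-loading triads."""
    members = list_members(blob)
    findings: List[str] = []
    # Pattern 1: a shortcut or batch launcher hiding inside a document-themed archive.
    findings += [f"launcher: {n}" for n, _ in members if _ext(n) in LAUNCHER_EXTS]
    # Pattern 2: a PE .exe, a PE .dll and a high-entropy non-PE blob together, which is the
    # shape of a host binary, the DLL it side-loads and the encrypted payload that DLL decrypts.
    exes = [n for n, h in members if h.startswith(b"MZ") and _ext(n) == ".exe"]
    dlls = [n for n, h in members if h.startswith(b"MZ") and _ext(n) == ".dll"]
    blobs = [n for n, h in members
             if not h.startswith(b"MZ") and shannon_entropy(h) >= ENTROPY_THRESHOLD]
    if exes and dlls and blobs:
        findings.append(f"sideload-triad: {exes[0]} + {dlls[0]} + {blobs[0]}")
    return {"findings": findings, "suspicious": bool(findings)}


def _fake_pe() -> bytes:   # constructed stub carrying only the "MZ"/"PE" markers, not a real binary
    return b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200


TRIAD = {   # file names from the article; the contents are constructed stand-ins
    "RemoveBackupper.exe": _fake_pe(),
    "comn.dll": _fake_pe(),
    "backupper.dat": random.Random(2025).randbytes(4096),   # stands in for the encrypted payload
    "Meeting_Summary.pdf": b"%PDF-1.4 decoy document text " * 20,
}


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Notice.lnk", b"L\x00\x00\x00" + b"\x00" * 72)   # constructed shortcut stub
        zf.writestr("setup.bat", b"@echo off\r\n")
        for name, data in TRIAD.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_tar() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in TRIAD.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_benign_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agenda.txt", b"Agenda for the regional forum\n" * 10)
        zf.writestr("report.pdf", b"%PDF-1.4 report body " * 50)
    return buf.getvalue()
```

`triage_archive(build_sample_zip())` reports both a `launcher:` finding for each shortcut or batch file and a `sideload-triad:` finding naming the three files; the TAR sample triggers the triad alone, and the benign archive produces no findings. Entropy on its own is a weak signal, since images and Office documents (which are themselves ZIPs) also score near 8.0, which is why the triad rule only fires when a PE executable and a PE DLL sit in the same archive. The heuristic is a pre-filter for routing to deeper inspection, not a verdict.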

Executing the legitimate executable displayed a decoy PDF document to the user, creating the illusion of normalcy while DOPLUGS was installed in the background.

The correlation between actual diplomatic events and the timing of detected lures suggests that similar campaigns are likely to persist as geopolitical developments unfold. Entities operating in diplomatic, governmental, and policy-oriented sectors should regard malicious LNK distribution methods and DLL search-order hijacking via legitimate executables as persistent, high-priority threats.