- Amaranth Dragon, linked to APT41, joins groups exploiting WinRAR CVE-2025-8088
- Targets include organizations across Southeast Asia using custom loaders and Cloudflare masked servers
- Vulnerability exploited since mid-2025 by multiple state actors, with malware hidden via NTFS alternate data streams
We can now add Amaranth Dragon to the list of Chinese state-sponsored actors exploiting the recently uncovered WinRAR vulnerability.
Security researchers at Check Point have reported attacks from this group targeting organizations in Singapore, Thailand, Indonesia, Cambodia, Laos and the Philippines.
News broke recently that WinRAR, the iconic Windows archiving program, contained a high-severity vulnerability that allowed threat actors to execute arbitrary code on compromised endpoints. The bug was described as a path traversal bug affecting version 7.12 and earlier. It is tracked as CVE-2025-8088, with a severity rating of 8.4/10 (high).
When the vulnerability was first discovered, several security outfits warned that it was being exploited by numerous threat actors – both state-sponsored and otherwise. Now, new reports say that among them is Amaranth Dragon, a threat actor allegedly linked to APT41. This group uses a mix of legitimate tools and a custom loader that deploys encrypted payloads from a server hidden behind the Cloudflare infrastructure.
Earlier reports said that RomCom, a group aligned with the Russian government, exploited this flaw to deploy NESTPACKER against Ukrainian military units. Some researchers also mentioned APT44 and Turla, Carpathian and several Chinese actors who dropped the POISONIVY malware.
Google’s Threat Intelligence Group (GTIG), the cybersecurity arm that mostly tracks state-sponsored attackers, said the earliest signs of abuse were seen in mid-July 2025. Since then, attackers have abused WinRAR’s handling of NTFS Alternate Data Streams (ADS) to write malware to arbitrary locations on target devices. Amaranth Dragon apparently began using this flaw in mid-August of last year, just days after the first working exploit was published.
“While the user typically sees a decoy document, such as a PDF, in the archive, there are also malicious ADS entries, some containing a hidden payload while others are dummy data,” Google said.
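The pattern Google describes (a visible decoy document plus archive entries whose ADS stream names carry a path-traversal sequence) can be triaged from an archive's entry listing before anything is extracted. The script below is an added example written for this article, not code from Google, Check Point or the WinRAR project. It assumes that ADS entries appear in a listing as `file:stream` (the NTFS naming convention) and works on a constructed list of entry names; in practice you would feed it the names from a listing tool or library of your choice.

```python
import re
from dataclasses import dataclass, field

# Constructed sample listing, modelled on the pattern described in the article:
# a harmless-looking decoy document alongside ADS entries, one of which carries
# a traversal sequence and one of which is just dummy padding.
SAMPLE_ENTRIES = [
    "report.pdf",                                   # decoy the user sees
    "report.pdf:..\\..\\..\\Temp\\loader.dll",      # ADS + traversal (constructed path)
    "report.pdf:padding",                           # ADS with dummy data
    "..\\..\\evil.exe",                             # plain traversal, no ADS
    "C:\\Windows\\x.dll",                           # absolute path
    "images/logo.png",                              # benign relative entry
]

# '..' as a whole path component, with either separator, at start, middle or end.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
DRIVE = re.compile(r"^[A-Za-z]:")


@dataclass
class Finding:
    entry: str
    reasons: list = field(default_factory=list)


def split_ads(name):
    """Split 'base:stream' into (base, stream); a leading drive letter is not an ADS."""
    start = 2 if DRIVE.match(name) else 0
    idx = name.find(":", start)
    if idx == -1:
        return name, None
    return name[:idx], name[idx + 1:]


def triage_entry(name):
    """Return the list of reasons an archive entry name looks dangerous (empty if none)."""
    reasons = []
    base, stream = split_ads(name)
    if stream is not None:
        reasons.append("ads")
        if TRAVERSAL.search(stream):
            reasons.append("traversal-in-stream")
    if TRAVERSAL.search(base):
        reasons.append("traversal")
    if base.startswith(("/", "\\")) or DRIVE.match(base):
        reasons.append("absolute-path")
    return reasons


def triage_listing(entries):
    """Triage every entry name; only entries with at least one reason are returned."""
    return [Finding(e, r) for e in entries if (r := triage_entry(e))]


def should_block(entries):
    """An archive whose ADS stream names traverse out of the extraction dir is blocked outright."""
    return any("traversal-in-stream" in f.reasons for f in triage_listing(entries))


if __name__ == "__main__":
    for f in triage_listing(SAMPLE_ENTRIES):
        print(f"{f.entry!r}: {', '.join(f.reasons)}")
    print("block:", should_block(SAMPLE_ENTRIES))
```

A dummy ADS entry on its own is only flagged as `ads`, since legitimate archives can carry stream data; the combination of an ADS name with a traversal sequence is what matches the behaviour reported for this CVE, so `should_block` keys on that alone.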
Via Bleeping Computer