Amaranth-Dragon Exploits WinRAR Flaw for Persistent

Highly targeted attacks are underway across Southeast Asia, attributed to the sophisticated cyber-espionage group known as Amaranth-Dragon. These operations specifically target government and law enforcement agencies.

Active throughout 2025, these campaigns have demonstrated a keen interest in geopolitical intelligence, often timing their operations to coincide with significant local political events.

The threat actors have focused their efforts on specific countries including Thailand, Singapore, and the Philippines, utilizing precise lures to infiltrate sensitive networks.

The group’s modus operandi involves the weaponization of a critical vulnerability in the widely used WinRAR compression software.

Designated as CVE-2025-8088, this path traversal flaw allows attackers to execute arbitrary code on victim systems by crafting malicious archive files.

By exploiting this weakness, the attackers can bypass traditional security measures and establish a foothold within sensitive government networks, effectively turning standard administrative tools into vectors for compromise that bypass standard security protocols.

Check Point analysts identified that this activity shares significant overlaps with the arsenal of APT-41, a group previously aligned with Chinese state interests.

Their analysis reveals that Amaranth-Dragon operates within the UTC+8 timezone and utilizes tools that bear a striking resemblance to those used by the notorious threat group.

This connection suggests a shared resource pool or a direct operational link between the two entities, indicating a well-resourced and coordinated effort behind these intrusions which poses a severe risk to regional stability.

The infection process typically begins with the delivery of these weaponized RAR archives, likely through spear-phishing emails designed to lure victims into opening the attachments.

Once the archive is processed, the vulnerability triggers a sequence that drops a malicious script directly into the system’s Startup folder.

This ensures that the malware is executed automatically whenever the victim reboots their machine, granting the attackers persistence without requiring administrator privileges.

Following the initial compromise, the attackers deploy a custom payload known as the Amaranth Loader.

This loader is responsible for retrieving encrypted payloads from command-and-control servers, which are often protected by legitimate services like Cloudflare to evade detection.

The ultimate goal is to deploy the Havoc Framework, an open-source post-exploitation tool that grants the attackers persistent remote control and the ability to exfiltrate sensitive data.

Technical Breakdown of the Infection Chain

The technical execution of this attack relies heavily on the precise manipulation of file paths within the RAR archive.

When a user attempts to extract the malicious file, the CVE-2025-8088 vulnerability fails to properly sanitize the destination path.

This failure allows the attackers to write files outside of the intended extraction folder.

As detailed in the analysis, the malware repeatedly attempts various path traversal sequences until it successfully locates the Startup directory.

Once the malicious batch or command file is planted, it lies dormant until the next system restart.

Upon reboot, the script executes and sideloads the Amaranth Loader via a legitimate executable, effectively masking the malicious activity from casual observation and allowing the threat actors to maintain long-term access.

To defend against these targeted threats, organizations must prioritize patching the WinRAR vulnerability immediately.

Security teams should also implement strict monitoring for archive files containing executable scripts and employ endpoint protection systems capable of detecting path traversal attempts and unauthorized startup items to prevent successful compromise.