A new threat actor called Amaranth Dragon, linked to APT41 state-sponsored Chinese operations, exploited the CVE-2025-8088 vulnerability in WinRAR in espionage attacks on government and law enforcement agencies.
The hackers combined legitimate tools with the custom Amaranth Loader to deliver encrypted payloads from command-and-control (C2) servers behind Cloudflare infrastructure, for more accurate targeting and increased stealth.
According to researchers at cybersecurity company Check Point, Amaranth Dragon targeted organizations in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines.
The CVE-2025-8088 vulnerability can be exploited to write malicious files to arbitrary locations by leveraging the Alternate Data Streams (ADS) feature in Windows. Multiple threat actors exploited it in zero-day attacks since mid-2025 to achieve persistence by dropping malware in the Windows Startup folder.
Last week, a report from Google Threat Intelligence Group (GTIG) showed that CVE-2025-8088 was still actively exploited by multiple threat groups, including RomCom, APT44, Turla, and various China-linked bad actors.
Check Point reports that Amaranth Dragon started exploiting the WinRAR flaw on August 18, 2025, four days after the first working exploit became publicly available.
However, the researchers have been tracking the malicious actor's activity since March 2025 and identified multiple campaigns, each restricted to targeting one or two countries via strict geofencing.
Furthermore, the lures used in the attacks were themed around geopolitical or local events.
Amaranth Dragon targets and campaign dates
Source: Check Point
... continue reading