TechRadar
Sead Fadilpašić

Dangerous new malware exploits WinRAR flaw - here's what we know


  • Amaranth Dragon, linked to APT41, joins groups exploiting WinRAR CVE-2025-8088
  • Targets include organizations across Southeast Asia, using custom loaders and Cloudflare-masked servers
  • Vulnerability abused since mid-2025 by multiple state actors, with malware hidden via Alternate Data Streams

We can now add Amaranth Dragon to the list of Chinese state-sponsored actors abusing the WinRAR path traversal vulnerability disclosed last year.

Security researchers at Check Point have reported attacks from this group targeting organizations in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines.

WinRAR, the widely used Windows archiving program, was found to contain a high-severity path traversal flaw that lets a crafted archive write files outside the folder the user chose for extraction and, from there, run arbitrary code on the victim's machine. The bug affects versions 7.12 and older (it is fixed in 7.13), is tracked as CVE-2025-8088, and carries a severity score of 8.4/10 (high).

RomCom, Carpathian, and others

When the vulnerability was first disclosed, multiple security outfits warned that it was being abused by numerous threat actors, both state-sponsored and otherwise. New reports now add Amaranth Dragon, a threat actor allegedly linked to APT41, to that list. The group uses a mix of legitimate tools and a custom loader that fetches encrypted payloads from a server hidden behind Cloudflare infrastructure.

Earlier reports said that RomCom, a group aligned with the Russian government, abused this bug to deploy NESTPACKER against Ukrainian military units. Some researchers also mentioned APT44, Turla, Carpathian, and multiple Chinese actors dropping the POISONIVY malware.

Google’s Threat Intelligence Group (GTIG), the cybersecurity arm that mostly tracks state-sponsored attackers, said the earliest signs of abuse were seen in mid-July 2025. Since then, attackers have been abusing WinRAR's handling of NTFS Alternate Data Stream (ADS) entries stored inside archives to write malware to arbitrary locations on target devices. Amaranth Dragon apparently started using this bug in mid-August last year, mere days after the first working exploit was made public.

"While the user typically views a decoy document, such as a PDF, within the archive, there are also malicious ADS entries, some containing a hidden payload while others are dummy data," Google said.
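As an added example (not code from the original article, nor from Check Point, Google or WinRAR), the Python below shows the containment check an archive extractor needs to apply to both regular entry names and NTFS Alternate Data Stream names before writing anything to disk: an ADS name must be a bare stream name with no path separators or traversal, and every resolved path must stay under the extraction directory. The archive entries and the extraction directory are constructed samples, not indicators from the reported campaigns; the third entry mimics the class of ADS name the article describes, a traversal sequence pointing at a persistence location, and the helper names are this example's own.

```python
import ntpath
from typing import List, NamedTuple, Optional, Tuple


class ArchiveEntry(NamedTuple):
    """One entry as an archive would present it to the extractor (constructed sample)."""
    name: str                 # file name as stored in the archive
    stream: Optional[str]     # ADS name attached to that file, or None for the main data


def check_entry(extract_dir: str, entry: ArchiveEntry) -> Tuple[Optional[str], str]:
    """Return (target_path, verdict). target_path is None when the entry must be rejected.

    extract_dir is expected to be an absolute Windows path; ntpath is used so the
    Windows rules apply even when this runs on another platform.
    """
    name = entry.name.replace("/", "\\")
    # Absolute, drive-qualified and UNC names bypass the extraction directory entirely.
    if not name or ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        return None, "absolute or drive-qualified file name"
    # "file.pdf:stream" syntax inside the name would let the name smuggle an ADS.
    if ":" in name:
        return None, "stream syntax embedded in file name"
    parts = [p for p in name.split("\\") if p not in ("", ".")]
    if not parts or ".." in parts:
        return None, "parent-directory traversal in file name"
    if entry.stream is not None:
        # An ADS name is not a path: no separators, no drive, no dot entries.
        bad_chars = any(c in entry.stream for c in "\\/:")
        if not entry.stream or bad_chars or entry.stream in (".", ".."):
            return None, "ADS name is not a bare stream name"
    root = ntpath.normpath(extract_dir)
    target = ntpath.normpath(ntpath.join(root, *parts))
    # Belt and braces: after normalisation the target must still sit under root.
    if ntpath.commonpath([root, target]) != root:
        return None, "resolved path escapes extraction directory"
    if entry.stream is not None:
        target = f"{target}:{entry.stream}"
    return target, "ok"


def triage(extract_dir: str, entries: List[ArchiveEntry]) -> List[Tuple[ArchiveEntry, Optional[str], str]]:
    """Run check_entry over every entry and collect (entry, target, verdict)."""
    return [(e,) + check_entry(extract_dir, e) for e in entries]


# Constructed sample: a decoy document plus several hostile entry shapes.
EXTRACT_DIR = r"C:\Users\alice\Downloads\invoice"
SAMPLE_ENTRIES = [
    ArchiveEntry("invoice.pdf", None),                       # decoy the user sees
    ArchiveEntry("invoice.pdf", "summary"),                  # benign ADS, stays on the decoy
    ArchiveEntry("invoice.pdf",                              # ADS name carrying traversal
                 r"..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.exe"),
    ArchiveEntry(r"..\..\evil.dll", None),                   # traversal in the file name itself
    ArchiveEntry(r"C:\Windows\Temp\x.exe", None),            # absolute path
    ArchiveEntry("invoice.pdf:hidden", None),                # stream syntax hidden in the name
    ArchiveEntry("docs/readme.txt", None),                   # forward slashes, still contained
]

if __name__ == "__main__":
    for entry, target, verdict in triage(EXTRACT_DIR, SAMPLE_ENTRIES):
        shown = entry.name if entry.stream is None else f"{entry.name} + ADS {entry.stream!r}"
        print(f"{verdict:45} {shown}")
        if target:
            print(f"{'':45} -> {target}")
```

The check rejects before any path arithmetic, so an entry never reaches the filesystem layer with a name that would be interpreted as a path; the commonpath test at the end only exists to catch anything the explicit rules missed.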

Via BleepingComputer


