China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Southeast Asian Espionage Campaigns
Summary
Amaranth-Dragon, a China-linked threat actor, has conducted targeted espionage campaigns against government and law enforcement agencies in Southeast Asia throughout 2025. The group exploited CVE-2025-8088, a WinRAR vulnerability, to deliver malicious payloads, including the Havoc C2 framework and the TGAmaranth RAT. The campaigns were timed to coincide with sensitive political and security events, demonstrating a high degree of stealth and operational discipline. The group's tactics, techniques, and procedures (TTPs) show strong links to APT41, suggesting a shared ecosystem or resource pool.
Timeline
- 04.02.2026 16:09 · 1 article
Amaranth-Dragon Exploits WinRAR Flaw in Targeted Espionage Campaigns
Throughout 2025, Amaranth-Dragon conducted targeted espionage campaigns against government and law enforcement agencies in Southeast Asia. The group exploited CVE-2025-8088, a WinRAR vulnerability, to deliver malicious payloads, including the Havoc C2 framework and the TGAmaranth RAT. The campaigns were timed to coincide with sensitive political and security events, demonstrating a high degree of stealth and operational discipline. The group's tactics, techniques, and procedures (TTPs) show strong links to APT41, suggesting a shared ecosystem or resource pool.
Sources:
- China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
Information Snippets
- Amaranth-Dragon targeted government and law enforcement agencies in Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines.
First reported: 04.02.2026 16:09 · 1 source, 1 article. Sources:
- China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
- The group exploited CVE-2025-8088, a WinRAR vulnerability, to execute arbitrary code and maintain persistence.
First reported: 04.02.2026 16:09 · 1 source, 1 article. Sources:
- China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
- The campaigns used tailored lures related to political, economic, or military developments in the region.
First reported: 04.02.2026 16:09 · 1 source, 1 article. Sources:
- China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
- The Amaranth Loader shares similarities with tools used by APT41, such as DodgeBox, DUSTPAN, and DUSTTRAP.
First reported: 04.02.2026 16:09 · 1 source, 1 article. Sources:
- China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
- The final payload deployed in some campaigns was the open-source command-and-control (C2) framework Havoc.
First reported: 04.02.2026 16:09 · 1 source, 1 article. Sources:
- China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
- The group used password-protected RAR archives and Telegram bots for command-and-control (C2) in some campaigns.
First reported: 04.02.2026 16:09 · 1 source, 1 article. Sources:
- China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
- The group's infrastructure is fronted by Cloudflare and configured to accept traffic only from specific target countries.
First reported: 04.02.2026 16:09 · 1 source, 1 article. Sources:
- China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
- Amaranth-Dragon's links to APT41 stem from overlaps in malware arsenal and operational practices.
First reported: 04.02.2026 16:09 · 1 source, 1 article. Sources:
- China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09