China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Southeast Asian Espionage Campaigns
Summary
Amaranth-Dragon, a China-linked threat actor, has conducted targeted espionage campaigns against government and law enforcement agencies in Southeast Asia throughout 2025. The group exploited CVE-2025-8088, a WinRAR vulnerability, to deliver malicious payloads, including the Havoc C2 framework and TGAmaranth RAT. The campaigns were timed to coincide with sensitive political and security events, demonstrating a high degree of stealth and operational discipline. The group's tactics, techniques, and procedures (TTPs) show strong links to APT41, suggesting a shared ecosystem or resource pool. The attackers leveraged the vulnerability within days of its disclosure in August 2025 and used the Havoc Framework as the Command and Control (C&C) platform.
Timeline
- 04.02.2026 16:09 · 2 articles
Amaranth-Dragon Exploits WinRAR Flaw in Targeted Espionage Campaigns
Sources:
- China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
- New Hacking Campaign Exploits Microsoft Windows WinRAR Vulnerability — www.infosecurity-magazine.com — 05.02.2026 13:50
Information Snippets
- Amaranth-Dragon targeted government and law enforcement agencies in Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines.
  First reported: 04.02.2026 16:09 (2 sources, 2 articles). Sources:
  - China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
  - New Hacking Campaign Exploits Microsoft Windows WinRAR Vulnerability — www.infosecurity-magazine.com — 05.02.2026 13:50
- The group exploited CVE-2025-8088, a WinRAR vulnerability, to execute arbitrary code and maintain persistence.
  First reported: 04.02.2026 16:09 (2 sources, 2 articles). Sources:
  - China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
  - New Hacking Campaign Exploits Microsoft Windows WinRAR Vulnerability — www.infosecurity-magazine.com — 05.02.2026 13:50
- The campaigns used tailored lures related to political, economic, or military developments in the region.
  First reported: 04.02.2026 16:09 (2 sources, 2 articles). Sources:
  - China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
  - New Hacking Campaign Exploits Microsoft Windows WinRAR Vulnerability — www.infosecurity-magazine.com — 05.02.2026 13:50
- The Amaranth Loader shares similarities with tools used by APT41, such as DodgeBox, DUSTPAN, and DUSTTRAP.
  First reported: 04.02.2026 16:09 (1 source, 1 article). Sources:
  - China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
- The final payload deployed in some campaigns was the open-source command-and-control (C2) framework Havoc.
  First reported: 04.02.2026 16:09 (2 sources, 2 articles). Sources:
  - China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
  - New Hacking Campaign Exploits Microsoft Windows WinRAR Vulnerability — www.infosecurity-magazine.com — 05.02.2026 13:50
- The group used password-protected RAR archives and Telegram bots for command-and-control (C2) in some campaigns.
  First reported: 04.02.2026 16:09 (1 source, 1 article). Sources:
  - China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
- The group's infrastructure is secured by Cloudflare and configured to accept traffic only from specific target countries.
  First reported: 04.02.2026 16:09 (2 sources, 2 articles). Sources:
  - China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
  - New Hacking Campaign Exploits Microsoft Windows WinRAR Vulnerability — www.infosecurity-magazine.com — 05.02.2026 13:50
- Amaranth-Dragon's links to APT41 stem from overlaps in malware arsenal and operational practices.
  First reported: 04.02.2026 16:09 (2 sources, 2 articles). Sources:
  - China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns — thehackernews.com — 04.02.2026 16:09
  - New Hacking Campaign Exploits Microsoft Windows WinRAR Vulnerability — www.infosecurity-magazine.com — 05.02.2026 13:50
- The attackers leveraged CVE-2025-8088 within days of its disclosure in August 2025.
  First reported: 05.02.2026 13:50 (1 source, 1 article). Sources:
  - New Hacking Campaign Exploits Microsoft Windows WinRAR Vulnerability — www.infosecurity-magazine.com — 05.02.2026 13:50
- The Havoc Framework was used as the Command and Control (C&C) platform.
  First reported: 05.02.2026 13:50 (1 source, 1 article). Sources:
  - New Hacking Campaign Exploits Microsoft Windows WinRAR Vulnerability — www.infosecurity-magazine.com — 05.02.2026 13:50
- The campaign was conducted by a group dubbed Amaranth-Dragon, with TTPs closely resembling APT41.
  First reported: 05.02.2026 13:50 (1 source, 1 article). Sources:
  - New Hacking Campaign Exploits Microsoft Windows WinRAR Vulnerability — www.infosecurity-magazine.com — 05.02.2026 13:50
Similar Happenings
Threat Actors Use Windows Screensavers to Deploy RMM Tools
Threat actors are exploiting Windows screensaver files (.scr) in spear-phishing campaigns to bypass security defenses and deploy remote monitoring and management (RMM) tools, granting them interactive remote control over compromised systems. The attack involves luring users into downloading and executing screensaver files hosted on cloud storage platforms, which then install legitimate RMM tools like JWrapper for persistent access. This technique allows attackers to maintain a foothold within the environment, facilitating data theft, lateral movement, and ransomware deployment. The campaign has been observed across multiple organizations, but the threat actors remain unidentified due to the use of consumer cloud storage and lack of consistent infrastructure.
GPUGate Malware Campaign Targets IT Firms in Western Europe
A sophisticated malware campaign, codenamed GPUGate, targets IT and software development companies in Western Europe, with recent expansions to macOS users. The campaign leverages Google Ads, SEO poisoning, and fake GitHub commits to deliver malware, including the Atomic macOS Stealer (AMOS) and Odyssey. The attack began in December 2024 and uses a 128 MB Microsoft Software Installer (MSI) to evade detection. The malware employs GPU-gated decryption and various techniques to avoid analysis and detection. The end goal is information theft and delivery of secondary payloads. The threat actors have native Russian language proficiency and use a cross-platform approach. The campaign has expanded to target macOS users through fake Homebrew, LogMeIn, and TradingView platforms. These platforms impersonate popular tools and use SEO poisoning to distribute the Atomic Stealer malware and Odyssey. The threat actors use multiple GitHub usernames to evade takedowns and deploy malware via Terminal commands. Similar tactics have been observed in previous campaigns using malicious Google Ads and public GitHub repositories. The AMOS malware now includes a backdoor component for persistent, stealthy access to compromised systems. The campaign impersonates over 100 software solutions, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown. The campaign has been active since at least April 2023, with previous similar campaigns observed in July 2025.

A new AMOS infostealer campaign abuses Google search ads to lure users into Grok and ChatGPT conversations that lead to installing the AMOS malware on macOS. The campaign was first spotted by researchers at Kaspersky, with a more detailed report by Huntress. The ClickFix attack begins with victims searching for macOS-related terms, leading to malicious instructions in AI chats. The malicious instructions are hosted on legitimate LLM platforms and contain commands to install the malware. The base64-encoded URL decodes into a bash script that loads a fake password prompt dialog. The script validates, stores, and uses the provided password to execute privileged commands, including downloading and executing the AMOS infostealer. AMOS was first documented in April 2023 and is a malware-as-a-service (MaaS) operation targeting macOS systems exclusively. AMOS added a backdoor module earlier this year, allowing operators to execute commands, log keystrokes, and drop additional payloads. AMOS is dropped as a hidden file and scans for cryptocurrency wallets, browser data, macOS Keychain data, and files on the filesystem. Persistence is achieved via a LaunchDaemon running a hidden AppleScript that restarts the malware if terminated. Users are advised to be vigilant and avoid executing commands they found online, especially if they don't fully understand what they do. Kaspersky noted that asking ChatGPT if the provided instructions are safe reveals they are not.

Microsoft has warned that information-stealing attacks are rapidly expanding beyond Windows to target Apple macOS environments by leveraging cross-platform languages like Python and abusing trusted platforms for distribution at scale. The tech giant's Defender Security Research Team observed macOS-targeted infostealer campaigns using social engineering techniques such as ClickFix since late 2025 to distribute disk image (DMG) installers that deploy stealer malware families like Atomic macOS Stealer (AMOS), MacSync, and DigitStealer. The campaigns use techniques like fileless execution, native macOS utilities, and AppleScript automation to facilitate data theft, including web browser credentials and session data, iCloud Keychain, and developer secrets.
The starting point of these attacks is often a malicious ad, often served through Google Ads, that redirects users searching for tools like DynamicLake and artificial intelligence (AI) tools to fake sites that employ ClickFix lures, tricking them into infecting their own machines with malware.
PipeMagic Backdoor Used in Play Ransomware Attacks Exploiting Windows CLFS Vulnerability
The Play ransomware group, tracked as Storm-2460, is using the PipeMagic backdoor to exploit CVE-2025-29824, a critical Windows Common Log File System (CLFS) elevation-of-privilege vulnerability. This flaw allows attackers to gain system-level privileges on compromised systems. The campaign targets various sectors across multiple geographies, including IT, financial, and real estate in the US, Europe, South America, and the Middle East. The backdoor mimics ChatGPT Desktop to evade detection and maintain persistence within infected systems. The vulnerability was patched in April, but unpatched systems remain at risk. Microsoft and Kaspersky have observed ongoing activity, with PipeMagic showing sustained interest in Saudi Arabian and Brazilian manufacturing sectors. The backdoor's modular design allows for updates and lateral movement within targeted networks. PipeMagic was first documented in 2022 as part of RansomExx ransomware attacks targeting industrial companies in Southeast Asia. In 2024, threat actors exploited CVE-2017-0144, a remote code execution flaw in Windows SMB, to infiltrate victim infrastructure. Earlier this April, Microsoft attributed the exploitation of CVE-2025-29824 and the deployment of PipeMagic to Storm-2460.
EncryptHub Exploits MSC EvilTwin Vulnerability to Deploy Fickle Stealer Malware
The Russian threat actor EncryptHub is exploiting the MSC EvilTwin vulnerability (CVE-2025-26633) to deliver the Fickle Stealer malware. This campaign combines social engineering with technical exploitation to bypass security defenses. The group uses fake IT department requests and rogue Microsoft Console (MSC) files to trigger the infection routine. The malware collects system information, establishes persistence, and communicates with the EncryptHub command-and-control (C2) server. The threat actor has been active since mid-2024 and is known for using various methods, including fake job offers and compromised Steam games, to infect targets. The latest attack sequence involves using PowerShell commands and a Go-based loader called SilentCrystal to deploy the malware. The group also abuses the Brave Support platform to host next-stage malware and uses phony videoconferencing platforms to deceive victims into downloading malicious installers.
Path Traversal Vulnerability in WinRAR Actively Exploited by Multiple Threat Actors
A path traversal vulnerability in WinRAR (CVE-2025-8088, CVSS 8.8) is being actively exploited in the wild. The flaw allows arbitrary code execution by crafting malicious archive files. The vulnerability affects Windows versions of WinRAR, RAR, UnRAR, portable UnRAR source code, and UnRAR.dll. The issue was discovered by researchers from ESET and addressed in WinRAR version 7.13, released on July 30, 2025. Multiple threat actors, including Paper Werewolf, RomCom, UNC4895, APT44, TEMP.Armageddon, Turla, and China-linked actors, have exploited this vulnerability to target various organizations. A new threat actor called Amaranth Dragon, linked to APT41 state-sponsored Chinese operations, has also exploited the CVE-2025-8088 vulnerability in espionage attacks on government and law enforcement agencies in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines. The attacks involve phishing emails with malicious archives that, when opened, exploit the vulnerability to write files outside the intended directory and achieve code execution. The payloads include a .NET loader that sends system information to an external server and receives additional malware. Financially motivated actors are also exploiting the flaw to distribute commodity remote access tools and information stealers. Google Threat Intelligence Group (GTIG) revealed that multiple threat actors, including nation-state adversaries and financially motivated groups, are exploiting the WinRAR vulnerability CVE-2025-8088. The exploit chain often involves concealing the malicious file within the alternate data streams (ADS) of a decoy file inside the archive, causing the payload to be extracted to a specific path (e.g., the Windows Startup folder) and automatically executing it once the user logs in to the machine after a restart.
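As an added defensive check (not code from the article or from any of the reports it cites), the function below inspects an archive's entry names, as obtained from any archive-listing tool, for the indicators the paragraph above describes: alternate-data-stream syntax in an entry name, `..` traversal, absolute paths, and a resolved destination that escapes the extraction directory or lands in the Startup folder. The entry names and the extraction directory are constructed for illustration.

```python
import ntpath
import re

# Constructed sample listing (not from any real archive), modelled on the pattern
# the article describes: a harmless decoy plus an ADS-style entry whose stream
# name climbs out of the extraction directory into the user's Startup folder.
SAMPLE_ENTRIES = [
    "Invitation_2025.pdf",
    "Invitation_2025.pdf:..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\update.exe",
    "..\\..\\evil.dll",
    "C:\\Windows\\Temp\\x.exe",
]
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)

def _inside(extract_dir, dest):
    """True if dest lies under extract_dir (case-insensitive Windows comparison)."""
    root = ntpath.normpath(extract_dir).lower().rstrip("\\")
    return dest.lower() == root or dest.lower().startswith(root + "\\")

def analyse_entry(name, extract_dir):
    """Return the set of indicator tags for one archive entry name."""
    tags = set()
    drive, rest = ntpath.splitdrive(name)    # keep 'C:' from being read as an ADS
    base, sep, stream = rest.partition(":")  # 'file:stream' = alternate data stream
    if sep:
        tags.add("ads")
    for path in filter(None, [drive + base, stream]):
        if ".." in re.split(r"[\\/]", path):
            tags.add("traversal")
        if path.startswith(("\\", "/")) or ntpath.splitdrive(path)[0]:
            tags.add("absolute")
        # Where this component lands if the extractor honours the name verbatim.
        dest = ntpath.normpath(ntpath.join(extract_dir, path))
        if not _inside(extract_dir, dest):
            tags.add("escapes_extract_dir")
        if STARTUP_RE.search(dest + "\\"):
            tags.add("startup_folder")
    return tags

def scan_listing(names, extract_dir="C:\\Users\\victim\\Downloads\\inv"):
    """Map each suspicious entry to its tags; clean entries are left out."""
    report = {}
    for name in names:
        tags = analyse_entry(name, extract_dir)
        if tags:
            report[name] = tags
    return report
```

Running `scan_listing(SAMPLE_ENTRIES)` flags the three hostile entries and leaves the decoy untouched; the same function can be pointed at the listing of any archive received by mail before it is extracted.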