China-linked Amaranth-Dragon has been observed exploiting the CVE-2025-8088 flaw in WinRAR to deliver tailored malware in targeted espionage campaigns against government and law enforcement agencies across Southeast Asia, with activity noted in 2025, eight days after the vulnerability's public disclosure.
According to Check Point Research, the group distributes a malicious RAR archive containing an Amaranth Loader that uses DLL side-loading to decrypt and execute payloads; the final payload frequently deploys Havoc, an open-source C2 framework. Targeted countries include Cambodia, Thailand, Laos, Indonesia, Singapore and the Philippines, with lures tied to political, economic or military developments, and spear-phishing emails potentially directing victims to archive files hosted on Dropbox.
The researchers describe the campaigns as narrowly focused, stealthy and highly propagating, designed to maintain long-term persistence for geopolitical intelligence collection; the C2 infrastructure is configured to accept traffic from specific countries in order to limit exposure. Amaranth-Dragon's links to APT41 are suggested by overlaps in malware arsenal and development style, leading to the conclusion that the group is closely linked to, or part of, the APT41 ecosystem.