According to Check Point Research (CPR), a Chinese-aligned threat group known as Amaranth-Dragon rapidly weaponised a newly disclosed WinRAR flaw to spy on Southeast Asia, less than ten days after CVE-2025-8088 was disclosed. The campaign has targeted government and law enforcement entities in Thailand, Indonesia and Singapore, leveraging a path traversal vulnerability to turn a benign-looking archive into a backdoor.
CVE-2025-8088 was disclosed on 8 August 2025, and by 18 August the group was already using it in campaigns; the flaw allows arbitrary code execution when a victim opens a malicious RAR file. The attackers dropped a script into the Windows Startup folder for persistence, deployed the Amaranth loader to fetch encrypted payloads such as Havoc C2, and used a Telegram bot-based RAT, TGAmaranth, to exfiltrate PII and issue remote commands while blending its traffic with legitimate messaging.
The operation is linked to the APT-41 nexus and illustrates a rapid weaponisation trend that exploits newly disclosed vulnerabilities to conduct targeted espionage in the region.