Cyber: China-linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage...

A fresh set of cyber espionage campaigns targeting government and law enforcement agencies across Southeast Asia throughout 2025 has been attributed to threat actors affiliated with China.

Check Point Research is tracking the previously undocumented activity cluster under the moniker Amaranth-Dragon, which it said shares links to the APT41 ecosystem. Targeted countries include Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines.

"Many of the campaigns were timed to coincide with sensitive local political developments, official government decisions, or regional security events," the cybersecurity company said in a report shared with The Hacker News. "By anchoring malicious activity in familiar, timely contexts, the attackers significantly increased the likelihood that targets would engage with the content."

The Israeli firm added that the attacks were "narrowly focused" and "tightly scoped," indicating efforts on the part of the threat actors to establish long-term persistence for geopolitical intelligence collection.

The most notable aspect of the threat actors' tradecraft is the high degree of stealth: the campaigns are "highly controlled," and the attack infrastructure is configured to interact only with victims in specific target countries, in an attempt to minimize exposure.

Attack chains mounted by the adversary have been found to abuse CVE-2025-8088, a now-patched security flaw impacting RARLAB WinRAR that allows for arbitrary code execution when specially crafted archives are opened by targets. The exploitation of the vulnerability was observed about eight days after its public disclosure in August.

"The group distributed a malicious RAR file that exploits the CVE-2025-8088 vulnerability, allowing the execution of arbitrary code and maintaining persistence on the compromised machine," Check Point researchers noted. "The speed and confidence with which this vulnerability was operationalized underscores the group's technical maturity and preparedness."

Although the exact initial access vector remains unknown at this stage, the highly targeted nature of the campaigns, coupled with the use of tailored lures related to political, economic, or military developments in the region, suggests that spear-phishing emails were used to distribute the archive files. The archives were hosted on well-known cloud platforms such as Dropbox to lower suspicion and bypass traditional perimeter defenses.

The archive contains several files, including a malicious DLL

Source: The Hacker News