Cybersecurity

Cyber: New Amaranth Dragon Cyberespionage Group Exploits Winrar Flaw

2026-02-04 0 views admin
Cyber: New Amaranth Dragon Cyberespionage Group Exploits Winrar Flaw

A new threat actor called Amaranth Dragon, linked to APT41 state-sponsored Chinese operations, exploited the CVE-2025-8088 vulnerability in WinRAR in espionage attacks on government and law enforcement agencies.

The hackers combined legitimate tools with the custom Amaranth Loader to deliver encrypted payloads from command-and-control (C2) servers behind Cloudflare infrastructure, for more accurate targeting and increased stealth.

According to researchers at cybersecurity company Check Point, Amaranth Dragon targeted organizations in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines.

The CVE-2025-8088 vulnerability can be exploited to write malicious files to arbitrary locations by leveraging the Alternate Data Streams (ADS) feature in Windows. Multiple threat actors exploited it in zero-day attacks since mid-2025 to achieve persistence by dropping malware in the Windows Startup folder.

Last week, a report from Google Threat Intelligence Group (GTIG) showed that CVE-2025-8088 was still actively exploited by multiple threat groups, including RomCom, APT44, Turla, and various China-linked bad actors.

Check Point reports that Amaranth Dragon started exploiting the WinRAR flaw on August 18, 2025, four days after the first working exploit became publicly available.

However, the researchers have been tracking the malicious actor's activity since March 2025 and identified multiple campaigns, each restricted to targeting one or two countries via strict geofencing.

Furthermore, the lures used in the attacks were themed around geopolitical or local events.

In attacks before August 2025, Amaranth Dragon's attacks relied on ZIP archives with .LNK and .BAT files that included the scripts to decrypt and run the group's loader.

When exploits for CVE-2025-8088 became available, the threat actor leveraged the vulnerability to place a malicious script in the Startup folder. In some cases, a Registry Run key was also created for redundancy.

Source: BleepingComputer

🏷️ Tags

cybersecuritysecurityhackvulnerabilitycve

More from Cybersecurity

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

2026-02-24 0
Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

2026-02-24 0
Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

2026-02-24 0
Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

2026-02-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views