- Amaranth Dragon, linked to APT41, joins groups exploiting WinRAR CVE-2025-8088
- Targets include organizations across Southeast Asia, using custom loaders and Cloudflare masquerading servers.
- Vulnerability abused since mid-2025 by multiple state actors, with malware hidden in NTFS Alternate Data Streams
We can now add Amaranth Dragon to the list of Chinese state-sponsored actors abusing the recently discovered WinRAR vulnerability.
Security researchers at Check Point have reported attacks from this group targeting organizations in Singapore, Thailand, Indonesia, Cambodia, Laos and the Philippines.
It was recently revealed that WinRAR, the iconic Windows archiving program, contained a high severity vulnerability that allowed threat actors to execute arbitrary code on compromised endpoints. The bug was described as a path traversal bug that affects versions 7.12 and earlier. It is tracked as CVE-2025-8088, with a severity score of 8.4/10 (high).
When the vulnerability was first discovered, several security teams warned that it was being abused by numerous threat actors, both state-sponsored and otherwise. Now, new reports say that among them is Amaranth Dragon, a threat actor allegedly linked to APT41. This group uses a combination of legitimate tools and a custom loader, which deploys encrypted payloads from a server hidden behind Cloudflare infrastructure.
Previous reports said that RomCom, a group aligned with the Russian government, abused this flaw to deploy NESTPACKER against Ukrainian military units. Some researchers also mentioned APT44 and Turla, Carpathian, and several Chinese actors who were deploying the POISONIVY malware.
Google’s Threat Intelligence Group (GTIG), the cybersecurity arm that primarily tracks state-sponsored attackers, said the first signs of abuse were observed in mid-July 2025. Since then, attackers have been using NTFS Alternate Data Streams (ADS) entries in WinRAR archives to write malware to arbitrary locations on target devices. Amaranth Dragon apparently began using this bug in mid-August last year, just days after the first working exploit was made public.
“While the user typically sees a decoy document, such as a PDF, within the file, there are also malicious ADS entries, some containing a hidden payload while others are dummy data,” Google said.
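As an added example that is not part of the article or of any vendor report it cites, the following Python check can be run over an archive's entry list (as printed by any RAR listing tool) to flag the two things Google describes: Alternate Data Stream suffixes on entry names, and path components that would place a file outside the extraction directory. The entry names below are constructed samples, not indicators from any real campaign.

```python
import ntpath
from dataclasses import dataclass, field

# Constructed sample listing (not from any real archive): a decoy document, a benign
# entry, an ADS entry whose stream name climbs out of the extraction directory,
# an ADS entry holding dummy data, a plain traversal entry and an absolute path.
SAMPLE_ENTRIES = [
    "report.pdf",
    "images/logo.png",
    "report.pdf:..\\..\\..\\dropped.exe",
    "report.pdf:junk",
    "../../escaped.txt",
    "C:\\absolute\\path.txt",
]

@dataclass
class Finding:
    entry: str
    reasons: list[str] = field(default_factory=list)

def _escapes_root(path: str) -> bool:
    """True if the path, normalized with Windows semantics, leaves the extraction root."""
    norm = ntpath.normpath(path.replace("/", "\\"))
    if ntpath.isabs(norm) or ntpath.splitdrive(norm)[0] or norm.startswith("\\"):
        return True
    return norm == ".." or norm.startswith("..\\")

def check_entry(name: str) -> Finding:
    """Flag an archive entry that could write outside the extraction directory.
    The NTFS ADS suffix (`file:stream`) is split off first, because the stream name
    is where a traversal can hide while the visible file name looks harmless."""
    finding = Finding(name)
    base, sep, stream = name.partition(":")
    # A colon right after a single drive letter is not an ADS marker ("C:\...").
    if sep and len(base) == 1 and base.isalpha():
        base, stream = name, ""
    if stream:
        finding.reasons.append("alternate data stream")
        if _escapes_root(stream):
            finding.reasons.append("stream name escapes extraction root")
    if _escapes_root(base):
        finding.reasons.append("path escapes extraction root")
    return finding

def suspicious_entries(entries: list[str]) -> list[Finding]:
    """Return only the entries that carry at least one reason to block extraction."""
    return [f for f in map(check_entry, entries) if f.reasons]
```

Running `suspicious_entries(SAMPLE_ENTRIES)` flags four of the six constructed names; the benign document and image pass. This is a listing-level check, so it complements, rather than replaces, updating WinRAR to a fixed version.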
Via BleepingComputer