Amaranth-Dragon (a cluster with technical overlaps to APT-41) ran highly targeted espionage campaigns across Southeast Asia in 2025 using weaponized archives that exploited WinRAR CVE-2025-8088, a custom Amaranth Loader, Havoc C2, and a new Telegram-based RAT, TGAmaranth. The campaigns used geo-restricted, Cloudflare-fronted C2s, legitimate hosting (Dropbox, Pastebin), DLL sideloading, and payload encryption to maximize stealth and persistence. #Amaranth-Dragon #TGAmaranth
Keypoints
- Amaranth-Dragon targeted government and law enforcement organizations across Southeast Asia (Cambodia, Thailand, Laos, Indonesia, Singapore, Philippines) with campaigns timed to local geopolitical events.
- The group exploited the WinRAR path traversal CVE-2025-8088 via malicious RAR archives to drop scripts into the Startup folder, giving code execution at the next logon and persistence in one step; the exploit was in use soon after the vulnerability's public disclosure.
- Delivery leveraged legitimate services (Dropbox, Pastebin, group-controlled web servers) and password-protected archives to bypass scanning; Amaranth Loader retrieved AES keys and decrypted Havoc payloads in-memory.
- Command-and-control infrastructure used Cloudflare protection and geofencing (HTTP 403 for non-target countries) to restrict payload delivery to intended victims and minimize collateral infections.
- A new Telegram-based RAT (TGAmaranth) was observed, using an encrypted Telegram bot token for C2 and implementing anti-EDR/anti-AV techniques including ntdll unhooking via a suspended child process.
- Technical overlaps with APT-41 were identified (tooling, DLL sideloading patterns, compilation timestamps, development artifacts), and operational timezone analysis indicates UTC+8 activity.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Targeted emails delivering weaponized RAR archives as attachments. (‘Targeted emails with malicious RAR archives exploiting CVE-2025-8088.’)
- [T1204.002] User Execution: Malicious File – Victims are socially engineered to open the weaponized archives, which triggers execution. (‘Victims are lured to open weaponized archive files, triggering code execution.’)
- [T1203] Exploitation for Client Execution – Exploitation of the WinRAR path traversal (CVE-2025-8088) to write files outside the extraction directory and drop persistence scripts. (‘Exploitation of WinRAR vulnerability (CVE-2025-8088) to execute arbitrary code.’)
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via scripts dropped into the Startup folder and Run registry keys created to launch sideloaded loaders. (‘Malicious scripts or payloads dropped into the Startup folder for persistence.’ / ‘Persistence via registry key modification (Run key).’)
- [T1053] Scheduled Task/Job – Scheduled task creation observed as a persistence mechanism in some samples. (‘Creating scheduled tasks for persistence.’)
- [T1218] System Binary Proxy Execution – DLL sideloading through legitimate signed executables to invoke the Amaranth Loader; note that MITRE catalogues the sideloading itself under T1574.002 (Hijack Execution Flow: DLL Side-Loading). (‘Sideloading Amaranth loader via legitimate executables.’)
- [T1027] Obfuscated Files or Information – AES-encrypted payloads, password-protected archives, and custom string/encryption routines that obscure payloads and C2 data. (‘Encrypted payloads (AES), use of password-protected archives, and obfuscated delivery.’)
- [T1071.001] Application Layer Protocol: Web Protocols – Havoc C2 over HTTP/HTTPS, with geo-restricted delivery enforced by the C2 servers. (‘C2 communication over HTTP/HTTPS, including geo-restricted infrastructure.’)
- [T1102] Web Service – Pastebin and group-controlled web hosts used for AES key delivery, and the Telegram Bot API used for RAT C2. (‘Use of Pastebin for AES key delivery and Telegram for RAT C2.’)
- [T1105] Ingress Tool Transfer – Download of additional payloads (encrypted RARs, Havoc) from attacker-controlled infrastructure and legitimate cloud providers. (‘Downloading additional payloads (e.g., Havoc Framework) from attacker-controlled infrastructure.’)
- [T1082] System Information Discovery – Post-compromise frameworks (Havoc, the RAT) enumerate system details as part of operations. (‘RATs and frameworks like Havoc typically enumerate system information.’)
- [T1056] Input Capture – RAT capabilities include input capture to harvest keystrokes or similar data. (‘RATs may capture keystrokes or other sensitive data.’)
- [T1041] Exfiltration Over C2 Channel – Stolen data and PII exfiltrated over the established C2 channels (Havoc, Telegram bot). (‘Stolen data exfiltrated via established C2 channels (Havoc, Telegram RAT).’)
Indicators of Compromise
- [File Hashes] Malicious loaders, RATs, and payloads observed in campaigns – Amaranth Loader: 00351add8e0bca838e8dac40875b8ad5195805bd4…, TGAmaranth RAT: 803fb65a58808fd3752f9f76b5c75ca914196305 (Havoc payload hashes are also listed).
- [Archive URLs] Download locations used to deliver encrypted payloads – dropbox[.]com/scl/fi/ln6q8ip8k3dvx6xxyi71s/gs.rar?rlkey=…, catalogs[.]dailydownloads[.]net/archives/microsoft/office/@MrPresident_001_bot.rar.
- [Domains / Hosting] Key servers and payload hosts used for AES keys, payloads, and C2 – daily[.]getfreshdata[.]com, softwares[.]dailydownloads[.]net, updates[.]dailydownloads[.]net, todaynewsfetch[.]com.
- [IP Addresses] Havoc C2 and infrastructure IPs used in configurations – examples: 93.123.17[.]151, 92.223.124[.]45 (and additional 92.223.* addresses used across campaigns).
- [File Names] Lure and archive filenames used in social engineering – PCG_124th_Anniversary_Event_Documents_Office_of_the_President_23102025-Archive.zip, SK_GajiPNS_Kemenko_20250818.rar.
- [Key / Paste URLs] AES key hosting endpoints used by the Amaranth Loader – pastebin[.]com/raw/Z7xayGZ8, daily[.]getfreshdata[.]com/dailynews/key.txt (and other pastebin raw URLs observed).
- [Telegram Bot / C2 Credentials] Telegram-based RAT control channel used for remote commands – decrypted bot token observed: 8285002613:AAEyRgJTpVgmyQ38fOO1i3ofqhqLmhQqZs8; filename @MrPresident_001_bot.rar referenced as bot-related artifact.
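An added example (not code from the report) of how the Telegram-based C2 described in the key points and the bot token listed in the IoCs above can be hunted in web-proxy telemetry: it pulls bot tokens out of URLs or any other text, matches them against the reported token, and flags Bot API calls from processes that have no business talking to api.telegram.org. The key=value log format, the host and process names in the sample lines and the allowlist of expected processes are assumptions; the only real token in the block is the IoC from this page.

```python
"""Hunt Telegram Bot API C2 in web-proxy logs.

Added example, not code from the report. The key=value log format, the
host and process names in SAMPLE_LOG and the EXPECTED_PROCS allowlist are
assumptions; REPORTED_TOKEN is the TGAmaranth IoC listed above.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# A bot token is "<numeric bot id>:<35-character secret>".
BOT_TOKEN_RE = re.compile(r"(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# Bot API calls look like https://api.telegram.org/bot<token>/<method>.
BOT_PATH_RE = re.compile(r"^/bot(\d{8,10}:[A-Za-z0-9_-]{35})/(\w+)")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Token from the IoC list above; extend the set with your own watchlist.
REPORTED_TOKEN = "8285002613:AAEyRgJTpVgmyQ38fOO1i3ofqhqLmhQqZs8"
KNOWN_BAD_TOKENS = {REPORTED_TOKEN}
# Processes for which Bot API traffic is plausible (assumption; tune locally).
EXPECTED_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def find_bot_tokens(text: str) -> List[str]:
    """Pull every bot token out of arbitrary text (URLs, configs, memory strings)."""
    return [f"{bot_id}:{secret}" for bot_id, secret in BOT_TOKEN_RE.findall(text)]


def inspect(line: str) -> Optional[Dict[str, str]]:
    """Return an alert for one proxy log line, or None if it is not a Bot API C2 indicator."""
    rec = dict(KV_RE.findall(line))
    parts = urlsplit(rec.get("url", ""))
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    if not m:
        return None
    token, method = m.group(1), m.group(2)
    proc = rec.get("proc", "").rsplit("\\", 1)[-1].lower()   # basename of the image path
    reasons = []
    if proc not in EXPECTED_PROCS:
        reasons.append(f"Bot API call from unexpected process {proc or 'unknown'}")
    if token in KNOWN_BAD_TOKENS:
        reasons.append("token matches reported TGAmaranth IoC")
    if not reasons:
        return None          # a browser using an unknown bot: noise, not an alert
    return {
        "host": rec.get("host", "?"),
        "proc": proc,
        "bot_id": token.split(":", 1)[0],   # record the id, never the secret half
        "method": method,                  # getUpdates = polling, sendDocument = exfil
        "reasons": "; ".join(reasons),
    }


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run inspect() over a log and keep only the alerts."""
    return [a for a in (inspect(line) for line in lines) if a]


_BENIGN_TOKEN = "123456789:AAHtestTOKENtestTOKENtestTOKENtest0"   # constructed, 35-char secret
# Constructed proxy lines: normal browsing, a developer poking a bot, then two C2-style calls.
SAMPLE_LOG = [
    "ts=2025-10-23T08:14:02Z host=WS-017 proc=C:\\Program_Files\\chrome.exe method=GET url=https://www.example.org/ status=200",
    f"ts=2025-10-23T08:15:40Z host=WS-017 proc=chrome.exe method=GET url=https://api.telegram.org/bot{_BENIGN_TOKEN}/getMe status=200",
    f"ts=2025-10-23T08:16:11Z host=WS-042 proc=C:\\ProgramData\\Update\\svchost.exe method=POST url=https://api.telegram.org/bot{REPORTED_TOKEN}/getUpdates status=200",
    f"ts=2025-10-23T08:21:55Z host=WS-042 proc=C:\\ProgramData\\Update\\svchost.exe method=POST url=https://api.telegram.org/bot{REPORTED_TOKEN}/sendDocument status=200",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The alert keeps only the numeric bot id: the secret half of the token is a live credential for the attacker's bot, and copying it into tickets and SIEM dashboards spreads it further than it needs to go. Because Telegram traffic is TLS, this only works where the proxy terminates TLS or the EDR logs full URLs; on a plain NetFlow feed the equivalent hunt is repeated, scheduled connections to api.telegram.org from hosts where no messaging client is installed.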