A Chinese-aligned threat group tracked as Amaranth-Dragon rapidly weaponized a WinRAR path traversal flaw (CVE-2025-8088) to deliver crafted RAR archives that write attacker-controlled files outside the extraction directory and so run code once the archive is opened, targeting government and law enforcement agencies across Southeast Asia. The attackers deploy an Amaranth loader to fetch Havoc C2 payloads and a TGAmaranth RAT that uses a Telegram bot for C2, tailoring lures to local events to increase the chance that a target opens the archive. #AmaranthDragon #CVE-2025-8088
Keypoints
- Amaranth-Dragon weaponized CVE-2025-8088 within ten days of its public disclosure.
- Campaigns targeted high-profile government and law enforcement organizations in Thailand, Indonesia, Singapore, and Cambodia.
- Crafted RAR archives exploit the WinRAR path traversal so that opening them plants attacker-controlled files outside the chosen extraction directory, leading to arbitrary code execution.
- Attackers use an Amaranth loader to retrieve encrypted Havoc C2 payloads; the C2 server only answers requests geolocated in the targeted countries, which also frustrates retrieval by sandboxes and researchers outside those countries.
- Operators deployed the TGAmaranth RAT, which uses a Telegram bot as its C2 channel to exfiltrate PII and receive remote commands.
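The vulnerability class behind CVE-2025-8088 is an extractor that trusts archive entry names. The following added example (written for this summary, not code from the page, from Amaranth-Dragon's tooling or from WinRAR) shows the naive join a traversal-prone extractor effectively performs next to a hardened containment check, and uses the check to triage a list of entry names. The entry names are constructed for illustration, the destination directory `extract_out` is a placeholder, and the check covers the general path-traversal class only; it does not reproduce the specific trigger used against WinRAR.

```python
"""Archive entry containment check (added illustrative example, not page code)."""
import os
import posixpath
import re

# Constructed sample entry names modelled on the traversal class the summary
# describes; they are not indicators taken from any real archive.
SAMPLE_ENTRIES = [
    "report/summary.docx",
    "report/../../../Users/Public/loader.exe",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "/etc/cron.d/backdoor",
    "C:\\Windows\\Temp\\drop.dll",
    "notes/ok/../fine.txt",
]

_DRIVE_RE = re.compile(r"^[A-Za-z]:")


class TraversalError(ValueError):
    """Raised when an entry name would resolve outside the extraction root."""


def normalize_entry(name: str) -> str:
    # Archive writers choose the separator, so treat '\\' and '/' alike; this
    # keeps a Windows-style traversal from slipping past a POSIX-hosted check
    # (assumption: one rule for both separator styles is wanted).
    return name.replace("\\", "/")


def naive_target_path(dest: str, name: str) -> str:
    # What a traversal-prone extractor effectively does: join and trust the
    # entry name. '..' components walk straight out of dest.
    return os.path.normpath(os.path.join(dest, normalize_entry(name)))


def safe_target_path(dest: str, name: str) -> str:
    # Hardened form: reject NUL bytes, absolute and drive-qualified names,
    # then collapse '..' and verify the resolved path stays under dest.
    norm = normalize_entry(name)
    if "\x00" in norm:
        raise TraversalError(f"NUL byte in entry name: {name!r}")
    if norm.startswith("/") or _DRIVE_RE.match(norm):
        raise TraversalError(f"absolute entry name: {name!r}")
    collapsed = posixpath.normpath(norm)
    if collapsed == ".." or collapsed.startswith("../"):
        raise TraversalError(f"entry escapes extraction directory: {name!r}")
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, collapsed))
    # realpath also follows symlinks already present under dest, so a
    # previously planted link cannot redirect a later entry outside root.
    if os.path.commonpath([root, target]) != root:
        raise TraversalError(f"entry escapes extraction directory: {name!r}")
    return target


def scan_entries(dest: str, names) -> list[str]:
    """Return the entry names that the hardened check would refuse."""
    flagged = []
    for n in names:
        try:
            safe_target_path(dest, n)
        except TraversalError:
            flagged.append(n)
    return flagged


if __name__ == "__main__":
    for n in scan_entries("extract_out", SAMPLE_ENTRIES):
        print("REJECT", n, "->", naive_target_path("extract_out", n))
```

The containment test is the same one any extraction code, or a pre-extraction triage script run over inbound attachments, should apply: names are untrusted input, and the decision must be made on the resolved path rather than on a substring search for `..`.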