Amaranth Dragon, a threat actor linked to APT41, has been conducting espionage attacks against government and law enforcement organizations across Southeast Asia by exploiting the WinRAR path traversal flaw CVE-2025-8088. The group used legitimate tools alongside a custom Amaranth Loader and Cloudflare-backed C2 infrastructure to deliver encrypted payloads (including the Havoc framework and the TGAmaranth RAT), employ strict geofencing, and maintain stealth and persistence. #AmaranthDragon #CVE2025-8088 #WinRAR #TGAmaranthRAT
Key points
- Amaranth Dragon, linked to APT41, was tracked since March 2025 and began exploiting CVE-2025-8088 in WinRAR on August 18, 2025.
- The actor combined legitimate tools with a custom Amaranth Loader to retrieve AES-encrypted payloads from Cloudflare-backed C2 servers restricted by geofencing.
- Earlier attacks used ZIP archives with .LNK and .BAT scripts, while later campaigns abused Alternate Data Streams to drop files in the Startup folder and added Registry Run keys for persistence.
- Observed payloads included the Havoc C2 framework and a new TGAmaranth RAT that uses a Telegram bot and supports file transfer, screenshots, and process enumeration.
- TGAmaranth employs EDR-evasion techniques such as replacing a hooked ntdll.dll, and defenders are advised to upgrade to WinRAR 7.13+ and apply Check Point's IoCs and YARA rules.
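As an added defensive illustration (not code from the report or from Check Point), the following Python pre-extraction check flags archive entry names that combine an Alternate Data Stream marker, path traversal and the Startup folder, which is the drop pattern the later campaigns are described as using. The sample listing, the severity scale and the function names are constructed for this example.

```python
import re

# Traversal ("..") as a whole path component, the form an extractor could follow out of the target directory.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.(?=[\\/]|$)")
# Per-user Startup folder, the drop location described for the later campaigns.
STARTUP_DIR = re.compile(r"start menu[\\/]programs[\\/]startup[\\/]", re.IGNORECASE)


def split_ads(entry: str):
    """Split 'file:stream' into (file, stream). A 'C:' drive prefix is not a stream."""
    idx = entry.find(":")
    if idx == -1 or idx == 1:
        return entry, None
    return entry[:idx], entry[idx + 1:]


def classify_entry(entry: str) -> dict:
    """Return findings and a constructed severity for one archive entry name."""
    base, stream = split_ads(entry)
    findings = []
    if stream is not None:
        findings.append("ads")
    # With an ADS entry the stream name is what gets written, so inspect that part.
    target = stream if stream is not None else base
    if TRAVERSAL.search(target) or target.startswith(("\\", "/")):
        findings.append("traversal")
    if STARTUP_DIR.search(target):
        findings.append("startup-target")
    if "traversal" in findings and "startup-target" in findings:
        severity = "high"
    elif "traversal" in findings:
        severity = "medium"
    elif findings:
        severity = "low"  # a bare ADS such as Zone.Identifier is common and usually benign
    else:
        severity = "none"
    return {"entry": entry, "findings": findings, "severity": severity}


def scan_listing(entries):
    """Classify every entry and keep only those that merit attention."""
    return [r for r in (classify_entry(e) for e in entries) if r["severity"] != "none"]


# Constructed sample listing; not taken from any real archive in the report.
SAMPLE = [
    "Q3_budget.pdf",
    "Q3_budget.pdf:Zone.Identifier",
    "Q3_budget.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "docs/../../tmp/x.bat",
]

if __name__ == "__main__":
    for r in scan_listing(SAMPLE):
        print(r["severity"], r["entry"], r["findings"])
```

Run it against the entry listing your archive tool exposes (for example `unrar lt` or `7z l` output) before extraction; anything rated high is worth quarantining rather than opening.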