Malware News Amaranth-Dragon: Weaponizing CVE-2025-8088 for Targeted Espionage in Southeast Asia

Khushal
Apr 4, 2024
In 2025, the Amaranth-Dragon APT weaponized WinRAR's CVE-2025-8088 for targeted espionage across Southeast Asia. Custom loader, Telegram RAT, geofenced C2, and event-themed lures.
 
The Check Point Research post is a solid example of how “commodity” client-side bugs (like WinRAR archive handling) get folded into higher-end espionage tradecraft once a reliable exploit path exists.

Key points from the report (as written by Check Point)
  • They track the activity cluster as “Amaranth-Dragon”, with targeting focused on government entities in Southeast Asia, and note tooling/OPSEC overlaps that may indicate a link or shared resources with APT-41. ([research.checkpoint.com](https://research.checkpoint.com/2026/amaranth-dragon-weaponizes-cve-2025-8088-for-targeted-espionage/))
  • Initial access/delivery included event-themed lures; at least one described campaign is dated October 23, 2025 (Philippines Coast Guard theme), and Check Point explicitly notes that particular campaign did not use CVE-2025-8088. ([research.checkpoint.com](https://research.checkpoint.com/2026/amaranth-dragon-weaponizes-cve-2025-8088-for-targeted-espionage/))
  • Their toolchain includes a custom “Amaranth Loader” used to deliver encrypted payloads (with Havoc C2 observed), plus infrastructure protected by Cloudflare and configured to only respond to IPs from targeted countries (geofencing). ([research.checkpoint.com](https://research.checkpoint.com/2026/amaranth-dragon-weaponizes-cve-2025-8088-for-targeted-espionage/))
  • They also describe “TGAmaranth RAT”, a Telegram-bot-based RAT with anti-EDR/anti-AV features. ([research.checkpoint.com](https://research.checkpoint.com/2026/amaranth-dragon-weaponizes-cve-2025-8088-for-targeted-espionage/))

About CVE-2025-8088 (WinRAR for Windows)
CVE-2025-8088 is a path traversal issue in WinRAR for Windows that can allow code execution via a crafted archive; NVD also notes it was exploited in the wild and is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog (date added: August 12, 2025; due date shown for FCEB: September 2, 2025). ([nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2025-8088))

Defensive takeaways (practical)
  • Inventory and update: Ensure WinRAR (and any apps bundling UnRAR/UnRAR.dll) is updated to a fixed release; do not assume auto-update will save you.
  • Reduce exposure to risky archive workflows: Treat unsolicited archives as high-risk, especially those containing or extracting .LNK, scripts, or “installer-looking” content.
  • Email/web controls: Consider blocking or quarantining inbound archives from external senders where business-justified (or at least detonate/sandbox them).
  • User-space persistence monitoring: Alert on new artifacts in user Startup folders and on new/changed Run keys, especially shortly after archive extraction.
  • If you’re an org and Telegram is not required: restricting or monitoring Telegram traffic can reduce the value of Telegram-bot C2 (but validate business impact first).

Detection / validation
Check Point included technical details (tooling behaviors, infrastructure patterns) and YARA in the write-up; for defenders, the safest path is to consume those IOCs/signatures directly from the vendor post and validate matches in your own telemetry before taking action. ([research.checkpoint.com](https://research.checkpoint.com/2026/amaranth-dragon-weaponizes-cve-2025-8088-for-targeted-espionage/))

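To make the "path traversal via crafted archive" point concrete, here is an added example (written for this thread, not code from Check Point or from the post above) of the generic check an archive extractor, mail gateway or sandbox pre-filter should run on every entry name before anything is written to disk. It does not reproduce the WinRAR bug itself; it shows what a traversal entry aimed at a Startup folder looks like and why normalizing the name against the extraction root catches it. The extraction root, the autostart marker list and every sample entry name are constructed for the example.

```python
"""Archive-entry triage for the path-traversal pattern behind CVE-2025-8088.

Added example for the thread, not Check Point's or the poster's code, and not a
reproduction of the WinRAR bug. It applies the generic check an extractor (or a
gateway/sandbox pre-filter) should run on every entry name: does the resolved
path stay inside the extraction directory, and is it aimed at an autostart
folder? The extraction root and all sample entry names are constructed.
"""
import ntpath
import posixpath
from dataclasses import dataclass, field

# User- and machine-level Startup folders in normalized lower-case form.
# Assumed list for this example; extend with other autostart paths you track.
AUTOSTART_MARKERS = (
    "appdata/roaming/microsoft/windows/start menu/programs/startup/",
    "programdata/microsoft/windows/start menu/programs/startup/",
)
# Content that runs, or causes something to run, once it lands in such a folder.
RISKY_EXTENSIONS = (".cmd", ".bat", ".lnk", ".exe", ".dll", ".ps1", ".vbs", ".js", ".hta")


@dataclass
class Finding:
    entry: str
    reasons: list = field(default_factory=list)


def normalize(entry: str) -> str:
    """Unify separators and fold '.'/'..' components without touching the disk."""
    return posixpath.normpath(entry.replace("\\", "/"))


def classify_entry(entry: str, extract_root: str = "C:\\Users\\victim\\Downloads\\lure") -> Finding:
    """Return the reasons (if any) this entry name should block extraction."""
    finding = Finding(entry)
    norm = normalize(entry)
    lower = norm.lower()
    root = normalize(extract_root).lower()

    # 1. Archives have no business carrying absolute or drive-qualified names.
    is_absolute = lower.startswith("/") or bool(ntpath.splitdrive(lower)[0])
    if is_absolute:
        finding.reasons.append("absolute-path")

    # 2. Traversal: resolve the name against the root and check it stays inside.
    resolved = lower if is_absolute else posixpath.normpath(posixpath.join(root, lower))
    if resolved != root and not resolved.startswith(root + "/"):
        finding.reasons.append("escapes-extraction-root")

    # 3. Aimed at a Startup folder: the persistence pattern described in the report.
    if any(marker in resolved for marker in AUTOSTART_MARKERS):
        finding.reasons.append("targets-startup-folder")

    # 4. Executable content, which runs at next logon if (3) also holds.
    if lower.endswith(RISKY_EXTENSIONS):
        finding.reasons.append("executable-extension")
    return finding


def triage_archive(entries):
    """Return only the entries with findings; an empty list means the listing is clean."""
    return [f for f in (classify_entry(e) for e in entries) if f.reasons]


# Constructed listing of a lure archive: one benign decoy plus a traversal entry
# shaped like the Startup-folder drop described in the thread.
SAMPLE_ENTRIES = [
    "Falcon Strike 2025/Agenda.pdf",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Windows Defender Definition Update.cmd",
]

if __name__ == "__main__":
    for f in triage_archive(SAMPLE_ENTRIES):
        print(f"BLOCK {f.entry!r}: {', '.join(f.reasons)}")
```

The check is done on the normalized name, never by writing a file and inspecting it afterwards; by then the Startup folder already has the script. The same logic applies to ZIP, 7z and tar listings, which is why it is written against entry strings rather than any one archive library.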
Strange how such a fresh exploit shows up right there… more than noise, it feels like a whispered move. Like someone not knocking on the door, but sliding a note under the rug. Targeted espionage rather than a mass attack?🕵️ Or maybe a coded message for those who know how to read between the lines…👓
 
Technical Analysis & Remediation

Threat Profile

Amaranth-Dragon

Origin/Attribution
Linked to Chinese state interests (APT-41 nexus); operates on UTC+8 (China Standard Time).

Objective
Cyber-espionage, geopolitical intelligence gathering.

Infrastructure
Geo-fenced C2s (Cloudflare) restricting access to specific target countries; Telegram-based C2 for RAT operations.

Vulnerability Vector
CVE-2025-8088
Type: Path Traversal / Arbitrary File Write.

Mechanism
Maliciously crafted RAR archives containing ".." sequences allow attackers to break out of the extraction path.

Exploitation
Used to drop persistence scripts (e.g., Windows Defender Definition Update.cmd) directly into the Windows Startup folder upon archive extraction.

Malware Arsenal & TTPs (MITRE ATT&CK)

Phishing (T1566)
Usage of lure documents/archives (e.g., "Salary Bonuses," "Falcon Strike 2025") hosted on legitimate services like Dropbox.

DLL Side-Loading (T1574.002)
Abuse of legitimate binaries (ZoomUpdate.exe, obs-browser-page.exe) to load malicious DLLs (DllSafeCheck64.dll, libcef.dll) from user-writable directories.

Impair Defenses: Disable or Modify Tools (T1562.001)
The TGAmaranth RAT performs "unhooking" by spawning a suspended process, reading clean memory, and overwriting its own ntdll.dll to bypass EDR sensors.

Web Service (T1102)
Command and Control (C2) traffic is routed through legitimate web services, specifically the Telegram API (for RAT commands) and Pastebin (for AES key retrieval).

Registry Run Keys / Startup Folder (T1547.001)
Persistence is established by dropping scripts like Windows Defender Definition Update.cmd directly into the Windows Startup folder.

Live Evidence Extraction (Anchors)

Hardcoded RAR Password
"S8jwaqfA0BBuWOAKrFLg" or "suu9cskRIQjsBxYtr9TH".

AES IV (Amaranth Loader)
12 34 56 78 90 AB CD EF 34 56 78 90 AB CD EF 12.

Persistence Script
"Windows Defender Definition Update.cmd".

Pastebin Actor
"amaranthbernadine".

Remediation - THE ENTERPRISE TRACK (SANS PICERL)

Phase 1: Identification & Containment

Network Block
Immediately block traffic to the identified C2 domains and the specific Pastebin account:

drive.easyboxsync[.]com

softwares.dailydownloads[.]net

www.todaynewsfetch[.]com

Endpoint Hunt
Query EDR/SIEM for the execution of ZoomUpdate.exe or obs-browser-page.exe originating from unusual locations like %APPDATA% or Public\Documents (legitimate instances usually run from Program Files).

Query (Sigma Logic)
Image NOT IN ("C:\Program Files*") AND Image ENDSWITH ("\ZoomUpdate.exe", "\obs-browser-page.exe").

Isolation
Isolate endpoints showing connections to Telegram API (api.telegram.org) if Telegram is not a sanctioned business application.

Phase 2: Eradication

Patching
Deploy the latest update for WinRAR (version > 7.01 or latest 2026 build) across the fleet to neutralize CVE-2025-8088.

File Removal
Remove the following persistence artifacts if found:

%APPDATA%\ZoomWorkspace\DllSafeCheck64.dll

C:\Users\Public\Documents\Microsoft\libcef.dll

Startup items
Windows Defender Definition Update.cmd

Registry Clean
Delete malicious Run keys referencing the dropped executables in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Phase 3: Recovery

Credential Reset
Force password resets for users on affected machines, as TGAmaranth RAT has PII and credential theft capabilities.

Re-image
Due to the "memory-only" execution of the Havoc payload and sophisticated unhooking, reimaging is recommended for confirmed infected hosts.

Phase 4: Lessons Learned

Application Whitelisting
Implement AppLocker/WDAC to prevent the execution of unsigned scripts or DLLs from user-writable directories.

Geo-Blocking
Review web proxy logs for blocked 403 responses to known malicious domains; Amaranth-Dragon blocks non-target IPs, so a 403 might indicate an attempted (but geofenced) infection.

Remediation - THE HOME USER TRACK

Priority 1: Safety & Scanning

Disconnect
Immediately disconnect the device from the internet.

Update Software
Update WinRAR immediately. If you are unsure, uninstall it and use the built-in Windows zipper or 7-Zip (ensure it is also updated).

Check Startup
Open Task Manager (Ctrl+Shift+Esc), go to the Startup apps tab. Look for suspicious entries like Windows Defender Definition Update or scripts pointing to ZoomUpdate. Disable them.

Priority 2: Persistence Removal

Manual Check
Navigate to %APPDATA% (type %appdata% in the File Explorer address bar).

Delete
Look for a folder named ZoomWorkspace. If it contains ZoomUpdate.exe and DllSafeCheck64.dll, delete the entire folder.
Note: Genuine Zoom installs are usually in AppData\Roaming\Zoom\bin.

Public Docs
Check C:\Users\Public\Documents\Microsoft. If you see obs-browser-page.exe or libcef.dll there, delete them.

Priority 3: Identity

Change Passwords
If you found any of the files above, consider your passwords compromised. Change them from a different, clean device.

Hardening & References

Baseline
CIS Benchmark for Windows 11/10 (Disable script execution in temp folders).

Reference
Check Point Research

Standard Vulnerability References (Contextual)

NVD (National Vulnerability Database)
CVE-2025-8088 (WinRAR Path Traversal)

MITRE ATT&CK
APT-41 (Group G0096)

Tooling
Use Sysinternals Autoruns to detect hidden persistence mechanisms that Task Manager might miss.
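The Endpoint Hunt and Isolation steps in the enterprise track above can be expressed as a handful of rules over process, image-load, file-create and network events. The following is an added example written for this thread (not Check Point's or the poster's code) that runs those rules over a constructed, Sysmon-shaped sample: the side-loading hosts outside Program Files, their DLLs loading from a user-writable path, any file landing in a Startup folder, the named persistence script, and a connection to api.telegram.org. The field names, the second Program Files root, the "user-writable" prefix and the empty list of sanctioned Telegram clients are assumptions to adjust for your own schema and environment.

```python
"""Hunt constructed endpoint telemetry for the Amaranth-Dragon indicators
listed in the post above.

Added example for this thread, not Check Point's or the poster's code.
Events are constructed in a Sysmon-like shape (EventID 1 = process create,
3 = network connect, 7 = image load, 11 = file create); rename the fields to
match your EDR/SIEM schema before running this over real data.
"""
import ntpath

SIDELOAD_HOSTS = ("\\zoomupdate.exe", "\\obs-browser-page.exe")
SIDELOADED_DLLS = ("\\dllsafecheck64.dll", "\\libcef.dll")
PERSISTENCE_SCRIPT = "windows defender definition update.cmd"
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# Assumed: legitimate installs live under either Program Files root (the post's
# Sigma logic names only the first one).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("c:\\users\\",)           # assumed: per-user profiles plus Public
SANCTIONED_TELEGRAM_CLIENTS = ()           # assumed: no approved Telegram client here


def _f(ev, key):
    """Lower-cased field value, empty string when the field is absent."""
    return str(ev.get(key, "")).lower()


def sideload_host(ev):
    """Side-loading host binary started from outside Program Files."""
    img = _f(ev, "Image")
    return ev.get("EventID") == 1 and img.endswith(SIDELOAD_HOSTS) and not img.startswith(TRUSTED_ROOTS)


def sideloaded_dll(ev):
    """One of the named DLLs loaded from a user-writable location."""
    dll = _f(ev, "ImageLoaded")
    return ev.get("EventID") == 7 and dll.endswith(SIDELOADED_DLLS) and dll.startswith(USER_WRITABLE)


def startup_folder_write(ev):
    """Any file created in a Startup folder (whatever process did it)."""
    return ev.get("EventID") == 11 and STARTUP_DIR in _f(ev, "TargetFilename")


def known_persistence_script(ev):
    """The specific script name from the report, as a created file or a running image."""
    target = _f(ev, "TargetFilename") or _f(ev, "Image")
    return ntpath.basename(target) == PERSISTENCE_SCRIPT


def telegram_c2(ev):
    """Outbound connection to the Telegram API from a non-sanctioned process."""
    return (ev.get("EventID") == 3
            and _f(ev, "DestinationHostname") == "api.telegram.org"
            and _f(ev, "Image") not in SANCTIONED_TELEGRAM_CLIENTS)


RULES = (sideload_host, sideloaded_dll, startup_folder_write, known_persistence_script, telegram_c2)


def hunt(events):
    """Return (rule_name, Image) pairs for every event that trips a rule."""
    return [(rule.__name__, ev.get("Image", "")) for ev in events for rule in RULES if rule(ev)]


# Constructed sample, not real telemetry: two benign events and four that match.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Program Files\\Zoom\\bin\\ZoomUpdate.exe"},
    {"EventID": 11, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Windows Defender Definition Update.cmd"},
    {"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Roaming\\ZoomWorkspace\\ZoomUpdate.exe"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\AppData\\Roaming\\ZoomWorkspace\\ZoomUpdate.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Roaming\\ZoomWorkspace\\DllSafeCheck64.dll"},
    {"EventID": 3, "Image": "C:\\Users\\Public\\Documents\\Microsoft\\obs-browser-page.exe",
     "DestinationHostname": "api.telegram.org", "DestinationPort": 443},
    {"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for rule_name, image in hunt(SAMPLE_EVENTS):
        print(f"{rule_name:26s} {image}")
```

The Startup-folder rule fires on the write itself rather than on the script name, which is the part an attacker can change freely; the named-script rule is kept separately so a match on the exact name from the report can be prioritized. The sample's WinRAR file-create event trips both, which is the "archive extraction followed by a new Startup item" sequence the first post's persistence-monitoring point describes.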
 
