Amaranth-Dragon: Weaponizing CVE-2025-8088 for Targeted Espionage in Southeast Asia
Essential information
- Published: 04/02/2026 15:57
- Modified: 04/02/2026 20:51
- Tags: 2026-02-04 CVE-2025-8088 amaranth loader apt-41 espionage government havoc c2 havoc c2 framework southeast asia telegram rat tgamaranth rat winrar
- Related entities: 1 vulnerability (CVE), 55 observables, 1 intrusion set (APT), 13 techniques (MITRE), 3 malware, 18 others
Description
A Chinese threat actor, Amaranth-Dragon, has been conducting highly targeted cyber-espionage campaigns against government and law enforcement agencies in Southeast Asia throughout 2025. The group swiftly exploited the CVE-2025-8088 vulnerability in WinRAR to deliver malicious payloads, including a custom loader and the Havoc C2 Framework. Their operations demonstrate sophisticated tactics, including geo-restricted command and control servers, use of legitimate hosting services, and a new Telegram-based remote access trojan. The campaigns coincide with significant local geopolitical events, increasing the likelihood of successful compromises. Technical analysis reveals similarities with APT-41, suggesting a possible connection or shared resources between the groups.