{
  "name": "Amaranth-Dragon: Weaponizing CVE-2025-8088 for Targeted Espionage in Southeast Asia",
  "slug": "amaranth-dragon-weaponizing-cve-2025-8088-for-targeted-espionage-in-southeast-asia",
  "description": "A Chinese threat actor, Amaranth-Dragon, has been conducting highly targeted cyber-espionage campaigns against government and law enforcement agencies in Southeast Asia throughout 2025. The group swiftly exploited the CVE-2025-8088 vulnerability in WinRAR to deliver malicious payloads, including a custom loader and the Havoc C2 Framework. Their operations demonstrate sophisticated tactics, including geo-restricted command and control servers, use of legitimate hosting services, and a new Telegram-based remote access trojan. The campaigns coincide with significant local geopolitical events, increasing the likelihood of successful compromises. Technical analysis reveals similarities with APT-41, suggesting a possible connection or shared resources between the groups.",
  "published": "2026-02-04T14:57:23+00:00",
  "created_at": "2026-02-04T14:57:23+00:00",
  "modified_at": "2026-02-04T19:51:14+00:00",
  "created_at_opencti": "2026-02-04T14:57:23+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-02-04",
    "CVE-2025-8088",
    "amaranth loader",
    "apt-41",
    "espionage",
    "government",
    "havoc c2",
    "havoc c2 framework",
    "southeast asia",
    "telegram rat",
    "tgamaranth rat",
    "winrar"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "92.223.120.10"
      },
      {
        "id": "",
        "name": "92.223.76.20"
      },
      {
        "id": "",
        "name": "92.38.170.6"
      },
      {
        "id": "",
        "name": "92.223.124.45"
      },
      {
        "id": "",
        "name": "93.123.17.151"
      },
      {
        "id": "",
        "name": "http://catalogs.dailydownloads.net/archives/microsoft/office/@MrPresident_001_bot.rar"
      },
      {
        "id": "",
        "name": "http://softwares.dailydownloads.net/products/microsoft/office/product-key/DB2F.activation.key"
      },
      {
        "id": "",
        "name": "http://daily.getfreshdata.com/dailynews/key.txt"
      },
      {
        "id": "",
        "name": "http://daily.getfreshdata.com/dailynews/environment.enc"
      },
      {
        "id": "",
        "name": "http://get.storagesync.biz/resources/newspaper/2018/forecast2018"
      },
      {
        "id": "",
        "name": "http://news.dostpagasa.com/llehs/jdkasdnkaf.enc"
      },
      {
        "id": "",
        "name": "www.todaynewsfetch.com"
      },
      {
        "id": "",
        "name": "http://drive.easyboxsync.com/resources/channels/v7/cambodia64"
      },
      {
        "id": "",
        "name": "http://analytics.freshdatainsights.org/display/2025/uid_8oQRkgpvMSgmBFt9/WondershareApplicationManual.pdf"
      },
      {
        "id": "",
        "name": "http://live.easyboxsync.com/resources/gup/notepad"
      },
      {
        "id": "",
        "name": "https://updates.dailydownloads.net/docs/microsoft/office/Office_Activation_Manual_DB2F.pdf"
      },
      {
        "id": "",
        "name": "https://softwares.dailydownloads.net/products/microsoft/office/product-key/DB2F.activation.key"
      },
      {
        "id": "",
        "name": "http://catalogs.dailydownloads.net/archives/microsoft/office/"
      },
      {
        "id": "",
        "name": "http://updates.dailydownloads.net/docs/microsoft/office/Office_Activation_Manual_DB2F.pdf"
      },
      {
        "id": "",
        "name": "https://daily.getfreshdata.com/dailynews/key.txt"
      },
      {
        "id": "",
        "name": "28ff75c0ac4434cdc4f0b21567ac1f06979c2426f8623d157473ac079bf8792a"
      },
      {
        "id": "",
        "name": "1af82aa68cfb3d33119a8a9340dc656f86681a94a62c88f29055a10a96fd125d"
      },
      {
        "id": "",
        "name": "aee374aca93f8bfbb1f36d5fb794216d5e1754e296f6dd5c783efd77a8033910"
      },
      {
        "id": "",
        "name": "1ec5c09da00d648e779ad02195b81768fbcdc78f2538ccb768f1a3304a4d19bd"
      },
      {
        "id": "",
        "name": "e8ef0265c48925be7bb16e8051021889ff7b98337e327fa260595b5db3336895"
      },
      {
        "id": "",
        "name": "2707ba2dc931da049f70c31b0654714121fac908475dc084cb4ab808f9dd5308"
      },
      {
        "id": "",
        "name": "badd970fab64c072e5ab0a81865de0988c1b12165a076bcdbee8a9cb8e101675"
      },
      {
        "id": "",
        "name": "8aacc30dac2ca9f41d7dd6d2913d94b0820f802bc04461ae65eb7cf70b53a8ab"
      },
      {
        "id": "",
        "name": "6a44c7bc52fef3e70f7e60e01d8808cb2fe6e6565b095628554979a89a36ed28"
      },
      {
        "id": "",
        "name": "a3805b24b66646c0cf7ca9abad502fe15b33b53e56a04489cfb64a238616a7bf"
      },
      {
        "id": "",
        "name": "5e7985143c2ead86a1773da2ff9e27ba94911db185f5cb3166e9a35360909381"
      },
      {
        "id": "",
        "name": "4c3bbd9e546086f1a719fe7f5819cd4e0ea4a240dc69251ce8217b7c4544915a"
      },
      {
        "id": "",
        "name": "c9f7605fce64721206f19ccf4002db7edb1b747383f5a48608909755699bdd09"
      },
      {
        "id": "",
        "name": "a2c128fc040ed2db7634134f0577b3267164b71f692fc9b37c08e48b168d89e6"
      },
      {
        "id": "",
        "name": "5b64786ed92545eeac013be9456e1ff03d95073910742e45ff6b88a86e91901b"
      },
      {
        "id": "",
        "name": "ce940f04eeb4c2b92056d2a966318058c5971cb12ffe523a3c6b32f530a2c5f0"
      },
      {
        "id": "",
        "name": "925069464e54e2642d8aa24c432638b7abcfab9de982807da356e96f891116b1"
      },
      {
        "id": "",
        "name": "7af238050b2750da760b2cf5053bcf58054bcf44e9af1617d8b7af3ed98d09c6"
      },
      {
        "id": "",
        "name": "98d9745f52f9c8805d05a3f2c18bfedeb342e438085840d3611d063af9b80720"
      },
      {
        "id": "",
        "name": "79cc492a51fd0be594317c79b0ac0e7967f03744888d7024381b535b19e15e0c"
      },
      {
        "id": "",
        "name": "4b27e1b2261e10f0ff47426a6603b9e8a0b0a98ad81df18a77b54c4c455d91f1"
      },
      {
        "id": "",
        "name": "3f0b703f151838f056494bb698544bb2b6434a0e12e0d79c15124e38d7abd3c6"
      },
      {
        "id": "",
        "name": "3cbef162e14e74d1f95391091544b53deb23c41b41b8bbadd124209a63496424"
      },
      {
        "id": "",
        "name": "495cb43f3c2e3abd298a3282b1cc5da4d6c0d84b73bd3efcc44173cca950273c"
      },
      {
        "id": "",
        "name": "97112fa244307ac813af47c77ba6651e6457619ee63843308892ddf19e8b5cf8"
      },
      {
        "id": "",
        "name": "7e0da1399ff99e41493db489159668db566b6b00cd367e770619b774ec515809"
      },
      {
        "id": "",
        "name": "23d76c49128994d83f878fd08829d003c2ffcd063d03ec7ff1fe4fe41ffb36c3"
      },
      {
        "id": "",
        "name": "6526752857c307284d38654e1417b8aac5991a328226355e1b9221b34cd151d0"
      },
      {
        "id": "",
        "name": "a89c21d5e08f60eb68f6ae9a6f9b8c88eb6b77a2623290fc11cdd70b6f01cc7b"
      },
      {
        "id": "",
        "name": "d7711333c34a27aed5d38755f30d14591c147680e2b05eaa0484c958ddaae3b6"
      },
      {
        "id": "",
        "name": "50855f0e3c7b28cbeac8ae54d9a8866ed5cb21b5335078a040920d5f9e386ddb"
      },
      {
        "id": "",
        "name": "39301eb193b02a76e637ea18565cf7fee65c5af8f1fbe487fd3e0a94a7ecf0f6"
      },
      {
        "id": "",
        "name": "c4bd5154a8d11b0659d8251070a0adc14a7fb98f0a4fc5d54ca9d0ac940dc8d0"
      },
      {
        "id": "",
        "name": "8a7ee2a8e6b3476319a3a0d5846805fd25fa388c7f2215668bc134202ea093fa"
      },
      {
        "id": "",
        "name": "868c294d04a829c389978de82c696d97bb7f94d37d2c0200fcd2a1738f1e0d51"
      }
    ],
    "malware": [
      {
        "id": "064e053c-16fd-4118-8733-784f2b3ea9ce",
        "name": "TGAmaranth RAT",
        "slug": "tgamaranth-rat"
      },
      {
        "id": "3d7bf3fb-e80b-49f9-93b4-8a4799de99ad",
        "name": "Havoc C2 Framework",
        "slug": "havoc-c2-framework"
      },
      {
        "id": "942e4f14-5f82-4453-a967-730eef045458",
        "name": "Amaranth Loader",
        "slug": "amaranth-loader"
      }
    ],
    "intrusion_sets": [
      {
        "id": "c37091a6-ca15-41a3-b2e6-b24cd01238f5",
        "name": "Amaranth-Dragon",
        "slug": "amaranth-dragon"
      }
    ],
    "attack_patterns": [
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "a7262c61-4567-4a00-8cec-aae6264234a9",
        "name": "T1218"
      },
      {
        "id": "e46a9411-d2a1-47c9-8820-c7f818f4c0b5",
        "name": "T1203"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2025-8088"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Philippines"
      },
      {
        "id": "",
        "name": "Singapore"
      },
      {
        "id": "",
        "name": "Cambodia"
      },
      {
        "id": "",
        "name": "Indonesia"
      },
      {
        "id": "",
        "name": "Thailand"
      },
      {
        "id": "",
        "name": "Defense"
      },
      {
        "id": "",
        "name": "Government"
      },
      {
        "id": "",
        "name": "drive.easyboxsync.com"
      },
      {
        "id": "",
        "name": "todaynewsfetch.com"
      },
      {
        "id": "",
        "name": "catalogs.dailydownloads.net"
      },
      {
        "id": "",
        "name": "live.easyboxsync.com"
      },
      {
        "id": "",
        "name": "updates.dailydownloads.net"
      },
      {
        "id": "",
        "name": "get.storagesync.biz"
      },
      {
        "id": "",
        "name": "softwares.dailydownloads.net"
      },
      {
        "id": "",
        "name": "news.dostpagasa.com"
      },
      {
        "id": "",
        "name": "analytics.freshdatainsights.org"
      },
      {
        "id": "",
        "name": "phnompenhpost.net"
      },
      {
        "id": "",
        "name": "daily.getfreshdata.com"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69836c632ca6c16f064a97d5",
    "https://research.checkpoint.com/2026/amaranth-dragon-weaponizes-cve-2025-8088-for-targeted-espionage"
  ]
}