China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns
Threat actors affiliated with China have been attributed to a fresh set of cyber espionage campaigns targeting government and law enforcement agencies across Southeast Asia throughout 2025. Check Point Research is tracking the previously undocumented activity cluster under the moniker Amaranth-Dragon, which it said shares links to the APT 41 ecosystem. Targeted countries include Cambodia,
AI Analysis
Technical Summary
Amaranth-Dragon is a China-linked cyber espionage group tied to the APT41 ecosystem. During 2025 it conducted highly targeted campaigns against government and law enforcement agencies in Southeast Asia. The group exploits CVE-2025-8088, a critical arbitrary code execution vulnerability in WinRAR that allows malicious code to run when a specially crafted RAR archive is opened. The malicious RAR files are distributed via spear-phishing emails and are often hosted on trusted cloud platforms such as Dropbox to evade detection.

The payload includes a malicious DLL, named Amaranth Loader, that is executed through DLL side-loading, a technique favored by Chinese threat actors. The loader contacts external servers to retrieve encryption keys, decrypts its payload, and executes it in memory; the payload is typically the Havoc C2 framework or a Telegram bot-based RAT variant (TGAmaranth RAT). The RAT supports commands for process listing, screenshots, shell execution, and file transfer, giving the operators extensive espionage capabilities. The attack infrastructure is geo-fenced so that it interacts only with victims in specific countries, which enhances stealth. Earlier campaigns used ZIP files containing LNK and BAT files to execute the loader.

The group demonstrates advanced operational security: it times its attacks to coincide with political events to increase engagement, and it maintains persistence for long-term intelligence gathering. The overlap in malware and tactics with APT41 suggests shared resources or direct affiliation. The threat actors also employ anti-debugging and anti-antivirus techniques that complicate detection and analysis. The campaign highlights the weaponization of legitimate infrastructure and living-off-the-land binaries to evade defenses.
Potential Impact
For European organizations, especially those involved in diplomatic, governmental, law enforcement, or geopolitical intelligence sectors, the Amaranth-Dragon campaigns pose a significant espionage risk. Although the primary targets are Southeast Asian countries, European entities with strategic interests or partnerships in the region could be indirectly targeted or compromised through supply chain or diplomatic channels. Successful exploitation leads to arbitrary code execution, enabling attackers to establish persistent backdoors, exfiltrate sensitive information, and conduct surveillance. The use of sophisticated RATs and encrypted payloads complicates detection and remediation. The stealthy nature and geo-fencing of the attack infrastructure reduce the likelihood of broad exposure but increase the risk of targeted, high-value compromises. The campaigns also demonstrate the threat actors’ ability to rapidly weaponize newly disclosed vulnerabilities, emphasizing the need for timely patching. Overall, the impact includes loss of confidentiality, potential disruption of operations, and erosion of trust in critical governmental and diplomatic communications.
Mitigation Recommendations
1. Immediately apply the official patch for CVE-2025-8088 to all WinRAR installations to eliminate the vulnerability exploited by Amaranth-Dragon.
2. Implement strict email filtering and spear-phishing awareness training focused on identifying malicious archive files, especially those distributed via cloud platforms like Dropbox.
3. Monitor and restrict DLL side-loading by enforcing application whitelisting and validating DLL load paths to prevent execution of unauthorized libraries.
4. Deploy advanced endpoint detection and response (EDR) solutions capable of detecting in-memory execution, encrypted payloads, and anomalous network communications, particularly those involving known C2 frameworks like Havoc or Telegram bots.
5. Enforce network segmentation and geo-fencing controls to limit outbound connections to only necessary and trusted destinations, reducing the risk of C2 communication.
6. Conduct threat hunting exercises focusing on indicators of compromise related to Amaranth Loader, TGAmaranth RAT, and associated TTPs such as living-off-the-land binaries and anti-analysis techniques.
7. Collaborate with intelligence-sharing communities to stay updated on emerging tactics and infrastructure changes related to this threat.
8. Review and harden supply chain and third-party access controls, especially for entities with ties to Southeast Asia or China, to mitigate indirect exposure.
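One way to act on recommendation 3 (validating DLL load paths), as an added example that is not from the article or from Check Point's research: a small Python hunt over image-load records that flags unsigned DLLs loaded from user-writable directories, with the strongest signal when the DLL sits beside the executable that loaded it, which is the on-disk layout an extracted malicious archive produces. The field names follow Sysmon Event ID 7; the pipe-delimited record format, the directory regexes and all paths are constructed for this example.

```python
import re
from dataclasses import dataclass

# Regexes over lower-cased paths for where extracted archive contents usually
# land. These are assumptions for this example, not taken from the article.
USER_WRITABLE = (
    r"\\users\\[^\\]+\\appdata\\local\\temp\\",
    r"\\users\\[^\\]+\\downloads\\",
    r"\\users\\[^\\]+\\desktop\\",
)

@dataclass(frozen=True)
class Finding:
    process: str
    dll: str
    reason: str

def parse_event(line: str) -> dict:
    """Parse one 'key=value|key=value' image-load record (constructed format)."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)

def check_image_load(ev: dict):
    """Return a Finding when the load matches a side-loading pattern, else None."""
    image = ev.get("Image", "").lower()
    loaded = ev.get("ImageLoaded", "").lower()
    signed = ev.get("Signed", "").lower() == "true"
    if not loaded.endswith(".dll") or signed:
        return None  # signed DLLs and non-DLL loads are out of scope here
    if not any(re.search(p, loaded) for p in USER_WRITABLE):
        return None
    # Classic side-load: a dropped executable resolves the DLL from its own
    # directory, so the DLL sits next to the process that loaded it.
    if image.rsplit("\\", 1)[0] == loaded.rsplit("\\", 1)[0]:
        return Finding(image, loaded, "unsigned DLL loaded from the process's own user-writable directory")
    return Finding(image, loaded, "unsigned DLL loaded from a user-writable directory")

def hunt(lines):
    """Run the check over raw log lines and return every finding."""
    return [f for f in (check_image_load(parse_event(l)) for l in lines) if f]

# Constructed sample records (Sysmon Event ID 7 field names, invented paths).
SAMPLE_LOG = [
    r"Image=C:\Users\alice\AppData\Local\Temp\report\update.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\report\version.dll|Signed=false",
    r"Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
    r"Image=C:\Program Files\Viewer\viewer.exe|ImageLoaded=C:\Users\alice\Downloads\helper.dll|Signed=false",
    r"Image=C:\Users\alice\Downloads\tool.exe|ImageLoaded=C:\Users\alice\Downloads\libcrypto.dll|Signed=true",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.process} -> {f.dll}: {f.reason}")
```

Signed binaries are deliberately ignored so the rule stays quiet on legitimate software installed under a user profile; a real deployment would also tune the directory list to the organisation's own extraction and download locations.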
Affected Countries
Germany, France, United Kingdom, Belgium, Netherlands, Italy, Poland, Sweden
Technical Details
- Article source: https://thehackernews.com/2026/02/china-linked-amaranth-dragon-exploits.html (fetched 2026-02-05, 1786 words)
Threat ID: 69845e9ff9fa50a62f0ff3b2
Added to database: 2/5/2026, 9:10:55 AM
Last enriched: 2/5/2026, 9:12:18 AM
Last updated: 3/22/2026, 3:51:44 PM