Ethical Hacking News
A newly identified cyberespionage group tracked as Amaranth Dragon has been linked to APT41, the Chinese state-sponsored operation. The group exploited CVE-2025-8088, a path traversal vulnerability in WinRAR that abuses the Windows Alternate Data Streams (ADS) feature to write files outside the chosen extraction directory, in espionage attacks on government and law enforcement agencies. Exploitation began four days after the first working exploit became publicly available.
The attackers have shown "technical proficiency and operational discipline" and adapt their tactics to each target. They deliver encrypted payloads with a custom Amaranth Loader from command-and-control (C2) servers fronted by Cloudflare infrastructure, and in recent attacks have deployed a new remote access tool, TGAmaranth RAT, whose anti-analysis and EDR evasion features make it harder to detect and remove.
Organizations are advised to upgrade to WinRAR version 7.13 or later (the latest release is 7.20), which addresses the flaw. Keeping software patched and monitoring for suspicious activity remain the main defenses against this kind of attack.
A new cyberespionage group tracked as Amaranth Dragon has been linked to APT41, the Chinese state-sponsored operation. According to Check Point Research, the group has exploited CVE-2025-8088 in WinRAR in espionage attacks on government and law enforcement agencies.
CVE-2025-8088 is a path traversal vulnerability in the Windows version of WinRAR. A crafted archive carries an entry whose NTFS Alternate Data Stream (ADS) name contains traversal sequences, and the extractor writes the file outside the directory the user selected, which is enough to plant a payload in a location from which it will later execute. Multiple threat actors have exploited the flaw since mid-2025, and exploitation is likely to continue for as long as unpatched installations remain.
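The bug class is easier to see in code. The following is an added example, not WinRAR's code and not from the Check Point report: it models an extractor's handling of entry names that may carry an NTFS stream name, shows the naive join that lets traversal in either the path or the stream name escape the destination, and places the hardened check beside it. The destination directory, entry names and stream names are constructed for illustration, and the archive header layout WinRAR actually parses is not reproduced.

```python
"""Path checks for an archive extractor (constructed example).

This is not WinRAR's code. It models the bug class behind CVE-2025-8088:
an archive entry name, optionally carrying an NTFS alternate data stream
("file.txt:stream"), is joined to the extraction directory without
validation, and traversal sequences in either part land the file elsewhere.
Destination paths below are assumptions used for illustration.
"""
from __future__ import annotations

import os
import re

# A stream name is an identifier, never a path: no separators, no colon,
# and not "." or "..". Conservative on purpose.
STREAM_NAME = re.compile(r"^[A-Za-z0-9._ -]+$")


def split_ads(name: str) -> tuple[str, str | None]:
    """Split "path:stream" into (path, stream); archive entry names carry no
    drive letter, so the first colon always starts an ADS stream name."""
    if ":" in name:
        path, stream = name.split(":", 1)
        return path, stream
    return name, None


def naive_target(dest_dir: str, name: str) -> str:
    """Vulnerable pattern: trust the entry name and join it to dest_dir.
    Returns the normalised path, which may lie outside dest_dir."""
    path, stream = split_ads(name)
    target = os.path.join(dest_dir, path.replace("\\", "/"))
    if stream is not None:
        target += ":" + stream.replace("\\", "/")
    return os.path.normpath(target)


def safe_target(dest_dir: str, name: str) -> str:
    """Hardened pattern: reject absolute names and traversal, allow only plain
    stream names, then prove the normalised path is still inside dest_dir."""
    path, stream = split_ads(name)
    path = path.replace("\\", "/")
    if not path or path.startswith("/"):
        raise ValueError(f"absolute or empty entry name: {name!r}")
    if ".." in path.split("/"):
        raise ValueError(f"traversal in entry name: {name!r}")
    if stream is not None and (stream in (".", "..") or not STREAM_NAME.match(stream)):
        raise ValueError(f"invalid stream name: {name!r}")
    # Production code should realpath() dest_dir and re-check after each entry,
    # since an earlier entry may have planted a symlink inside the tree.
    base = os.path.abspath(dest_dir)
    target = os.path.normpath(os.path.join(base, path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"entry escapes destination: {name!r}")
    return target if stream is None else f"{target}:{stream}"


def is_safe(dest_dir: str, name: str) -> bool:
    """True if safe_target() accepts the entry."""
    try:
        safe_target(dest_dir, name)
    except ValueError:
        return False
    return True


def audit_entries(dest_dir: str, names: list[str]) -> list[str]:
    """Return the entry names an extractor must refuse, in listing order."""
    return [n for n in names if not is_safe(dest_dir, n)]


# Constructed listing: two benign entries and two traversal attempts, one of
# them hidden in the ADS stream name rather than in the file path.
SAMPLE_ENTRIES = [
    "docs/report.txt",
    "docs/report.txt:Zone.Identifier",
    "..\\..\\evil.lnk",
    "report.txt:..\\..\\..\\dropped.exe",
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        print(f"{entry!r:40} naive -> {naive_target('/srv/extract', entry)}")
    print("rejected:", audit_entries("/srv/extract", SAMPLE_ENTRIES))
```

The second rejected entry is the point: its file path is harmless, and only the stream name carries the traversal, so a check that validates the file path alone still lets it through.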
Amaranth Dragon began exploiting the WinRAR flaw on August 18, 2025, four days after the first working exploit became publicly available. Check Point had already been tracking the group since March 2025 and identified multiple campaigns, each limited to one or two countries through strict geofencing.
The attackers used a custom Amaranth Loader to retrieve encrypted payloads from command-and-control (C2) servers placed behind Cloudflare infrastructure. The servers accepted traffic only from the targeted regions, so sandboxes and scanners outside those regions receive nothing and the later stages stay out of view.
Taken together, the group's tactics and infrastructure show "technical proficiency and operational discipline", and the group adapts its tactics for maximum impact on each target.
In recent Amaranth Dragon attacks, a new remote access tool called TGAmaranth RAT has been deployed. It uses a Telegram bot for C2, which lets its traffic blend in with legitimate use of Telegram's API over TLS, and it supports uploading and downloading files, taking screenshots, and listing the running processes on the host.
TGAmaranth also carries protections against debugging, antivirus, and endpoint detection and response (EDR) products, including replacing a hooked ntdll.dll with a clean copy. Restoring the unhooked library removes the user-mode hooks an EDR agent relies on to inspect API calls, so telemetry that does not depend on those hooks, and detection of the unhooking itself, matter more against this malware.
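Because the RAT's evasion targets host-side hooks, the Telegram C2 channel is the other place to look. The following is an added example, not code from Check Point or from the page: it runs a detection rule over constructed web-proxy log lines, flagging any process that calls the Telegram Bot API with a /bot<token>/ path and raising the severity when it sees repeated getUpdates polling or file-transfer methods. The log format, host names, process names and bot tokens are all assumptions made for the sample.

```python
"""Detection of Telegram Bot API use as a C2 channel (constructed example).

Not Check Point's or the page's code. It runs a simple rule over web-proxy
log lines: any process that calls api.telegram.org with a /bot<token>/ path
is reported, and repeated getUpdates polling or file-transfer methods raise
the severity. The log format, host names and bot tokens are all made up.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Bot API paths look like /bot<numeric id>:<secret>/<method>.
BOT_API = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)")
BOT_HOST = "api.telegram.org"
FILE_METHODS = {"sendDocument", "getFile", "sendPhoto"}

# Deliberately invalid tokens for the constructed log.
FAKE_SECRET_A = "AAF" + "0" * 32
FAKE_SECRET_B = "BBB" + "1" * 32

# Constructed proxy log: "<ts> <host> <process> <dst_host> <method> <path>".
SAMPLE_LOG = "\n".join([
    f"2026-02-02T09:14:01Z ws-17 svchost.exe {BOT_HOST} POST /bot7031122334:{FAKE_SECRET_A}/getUpdates",
    f"2026-02-02T09:14:31Z ws-17 svchost.exe {BOT_HOST} POST /bot7031122334:{FAKE_SECRET_A}/getUpdates",
    f"2026-02-02T09:15:02Z ws-17 svchost.exe {BOT_HOST} POST /bot7031122334:{FAKE_SECRET_A}/sendDocument",
    "2026-02-02T09:15:10Z ws-04 Telegram.exe web.telegram.org GET /",
    "2026-02-02T09:16:00Z ws-04 chrome.exe core.telegram.org GET /bots/api",
    f"2026-02-02T09:16:30Z ws-22 python.exe {BOT_HOST} POST /bot5550001111:{FAKE_SECRET_B}/sendMessage",
])


def parse_line(line: str) -> dict | None:
    """Split one log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, host, proc, dst, method, path = parts
    return {"ts": ts, "host": host, "proc": proc, "dst": dst, "method": method, "path": path}


def redact(bot_id: str, secret: str) -> str:
    """Keep enough of the token to correlate alerts without logging the secret."""
    return f"{bot_id}:{secret[:4]}..."


def detect_bot_c2(log_text: str) -> list[dict]:
    """Group Bot API calls per (host, process, bot id) and score each group."""
    groups: dict = defaultdict(
        lambda: {"count": 0, "methods": set(), "first": None, "last": None, "token": None}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] != BOT_HOST:
            continue
        m = BOT_API.match(rec["path"])
        if not m:
            continue
        g = groups[(rec["host"], rec["proc"], m["bot_id"])]
        g["count"] += 1
        g["methods"].add(m["method"])
        g["first"] = g["first"] or rec["ts"]
        g["last"] = rec["ts"]
        g["token"] = redact(m["bot_id"], m["secret"])
    alerts = []
    for (host, proc, bot_id), g in sorted(groups.items()):
        # Repeated getUpdates is the bot polling for operator commands;
        # file-transfer methods match the RAT's upload/download capability.
        polling = "getUpdates" in g["methods"] and g["count"] >= 2
        severity = "high" if polling or g["methods"] & FILE_METHODS else "medium"
        alerts.append({
            "host": host, "process": proc, "bot_id": bot_id, "token": g["token"],
            "count": g["count"], "methods": sorted(g["methods"]),
            "first": g["first"], "last": g["last"], "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_bot_c2(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['host']} {a['process']} bot={a['token']} "
              f"calls={a['count']} methods={a['methods']} {a['first']}..{a['last']}")
```

The path is only visible where the proxy terminates TLS. Without inspection the rule degrades to "a process other than a browser or the Telegram client connecting to api.telegram.org", which is weaker but still worth alerting on from EDR network telemetry.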
Given that multiple threat actors are exploiting CVE-2025-8088, organizations are advised to upgrade to WinRAR version 7.13 or later (the latest release is 7.20), which addresses the flaw. WinRAR does not update itself, so each installation, including portable copies, has to be updated explicitly or through software management tooling.
In conclusion, Amaranth Dragon's activity underlines the importance of applying security patches promptly and monitoring systems for suspicious activity.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Amaranth-Dragon-Cyberespionage-Group-Exploits-WinRAR-Flaw-ehn.shtml
https://www.bleepingcomputer.com/news/security/new-amaranth-dragon-cyberespionage-group-exploits-winrar-flaw/
https://thehackernews.com/2026/02/china-linked-amaranth-dragon-exploits.html
https://nvd.nist.gov/vuln/detail/CVE-2025-8088
https://www.cvedetails.com/cve/CVE-2025-8088/
https://research.checkpoint.com/2026/amaranth-dragon-weaponizes-cve-2025-8088-for-targeted-espionage/
https://attack.mitre.org/groups/G0096/
https://www.resecurity.com/blog/article/apt-41-threat-intelligence-report-and-malware-analysis
https://www.fbi.gov/wanted/cyber/apt-41-group
Published: Wed Feb 4 08:38:33 2026 by llama3.2 3B Q4_K_M