Podcast Episode

Chinese Hackers Weaponise WinRAR Flaw to Spy on Southeast Asian Governments

February 5, 2026


A newly identified Chinese-linked hacking group, tracked as Amaranth-Dragon, has been exploiting a path traversal vulnerability in WinRAR (CVE-2025-8088) to conduct espionage campaigns against government agencies across six Southeast Asian countries: Singapore, Thailand, Indonesia, Cambodia, Laos and the Philippines. The WinRAR-based attacks began in August 2025, days after public exploit code became available.

New Threat Actor Emerges

Security researchers at Check Point have uncovered a sophisticated cyberespionage operation targeting government and law enforcement agencies across Southeast Asia. The threat actor, dubbed Amaranth-Dragon, is assessed to have close ties to the APT41 ecosystem, a cluster of Chinese state-sponsored hacking activity.

Lightning-Fast Exploitation

The group weaponised CVE-2025-8088, a path traversal vulnerability in WinRAR, with remarkable speed: exploit code appeared publicly on GitHub on August 14, 2025, and Amaranth-Dragon launched its first attacks just four days later. The flaw lets a crafted archive carry an alternate data stream entry whose stream name is a relative path, so a vulnerable WinRAR writes the embedded file outside the folder the user chose for extraction, for example straight into the Windows Startup folder, where it runs at the next logon.

Six Nations Targeted

The group's campaigns have hit agencies in Singapore, Thailand, Indonesia, Cambodia, Laos and the Philippines since March 2025, predating its use of the WinRAR flaw. The attackers timed their phishing lures to coincide with local political events, using themes such as salary updates and government anniversaries to trick victims into opening the archives.

Sophisticated Attack Chain

When a victim extracts the malicious RAR file with a vulnerable WinRAR version, a script lands in the Startup folder and executes the next time the user logs on (Startup items run at logon, so either a reboot or a re-login triggers it). The script deploys the group's custom Amaranth Loader through DLL sideloading; the loader then retrieves AES-encrypted payloads, including the Havoc command-and-control framework.
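As an added example (not code from Check Point, RARLAB or the campaign's tooling): a small Python checker that triages archive entry names the way a pre-extraction scan for CVE-2025-8088-style archives would, covering both the traversal mechanism described under "Lightning-Fast Exploitation" and the Startup-folder drop in the attack chain above. It flags entries that escape the extraction folder, use absolute paths, carry an alternate data stream, or would land in a Startup folder. The entry names below are constructed for illustration, the destination folder is an assumed placeholder, and the checker takes names as plain strings, so feed it from whatever lists the archive for you (for example the output of `unrar lt`, or `infolist()` from the third-party rarfile library).

```python
import ntpath

# Folder the victim extracts into (assumed placeholder; any absolute Windows
# path works). Escaping this folder is the whole point of the traversal.
DEFAULT_DEST = r"C:\Users\victim\Downloads\archive"

# Case-insensitive fragment shared by the per-user and all-users Startup folders.
STARTUP_MARKER = r"\start menu\programs\startup"


def split_ads(name):
    """Split 'file:stream' into (file, stream).

    A colon at index 1 is a drive letter ('C:'), not an alternate data
    stream, so the search for the ADS separator starts after it.
    """
    start = 2 if name[1:2] == ":" else 0
    idx = name.find(":", start)
    if idx == -1:
        return name, None
    return name[:idx], name[idx + 1:]


def resolve(dest, rel):
    """Where an entry path would land if the extractor honoured it literally."""
    return ntpath.normpath(ntpath.join(dest, rel.replace("/", "\\")))


def analyze_entry(name, dest=DEFAULT_DEST):
    """Return sorted findings for one archive entry name.

    Possible findings: 'ads', 'absolute', 'traversal', 'startup'.
    An empty list means the entry stays inside dest.
    """
    findings = set()
    path, stream = split_ads(name)
    candidates = [path]
    if stream is not None:
        # CVE-2025-8088 carried the real target path in the stream name.
        findings.add("ads")
        candidates.append(stream)
    for cand in candidates:
        norm = cand.replace("/", "\\")
        if norm.startswith("\\") or norm[1:2] == ":":
            findings.add("absolute")
        landed = resolve(dest, norm)
        inside = dest.lower().rstrip("\\") + "\\"
        if not landed.lower().startswith(inside):
            findings.add("traversal")
        if STARTUP_MARKER in landed.lower():
            findings.add("startup")
    return sorted(findings)


def scan_archive(entries, dest=DEFAULT_DEST):
    """Map every suspicious entry name to its findings; clean entries are omitted."""
    report = {}
    for name in entries:
        findings = analyze_entry(name, dest)
        if findings:
            report[name] = findings
    return report


# Constructed sample listing (not from a real sample): one decoy document plus
# the kinds of entries the traversal technique relies on.
SAMPLE_ENTRIES = [
    r"docs\salary_update.docx",
    r"salary_update.pdf:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.cmd",
    r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.cmd",
    r"C:\Windows\Temp\helper.dll",
]

if __name__ == "__main__":
    for name, findings in scan_archive(SAMPLE_ENTRIES).items():
        print(f"{findings}: {name}")
```

A patched WinRAR ignores such names, so the check matters where archives are handled before a trustworthy extractor sees them: a mail gateway, a file-upload pipeline, or an analyst's triage step. Run it on the listing, never on the extracted result.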

New Malware Discovered

In September 2025 attacks targeting Indonesia, researchers observed a new tool called TGAmaranth RAT, which uses Telegram for command and control communications and includes features to evade endpoint security tools.

Urgent Patch Recommended

Google Threat Intelligence has warned that multiple threat actors, including Russian and Chinese state-backed groups, continue to exploit this vulnerability. Organisations are urged to update to WinRAR 7.20 or later immediately; the fix first shipped in version 7.13, so any release from 7.13 onwards closes the hole. WinRAR does not update itself, so each installation has to be upgraded by hand, and archives from untrusted senders should be listed and inspected before they are extracted.
