Dragon in the Archives: How “Amaranth-Dragon” Weaponized a WinRAR Zero-Day to Spy on Southeast Asia
In 2025, cyber-espionage activity in Southeast Asia escalated noticeably, with lures built around regional geopolitics and security developments. Tying the bait to current events raises the chance that a recipient opens the malicious attachment and starts the infection chain.
Check Point analysts describe a previously undocumented cluster they call Amaranth-Dragon and tie it to the broader APT41 ecosystem. Targets included government bodies and law-enforcement agencies in Cambodia, Thailand, Laos, Indonesia, Singapore and the Philippines. The operations were narrowly targeted and built for long-term persistence inside victim networks in order to collect strategic intelligence.
A key tool in these campaigns was exploitation of CVE-2025-8088 in WinRAR. The bug is a path-traversal flaw, abused through NTFS alternate data streams, that lets a crafted archive write files outside the directory the user chose for extraction, for example into a Startup folder, so that attacker code runs at the next logon; WinRAR 7.13 fixed it. The cluster was seen exploiting it just eight days after the vulnerability was publicly disclosed in August 2025, a turnaround the report's authors read as a sign of a well-prepared adversary.
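The practical check that follows from this class of bug is to inspect the entry names an archive declares before extracting it. The script below is an added example and not Check Point's or WinRAR's code: it flags absolute paths, `..` traversal in a file name, and, for the CVE-2025-8088 pattern, traversal hidden inside an alternate-data-stream name (`file:stream`). The checks are format-agnostic; for a RAR you would feed it the names printed by `unrar lt` or returned by the third-party `rarfile` module (both assumed, not shown here), and the in-memory ZIP is constructed only to show the same logic running against a real container. The RAR-style sample names are constructed, not real indicators.

```python
"""Flag archive entry names that could escape the extraction directory.

Added example (not Check Point's tooling). Format-agnostic: runs on whatever
names an archive lists. The sample RAR-style names and the in-memory ZIP are
constructed for the demo and are not real indicators.
"""
import io
import posixpath
import re
import zipfile
from typing import Dict, List

EXEC_EXT = re.compile(r"\.(exe|dll|scr|lnk|bat|cmd|vbs|js|hta|ps1)$", re.I)
DRIVE = re.compile(r"^[A-Za-z]:/")


def traverses_out(path: str) -> bool:
    """True if a relative path escapes its base once '.' and '..' are resolved."""
    norm = posixpath.normpath(path.replace("\\", "/"))
    return norm == ".." or norm.startswith("../")


def entry_findings(name: str) -> List[str]:
    """Reasons an archive entry name is dangerous; an empty list means it looks benign."""
    findings: List[str] = []
    unix = name.replace("\\", "/")
    absolute = unix.startswith("/") or bool(DRIVE.match(unix))
    if absolute:
        findings.append("absolute path")
    # NTFS alternate data stream: "<file>:<stream>[:$DATA]". CVE-2025-8088 abused
    # the stream part, which vulnerable WinRAR builds did not sanitise.
    file_part, stream = name, None
    if not absolute and ":" in name:
        file_part, stream = name.split(":", 1)
        stream = re.sub(r":\$DATA$", "", stream)
    if traverses_out(file_part):
        findings.append("path traversal in file name")
    if stream is not None:
        findings.append("alternate data stream")
        if traverses_out(stream):
            findings.append("path traversal in ADS name")
        if EXEC_EXT.search(stream):
            findings.append("executable dropped via ADS")
    return findings


def scan_names(names: List[str]) -> Dict[str, List[str]]:
    """Map each flagged entry name to its findings."""
    return {n: f for n in names if (f := entry_findings(n))}


def scan_zip(data: bytes) -> Dict[str, List[str]]:
    """Run the same check over the central directory of an in-memory ZIP."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return scan_names(zf.namelist())


def build_sample_zip() -> bytes:
    """Constructed test archive: one benign file, one Zip-Slip style entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"harmless")
        zf.writestr(zipfile.ZipInfo("../../evil.bat"), b"@echo pwned")
    return buf.getvalue()


# Constructed RAR-style names of the kind the ADS traversal produces (not real IOCs).
SAMPLE_RAR_NAMES = [
    "Regional_Security_Brief.pdf",
    "Regional_Security_Brief.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\update.exe",
]

if __name__ == "__main__":
    for name, why in scan_names(SAMPLE_RAR_NAMES).items():
        print(f"{name!r}: {', '.join(why)}")
    for name, why in scan_zip(build_sample_zip()).items():
        print(f"{name!r}: {', '.join(why)}")
```

Any entry with an ADS name that traverses out of the extraction directory, or that writes an executable extension through a stream, deserves quarantine rather than a warning: a benign document has no reason to carry a second stream pointing at a Startup folder. The absolute-path and plain `..` checks cover the older Zip-Slip variant of the same problem on any archive format.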
The initial delivery vector is unconfirmed, but the political, economic and military themes of the lures strongly suggest targeted spear-phishing. The malicious archives were hosted on legitimate cloud services such as Dropbox to lower suspicion and to get past perimeter filtering that trusts those domains.
The RAR archives contained several files, among them a malicious DLL that Check Point named the Amaranth Loader. It was launched through DLL side-loading; the loader then contacted a remote server to fetch a decryption key, retrieved and decrypted a second-stage component from a separate URL, and executed it in memory. The final payload was the open-source Havoc post-exploitation framework. Analysts noted strong architectural similarities to DodgeBox, DUSTPAN and DUSTTRAP, tools previously attributed to APT41.
Earlier versions seen in March 2025 used ZIP archives containing Windows shortcut (LNK) and BAT files to decrypt and run the Amaranth Loader. The same scheme reappeared in late October 2025 with lures themed around the Philippine Coast Guard.
In a separate operation against Indonesia in early September 2025, a password-protected RAR archive hosted on Dropbox delivered a different tool, the TGAmaranth RAT. This remote-access trojan used a hard-coded Telegram bot for command and control and supported process enumeration, screen capture, shell command execution and file exfiltration. To hinder analysis it included anti-debugging and anti-tampering checks.
The command infrastructure sat behind Cloudflare, and the servers accepted traffic only from IP ranges belonging to the countries targeted in each operation. Check Point assesses that the overlaps in tooling, development conventions and infrastructure handling firmly link Amaranth-Dragon to APT41.
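A hard-coded Telegram bot is also a hard-coded indicator: the bot token has a fixed shape, and the sample has to reach the Bot API host and call named methods. The script below is an added example, not Check Point's detection content, that extracts ASCII and UTF-16LE strings from a binary blob, looks for `api.telegram.org`, token-shaped secrets and Bot API method names, and redacts any token it reports so the output can be shared without handing over the attacker's credential. The byte blob at the bottom is constructed for the demo; the token in it is fake and the PE-like bytes are only padding.

```python
"""Hunt for a hard-coded Telegram bot C2 in a binary's strings.

Added example, not Check Point's detection content. The sample blob is
constructed; the token inside it is fake.
"""
import re
from typing import Dict, List

ASCII_STR = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_STR = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Bot tokens look like "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>".
BOT_TOKEN = re.compile(r"(?<!\d)(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
API_HOST = re.compile(r"api\.telegram\.org")
API_METHOD = re.compile(r"\b(getUpdates|sendMessage|sendDocument|sendPhoto|getFile)\b")


def extract_strings(blob: bytes) -> List[str]:
    """Printable ASCII and UTF-16LE runs (6+ chars), in the order they appear."""
    found = []
    for m in ASCII_STR.finditer(blob):
        found.append((m.start(), m.group().decode("ascii")))
    for m in WIDE_STR.finditer(blob):
        found.append((m.start(), m.group().decode("utf-16-le")))
    return [s for _, s in sorted(found)]


def redact(token: str) -> str:
    """Keep the bot id and first 4 secret chars: matchable across reports, not reusable."""
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def find_telegram_c2(blob: bytes) -> Dict[str, List[str]]:
    """Collect Telegram Bot API artefacts from the strings of a binary."""
    tokens, hosts, methods = set(), set(), set()
    for s in extract_strings(blob):
        tokens.update(BOT_TOKEN.findall(s))
        hosts.update(API_HOST.findall(s))
        methods.update(API_METHOD.findall(s))
    return {
        "tokens": sorted(redact(t) for t in tokens),
        "hosts": sorted(hosts),
        "methods": sorted(methods),
    }


def looks_like_telegram_c2(report: Dict[str, List[str]]) -> bool:
    """A token plus at least one Bot API method is a strong indicator; the host alone is weak."""
    return bool(report["tokens"]) and bool(report["methods"])


# Constructed sample: a fake token embedded in a Bot API URL (ASCII) and a
# method name stored as a wide string, surrounded by junk bytes.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"MZ\x90\x00" + b"\x00" * 12
    + b"https://api.telegram.org/bot1234567890:AAEfakeTokenForTestingOnly012345678/sendDocument\x00"
    + b"\x00" * 8
    + "getUpdates".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
    + b"cmd.exe /c \x00"
)

if __name__ == "__main__":
    report = find_telegram_c2(SAMPLE_BLOB)
    print(report, "->", "likely Telegram C2" if looks_like_telegram_c2(report) else "no hit")
```

Treat a hit as a lead, not a verdict: legitimate notification tools also embed Telegram bot tokens, so confirm with the anti-debugging tricks and RAT capabilities the report describes. On the network side the same campaign surfaces as TLS connections to `api.telegram.org` from hosts that have no business reason for them, and a polling cadence to `getUpdates` is a useful corroborating signal.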