
Amaranth-Dragon: Low Noise, High Impact Espionage in Southeast Asia

Red | Attack Report

Summary

Amaranth-Dragon, a newly identified China-linked advanced persistent threat group associated with the APT-41 ecosystem, is conducting highly targeted cyber-espionage campaigns against government agencies and law enforcement organizations across Southeast Asia. First observed in March 2025, this sophisticated threat actor exploits CVE-2025-8088, a critical path traversal vulnerability in RARLAB WinRAR, to achieve arbitrary code execution on victim systems. The campaign demonstrates advanced operational security, sophisticated social engineering, and custom malware development capabilities consistent with state-sponsored cyber-espionage operations targeting sensitive government intelligence and law enforcement data.

The Amaranth-Dragon operation specifically targets government and law enforcement entities in Cambodia, Thailand, Laos, Indonesia, Singapore, the Philippines, Brunei, Malaysia, Myanmar, Timor-Leste, and Vietnam, representing comprehensive coverage of Southeast Asian nations. The threat actor delivers weaponized RAR archives via carefully crafted spear-phishing emails that leverage geopolitically themed lures directly relevant to target audiences. These social engineering lures reference local political events, official government decisions, regional security developments, civil servant salary updates, military anniversaries, and joint military exercises, demonstrating a sophisticated understanding of regional affairs and target interests designed to maximize victim engagement and compromise success rates.

The technical attack chain demonstrates multiple layers of sophistication designed to evade detection and establish persistent access. Amaranth-Dragon distributes malicious RAR archives hosted on trusted cloud platforms such as Dropbox, leveraging the reputation of legitimate services to bypass email security controls and reduce recipient suspicion. When victims extract the weaponized archives using vulnerable WinRAR versions, the CVE-2025-8088 path traversal vulnerability allows attackers to place malicious CMD or BAT scripts directly into the Windows Startup folder, ensuring automatic execution after system reboot and establishing initial persistence without requiring additional user interaction.

The malware deployment involves a multi-stage infection process where startup scripts unpack password-protected archives and launch legitimate, digitally signed executables that are vulnerable to DLL search-order hijacking. Through this technique, attackers sideload the custom Amaranth Loader, a sophisticated 64-bit malicious DLL designed specifically for this campaign. In certain operations, the threat actor deploys TGAmaranth RAT, a Telegram-based remote access trojan featuring advanced anti-debugging and anti-EDR capabilities including active replacement of hooked ntdll.dll versions with clean copies to bypass security monitoring, and command-and-control communications through hardcoded Telegram bot tokens that blend malicious traffic with legitimate messaging platform usage. These tools provide comprehensive post-exploitation capabilities including process discovery, screenshot capture, command execution, file transfer, and sustained intelligence collection from compromised government and law enforcement systems.

Attack Details

Social Engineering and Initial Access Vector

Amaranth-Dragon initiates cyber-espionage operations through meticulously crafted spear-phishing emails that demonstrate sophisticated understanding of Southeast Asian geopolitical affairs and target organizational interests. These social engineering messages deliver weaponized RAR archive attachments hosted on trusted cloud storage platforms such as Dropbox, exploiting the reputation and widespread legitimate use of these services to bypass email security gateway controls and reduce recipient suspicion. The cloud hosting approach also provides operational benefits including difficult-to-block infrastructure, legitimate HTTPS encryption for payload delivery, and resilience against traditional malware distribution takedown efforts.

The attached RAR documents employ geopolitically themed lures specifically tailored to the interests and responsibilities of target government and law enforcement personnel. Observed lure themes include civil servant salary adjustment announcements targeting Indonesian government employees, Philippine Coast Guard anniversary celebration materials targeting maritime law enforcement agencies, joint military exercise documentation referencing China-Thailand bilateral defense cooperation, regional security briefings relevant to Southeast Asian law enforcement coordination, and official government policy decisions requiring administrative review. These highly contextualized lures demonstrate extensive pre-operational reconnaissance and deep understanding of target organizational structures, responsibilities, and information requirements.

CVE-2025-8088 Exploitation and Persistence Establishment

Once victims download and attempt to extract the weaponized RAR archives using vulnerable WinRAR installations, Amaranth-Dragon exploits CVE-2025-8088, a critical path traversal vulnerability affecting WinRAR versions prior to 7.13. This vulnerability allows attackers to manipulate file extraction paths, enabling malicious files to be written to arbitrary locations on the victim’s file system regardless of the intended extraction directory specified by the user. The threat actor leverages this capability to place malicious CMD or BAT script files directly into the Windows Startup folder located at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.

By writing malicious scripts directly to the Startup folder, Amaranth-Dragon establishes reliable persistence that ensures automatic malware execution whenever the victim user logs into their Windows account or the system reboots. This persistence technique requires no additional user interaction beyond the initial archive extraction, operates silently without triggering user account control prompts or security warnings, survives system reboots and user logoffs, and executes with the privileges of the logged-in user, which in government and law enforcement contexts frequently includes elevated administrative access to sensitive systems and classified information networks.
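As an added illustration (not code from the advisory or from RARLAB), this is the extractor-side check that a path traversal of the kind described above defeats: every entry name is resolved against the user's chosen destination, and anything that would escape it, whether through ".." components or an absolute path, is refused before a byte is written. The destination and entry names are constructed samples.

```python
import ntpath

# Constructed sample destination (an absolute Windows path chosen by the user).
DEST = r"C:\Users\alice\Downloads\briefing"

def check_entry(dest: str, entry_name: str):
    """Classify one archive entry name before anything is written.

    Returns ("ok", absolute_target) when the entry stays inside dest, or
    ("reject", reason) when it would land elsewhere. ntpath is used on
    purpose so the logic follows Windows path rules wherever this runs."""
    dest_abs = ntpath.normpath(dest)
    if not ntpath.isabs(dest_abs):
        raise ValueError("dest must be an absolute path")
    # Rooted, drive-qualified or UNC names ignore dest entirely.
    if (entry_name[:1] in ("\\", "/")
            or ntpath.splitdrive(entry_name)[0]
            or ntpath.isabs(entry_name)):
        return ("reject", "absolute")
    # Join, then collapse '..' the way the file API would at write time.
    target = ntpath.normpath(ntpath.join(dest_abs, entry_name))
    if ntpath.commonpath([dest_abs, target]) != dest_abs:
        return ("reject", "traversal")
    return ("ok", target)

def triage_archive(dest: str, names):
    """Return (accepted_targets, rejected_entries) for a whole entry list."""
    accepted, rejected = [], []
    for name in names:
        verdict, detail = check_entry(dest, name)
        if verdict == "ok":
            accepted.append(detail)
        else:
            rejected.append((name, detail))
    return accepted, rejected

# Constructed entry names: two harmless ones (the second uses '..' but stays
# inside dest) and three shapes that would drop a script into Startup.
STARTUP = r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_ENTRIES = [
    r"docs\briefing.pdf",
    "docs\\..\\notes.txt",
    ntpath.join("..", "..", STARTUP, "update.cmd"),      # relative traversal
    ntpath.join(r"C:\Users\alice", STARTUP, "run.bat"),  # absolute path
    "docs/../../escape.cmd",                             # forward slashes
]
```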

DLL Sideloading and Amaranth Loader Deployment

The malicious startup scripts deployed through CVE-2025-8088 exploitation initiate a sophisticated multi-stage infection process designed to evade security detection through abuse of legitimate, digitally signed executable files. The scripts first unpack password-protected secondary archives containing both legitimate executables and malicious DLL components. Observed legitimate executables abused for DLL sideloading include ZoomUpdate.exe (legitimate Zoom video conferencing updater), obs-browser-page.exe (OBS Studio browser component), and RemoveBackupper.exe (AOMEI backup software component), all of which are properly code-signed by their respective vendors and would typically be trusted by security software.

These legitimate executables are vulnerable to DLL search-order hijacking: when they resolve a dependency by name, Windows looks in the application's own directory (and other non-standard locations such as the current working directory) before the system directories. Amaranth-Dragon places the custom Amaranth Loader malicious DLL alongside these legitimate executables using filenames matching expected DLL dependencies. When the legitimate signed executable launches, it loads the malicious Amaranth Loader DLL instead of the intended legitimate library, providing the malware with code execution in the context of a trusted, signed application process.

The Amaranth Loader is a sophisticated 64-bit malicious DLL specifically developed for this campaign, demonstrating custom malware development capabilities consistent with well-resourced state-sponsored threat actors. The loader implements multiple anti-analysis and evasion techniques, establishes command-and-control communications with attacker infrastructure, retrieves additional payload modules based on operational requirements, and provides a foundation for deploying specialized tools including the TGAmaranth RAT for sustained intelligence collection operations.

TGAmaranth RAT Deployment and Post-Exploitation Capabilities

In selected operations against high-value targets, Amaranth-Dragon deploys TGAmaranth RAT, a custom-developed Telegram-based remote access trojan that provides comprehensive post-exploitation capabilities while leveraging legitimate messaging infrastructure to conceal malicious command-and-control traffic. TGAmaranth RAT implements sophisticated anti-debugging and anti-endpoint detection and response (EDR) defenses designed to evade security monitoring and analysis. The malware actively detects and defeats EDR hooking techniques by identifying hooked versions of ntdll.dll (the Windows Native API library commonly monitored by security products) and replacing them with clean, unhooked copies loaded directly from disk, effectively blinding EDR solutions to subsequent malicious API calls.

TGAmaranth RAT establishes command-and-control communications through hardcoded Telegram bot tokens embedded in the malware binary. This approach gives the operator several advantages: malicious traffic blends with legitimate Telegram messaging usage and is extremely difficult to distinguish or block without disrupting normal business communications; Telegram’s encrypted messaging infrastructure shields the command-and-control exchange from network monitoring; no attacker-operated command-and-control servers are needed that could be taken down or used for attribution; and communications automatically route through Telegram’s resilient global infrastructure.

The comprehensive post-exploitation capabilities provided by Amaranth Loader and TGAmaranth RAT include process discovery enumerating running applications and security software, screenshot capture enabling visual surveillance of victim activities and access to displayed classified information, arbitrary command execution allowing attackers to run any desired tools or scripts, file upload and download supporting data exfiltration and additional tool deployment, system information gathering documenting compromised environments, keystroke logging capturing credentials and sensitive communications, and sustained persistent access enabling long-term intelligence collection operations. The correlation of malware build timestamps, infrastructure patterns, technical capabilities, and operational tradecraft strongly indicates that Amaranth-Dragon operates as part of the broader APT-41 ecosystem, a well-established China-linked cyber-espionage and cybercrime threat actor group.

Recommendations

Update WinRAR to the Latest Version

Organizations must immediately update all WinRAR installations to version 7.13 or later, which addresses the CVE-2025-8088 path traversal vulnerability actively exploited by Amaranth-Dragon. This patching effort should be prioritized for systems in government agencies, law enforcement organizations, and any entities operating in Southeast Asian regions specifically targeted by this campaign. Security teams should conduct comprehensive inventory of all WinRAR installations across managed endpoints, implement automated patch deployment through enterprise software management systems, and verify successful patching through configuration compliance scanning.

Monitor Windows Startup Folder Activity

Security operations centers must implement comprehensive monitoring for unexpected file creation activity in Windows Startup folders located at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. Organizations should establish baseline inventories of legitimate startup items for managed systems and generate alerts on any new files appearing in these persistence locations. Particular attention should be paid to CMD scripts, BAT scripts, VBScript files, and executable files placed in Startup folders, especially when created shortly after RAR archive extraction operations or email attachment processing.

Detect DLL Sideloading Attempts

Organizations should deploy endpoint detection rules specifically designed to identify DLL sideloading exploitation attempts targeting the legitimate executables abused by Amaranth-Dragon. Security teams should implement monitoring for ZoomUpdate.exe, obs-browser-page.exe, and RemoveBackupper.exe loading DLL files from unexpected locations such as user profile directories, temporary folders, or non-standard application paths. Enhanced logging should capture DLL load events, parent process relationships, and file origin metadata to facilitate rapid investigation of potential sideloading attacks.

Restrict Cloud Storage Platform Access

Given Amaranth-Dragon’s distribution of malicious payloads through Dropbox and potentially other cloud storage platforms, organizations should implement security controls to monitor and selectively restrict downloads from cloud storage services. Email security gateways should be configured to flag or quarantine messages containing links to cloud-hosted archives, particularly password-protected RAR files that cannot be scanned for malicious content. Organizations requiring legitimate cloud storage usage should implement data loss prevention policies, download scanning through secure web gateways, and user education emphasizing verification of file sources before extraction.

Implement Network Segmentation

Organizations must implement robust network segmentation to limit lateral movement capabilities available to attackers following initial compromise. Government agencies and law enforcement organizations handling classified or sensitive information should enforce strict network separation between classified and unclassified networks, administrative systems and standard user environments, internet-facing systems and internal resources, and workstations and sensitive file servers or databases. Network segmentation significantly reduces the impact of initial compromises by preventing attackers from easily pivoting to high-value intelligence targets.

Review Pastebin and Telegram Communications

Security teams should monitor and consider implementing controls around access to Pastebin and Telegram, as Amaranth-Dragon has demonstrated operational use of these platforms. The threat actor has used the Pastebin account “amaranthbernadine” to host AES encryption keys required for payload decryption, and leverages Telegram bot infrastructure for TGAmaranth RAT command-and-control communications. Organizations should implement monitoring for connections to suspicious Pastebin accounts, unusual Telegram API usage patterns, and bot token strings in network traffic or process memory that may indicate TGAmaranth RAT infections.
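The three telemetry checks recommended above (script or executable writes into the Startup folder, DLL loads by the named signed executables from untrusted locations, and Telegram Bot API calls carrying a bot token) as one added example run over constructed Sysmon-style and proxy events. This is not the advisory's own detection content; the field names follow Sysmon's Image/TargetFilename/ImageLoaded convention, the proxy record shape, the DLL name and the bot token are placeholders.

```python
import ntpath
import re

STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_EXTS = {".cmd", ".bat", ".vbs", ".exe"}
SIDELOAD_HOSTS = {"zoomupdate.exe", "obs-browser-page.exe", "removebackupper.exe"}
TRUSTED_DLL_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Bot token shape: numeric bot id, colon, 35-character secret.
BOT_TOKEN_RE = re.compile(r"(?<!\d)\d{8,10}:[A-Za-z0-9_-]{35}(?![A-Za-z0-9_-])")

def check_file_create(ev):
    """Sysmon Event ID 11: script or executable written into a Startup folder."""
    target = ev["TargetFilename"]
    low = target.lower()
    if STARTUP_MARKER not in low or ntpath.splitext(low)[1] not in SCRIPT_EXTS:
        return None
    creator = ntpath.basename(ev["Image"]).lower()
    # An archiver writing straight into Startup matches the CVE-2025-8088 pattern.
    severity = "high" if creator == "winrar.exe" else "medium"
    return ("startup_persistence", severity, target)

def check_image_load(ev):
    """Sysmon Event ID 7: abused signed host loading a DLL outside trusted roots."""
    host = ntpath.basename(ev["Image"]).lower()
    if host not in SIDELOAD_HOSTS:
        return None
    if ev["ImageLoaded"].lower().startswith(TRUSTED_DLL_ROOTS):
        return None
    return ("dll_sideload", "high", ev["ImageLoaded"])

def check_url(ev):
    """Proxy record: Bot API request that embeds a bot token in the path."""
    url = ev["Url"]
    if "api.telegram.org/bot" in url.lower() and BOT_TOKEN_RE.search(url):
        return ("telegram_bot_c2", "medium", url)
    return None

CHECKS = {11: check_file_create, 7: check_image_load, "proxy": check_url}

def triage(events):
    """Run the matching check on each event; return the list of alerts."""
    alerts = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        hit = check(ev) if check else None
        if hit:
            alerts.append(hit)
    return alerts

FAKE_TOKEN = "123456789:" + "AAH" + "x" * 32          # placeholder, not a real token
EVENTS = [                                             # constructed telemetry
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\salary_update.cmd"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\ZoomUpdate.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\placeholder.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\obs-studio\obs-browser-page.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": "proxy", "Url": "https://api.telegram.org/bot" + FAKE_TOKEN + "/getUpdates"},
]
```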

Potential MITRE ATT&CK TTPs

The Amaranth-Dragon campaign demonstrates sophisticated state-sponsored threat actor tradecraft mapped to multiple MITRE ATT&CK tactics and techniques:

Initial Access: T1566.001 (Spearphishing Attachment) – The campaign relies on targeted spear-phishing emails delivering weaponized RAR archives to government and law enforcement personnel.

Execution: T1204.002 (Malicious File), T1059.003 (Windows Command Shell), T1059.001 (PowerShell), T1203 (Exploitation for Client Execution) – The attack chain involves user extraction of malicious archives, CMD/BAT script execution, PowerShell usage, and CVE-2025-8088 exploitation.

Persistence: T1547.001 (Registry Run Keys / Startup Folder), T1053 (Scheduled Task/Job) – Persistence is established through malicious scripts placed in Windows Startup folders and potentially scheduled tasks.

Defense Evasion: T1574.002 (DLL Side-Loading), T1027.013 (Encrypted/Encoded File), T1140 (Deobfuscate/Decode Files or Information), T1562.001 (Disable or Modify Tools), T1622 (Debugger Evasion), T1055.012 (Process Hollowing), T1620 (Reflective Code Loading) – Sophisticated evasion includes DLL sideloading with signed executables, encrypted payloads, anti-debugging techniques, EDR bypasses through ntdll.dll replacement, and reflective loading.

Credential Access: T1056 (Input Capture) – TGAmaranth RAT includes keylogging capabilities for credential capture.

Discovery: T1057 (Process Discovery), T1082 (System Information Discovery) – The malware performs comprehensive system reconnaissance.

Collection: T1113 (Screen Capture) – Screenshot capture enables visual intelligence collection from compromised government systems.

Command and Control: T1071.001 (Web Protocols), T1102.002 (Bidirectional Communication via Web Service), T1573.001 (Symmetric Cryptography), T1105 (Ingress Tool Transfer) – Command-and-control leverages HTTPS protocols, Telegram web services, AES encryption, and supports additional tool deployment.

Exfiltration: T1041 (Exfiltration Over C2 Channel) – Intelligence data is exfiltrated through established command-and-control channels.

Indicators of Compromise (IOCs)

File Hashes

The Amaranth-Dragon campaign involved numerous malicious file samples identified through security research and incident response, with SHA256, SHA1, and MD5 hash values documented for detection purposes. Organizations should integrate these hash values into endpoint detection and response platforms, antivirus solutions, threat intelligence feeds, and security information and event management systems to identify potentially compromised systems requiring investigation and remediation.

Command-and-Control Infrastructure

The threat actor operates command-and-control infrastructure using multiple IP addresses including 92.223.120.10, 92.223.124.45, 92.223.76.20, 92.38.170.6, and 93.123.17.151. Organizations should block network communications to these IP addresses at firewall and network security appliance levels and review historical network flow data for evidence of connections that may indicate compromised systems.

Malicious Domains

Amaranth-Dragon utilizes domains including dns.annasoft.gcdn.co, phnompenhpost.net (typosquatting the legitimate Cambodian news outlet phnompenhpost.com), and todaynewsfetch.com for payload hosting and command-and-control operations. Organizations should block these domains through DNS security controls and web proxies and investigate any historical connections in security logs.

Cloud-Hosted Payloads and External Resources

The campaign distributes weaponized archives through Dropbox URLs and retrieves encryption keys and additional payloads from Pastebin accounts (amaranthbernadine) and various attacker-controlled domains. Security teams should review the documented malicious URLs for payload distribution patterns and implement monitoring for similar cloud-hosted malware distribution techniques.

