CVE-2025-8088 Exploited by Amaranth-Dragon for Southeast Asia Espionage

In 2025, a cyber-espionage group known as Amaranth-Dragon intensified its efforts across Southeast Asia. This group, connected to the notorious APT-41, targeted government and law enforcement agencies, particularly in countries like Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines.

CVE-2025-8088 Vulnerability and Exploitation

Just ten days after the vulnerability CVE-2025-8088 in WinRAR was revealed on August 8, 2025, Amaranth-Dragon began exploiting this flaw. This path traversal vulnerability allows attackers to execute arbitrary code by crafting malicious archive files. The group effectively used virus-infected RAR archives to penetrate the systems of their targets.

Amaranth-Dragon’s Techniques

• Command and Control Infrastructure: Their servers were secured behind Cloudflare, selectively responding to requests from targeted regions only.
• Amaranth Loader: This bespoke tool retrieved encrypted payloads, predominantly utilizing the Havoc C2 framework.
• TGAmaranth RAT: A Telegram-based remote access trojan, this tool demonstrated advanced evasion techniques against detection systems.

Campaign Timeline

From March to October 2025, Amaranth-Dragon conducted several campaigns while integrating CVE-2025-8088 into their operations:

• March 19: The first campaign targeted Cambodia, employing benign-looking ZIP files to deliver malware.
• April 28: A secondary assault in Cambodia revealed an updated Amaranth loader.
• July 3: Operations extended to Thailand and Laos without using the exploit.
• August 18: The group maliciously employed CVE-2025-8088 in Indonesia.
• September 5: Another campaign in Indonesia, this time using the TGAmaranth RAT.
• October 15 and 23: Final activities targeted the Philippines, leveraging events like the Philippine Coast Guard’s anniversary.

Operational Patterns and Threats

Amaranth-Dragon’s campaigns displayed thorough planning, often aligning attack timings with local political events. Their strategy revealed strong indicators of sophisticated threat actor behavior, typical of state-sponsored cyber operations.

Significance of CVE-2025-8088

The exploitation of CVE-2025-8088 marks a worrying trend in rapid weaponization of newly disclosed vulnerabilities. Organizations in Southeast Asia, particularly those within critical infrastructure, should prioritize patch management and implement robust cybersecurity measures.

Conclusion

Amaranth-Dragon’s activities highlight the continuous threat posed by advanced persistent threat actors. Monitoring their evolving tactics, techniques, and procedures (TTPs) is essential for national security and public sector resilience in Southeast Asia.