Amaranth Dragon Exploits WinRAR CVE-2025-8088 (CVSS 7.8) and React Server Components Vulnerability

Key Takeaways:
• Amaranth Dragon, an APT41-linked actor, is actively exploiting a path traversal vulnerability in WinRAR (CVE-2025-8088) to target Southeast Asian government entities.
• Modern frameworks like React Server Components and automation platforms like n8n are being compromised to deploy backdoors and cryptominers via sandbox escapes.
• The group utilizes sophisticated geofencing and Telegram-based command-and-control (TGAmaranth RAT) to evade traditional security perimeters.
• Organizations must integrate real-time threat intelligence and advanced EDR monitoring to disrupt multi-stage attack chains before payload execution.

The cybersecurity threat environment has recently seen the emergence of a specialized threat actor, Amaranth Dragon, which has been observed exploiting a path traversal vulnerability in WinRAR. This activity, alongside reports regarding a React Server Components Vulnerability Exploited to Deploy Cryptominers and Backdoors, indicates a concentrated effort by state-sponsored and financially motivated actors to leverage known flaws in widely used software. The exploitation of CVE-2025-8088 (CVSS 7.8) in WinRAR underscores the persistent utility of file-archiving utilities as an initial access vector.

This technical report details the operations of the Amaranth Dragon group, their transition to using CVE-2025-8088, and the concurrent discovery of critical sandbox escape vulnerabilities in the n8n automation platform (CVE-2026-25049). These incidents emphasize the necessity for organizations to integrate a comprehensive cyber threat intelligence platform to detect and mitigate multi-stage attack chains before payload execution.

React Server Components Vulnerability Exploited to Deploy Cryptominers and Backdoors – Hacker Affairs

The emergence of the React Server Components Vulnerability Exploited to Deploy Cryptominers and Backdoors demonstrates how modern web frameworks are being targeted to facilitate unauthorized resource consumption and persistence. While React Server Components (RSC) provide performance benefits by offloading rendering to the server, improper implementation can lead to flaws where unauthenticated actors execute arbitrary code or deploy backdoors. This trend mirrors the exploitation of CVE-2025-8088 by Amaranth Dragon, where legitimate software features are subverted for malicious purposes.

The Amaranth Dragon Campaign: Attribution and Scope

Amaranth Dragon is a newly identified threat actor linked by researchers to APT41, a prolific Chinese state-sponsored group known for both espionage and financially motivated operations. Since at least March 2025, this actor has conducted geofenced campaigns targeting government and law enforcement agencies across Southeast Asia, including Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines.

The group’s operational discipline is evidenced by its use of strict geofencing via Cloudflare infrastructure. By configuring command-and-control (C2) servers to only accept traffic from specific regional IP ranges, the group prevents security researchers outside the target zone from interacting with their malicious infrastructure. This level of environmental keying is a common trait of advanced persistent threats (APTs) seeking to maintain a low profile and avoid detection by global breach detection systems.

Technical Deep Dive: WinRAR CVE-2025-8088

The core of Amaranth Dragon’s recent activity involves the exploitation of CVE-2025-8088, a path traversal vulnerability in WinRAR. This flaw leverages the Windows Alternate Data Streams (ADS) feature to write malicious files to arbitrary locations on the host system.

Understanding Alternate Data Streams (ADS)

ADS is a feature of the NTFS file system that allows more than one data stream to be associated with a filename. While the primary stream contains the standard file content, additional streams can store metadata or, in the case of a malicious actor, executable code. WinRAR’s failure to properly sanitize file paths when handling archives containing ADS allowed attackers to bypass standard directory restrictions.

Persistence via the Startup Folder

By crafting a malicious archive, Amaranth Dragon can exploit CVE-2025-8088 to drop a script or executable directly into the Windows Startup folder (%AppData%\Microsoft\Windows\Start Menu\Programs\Startup). This ensures that the malware executes automatically every time the user logs in. In some instances, the group also utilized Registry Run keys as a redundant persistence mechanism.
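An added example, not from the original report or any vendor tooling: a read-only PowerShell hunt for the two persistence artefacts described above, alternate data streams on files in the Startup folders and entries in the Registry Run keys. It assumes PowerShell 3 or later on an NTFS volume; the folder and key locations are the standard Windows ones, not values taken from the campaign.

```powershell
# Added example, not from the original report: read-only hunt for the
# persistence artefacts described above. Lists every file in the per-user and
# all-users Startup folders, flags NTFS alternate data streams on them (the
# primary ':$DATA' stream and the benign Zone.Identifier mark are ignored),
# and dumps the Run keys used as the redundant mechanism. PowerShell 3+, NTFS.

$startupFolders = @(
    [Environment]::GetFolderPath('Startup')          # per-user Startup
    [Environment]::GetFolderPath('CommonStartup')    # all-users Startup
)
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()

foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    foreach ($file in Get-ChildItem -LiteralPath $folder -File -Force) {
        # Anything in Startup runs at logon; record it with a hash for triage.
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Kind = 'StartupFile'; Path = $file.FullName; Detail = "SHA256=$hash Created=$($file.CreationTime)" }

        # Enumerate alternate data streams attached to the file.
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            if ($s.Stream -in ':$DATA', 'Zone.Identifier') { continue }
            $findings += [pscustomobject]@{ Kind = 'AlternateDataStream'; Path = "$($file.FullName):$($s.Stream)"; Detail = "Length=$($s.Length)" }
        }
    }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties (PSPath etc.)
        $findings += [pscustomobject]@{ Kind = 'RunKey'; Path = "$key\$($p.Name)"; Detail = $p.Value }
    }
}

$findings | Sort-Object Kind, Path | Format-Table -AutoSize -Wrap
```

Any `AlternateDataStream` finding on a Startup file, or any `StartupFile` whose creation time coincides with a WinRAR extraction, is worth pulling for analysis.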

The group began using this exploit on August 18, 2025, merely four days after a public proof-of-concept (PoC) was released. The transition to CVE-2025-8088 represents an optimization of their delivery phase, reducing the friction required to achieve a successful infection.

Analysis of the Amaranth Attack Chain

The Amaranth Dragon attack chain follows a sophisticated progression from initial delivery to post-exploitation:

  • Lure Delivery: The actor uses lures themed around geopolitical or local events relevant to the target country.
  • Exploitation (CVE-2025-8088): Upon opening the archive, the path traversal flaw triggers, dropping a payload into the Startup folder.
  • DLL Side-Loading: The group utilizes digitally signed, legitimate executables to launch their payloads by placing a malicious DLL in the same directory as a trusted executable.
  • Amaranth Loader: This custom loader retrieves an AES-encrypted payload from an external URL, decrypting it entirely in memory to avoid disk-based detection.
  • Payload Execution: The final payload is often the Havoc C2 framework or the new TGAmaranth RAT.

TGAmaranth RAT and Telegram Threat Monitoring

TGAmaranth RAT is a remote access trojan that uses Telegram for its command-and-control communication. By using a legitimate messaging platform, the actor can blend their traffic with normal network activity. This highlights the importance of Telegram threat monitoring to identify unauthorized bots communicating with internal systems.

The RAT also implements advanced evasion techniques, such as:

  • ntdll.dll Unhooking: Replaces hooked libraries with clean copies to blind EDR solutions.
  • Anti-Debugging: Checks for debuggers and virtual machines to prevent researcher analysis.

Critical n8n Sandbox Escapes: CVE-2026-25049

While Amaranth Dragon targets endpoints, the automation platform n8n has been affected by CVE-2026-25049, which allows authenticated users to escape the JavaScript sandbox and achieve Remote Code Execution (RCE). By exploiting type confusion in property access, attackers can bypass runtime checks and execute system commands, steal API keys, or pivot to connected cloud accounts.

Threat Intelligence Context

The rapid integration of CVE-2025-8088 suggests that threat actors actively monitor underground forums for new vulnerabilities. Furthermore, the use of the Havoc C2 framework shows a convergence between espionage groups and ransomware affiliates. Maintaining visibility requires dark web monitoring capabilities to identify discussions of new exploits or leaked credentials.

Technical Takeaways for Engineers

  • Patching: Update WinRAR to version 7.20 and n8n to version 1.123.17 or 2.5.2 immediately.
  • EDR Configuration: Enable behavior-based detection for DLL side-loading and monitor for unauthorized ntdll.dll modifications.
  • Network Filtering: Block egress traffic to known C2 frameworks and monitor Telegram API traffic for anomalies.
  • Sandbox Hardening: Run automation platforms with least privilege and restricted network access.

Non-Technical Takeaways for Business Leaders

  1. Software Inventory Management: Include small utilities like WinRAR in regular patching cycles.
  2. Access Controls: Limit workflow creation in automation tools to trusted, authenticated personnel only.
  3. Strategic Intelligence: Invest in localized intelligence to detect geofenced attacks targeting your operational region.

PurpleOps Expertise in Threat Mitigation

PurpleOps provides the technical infrastructure required to defend against actors like Amaranth Dragon.

Explore our PurpleOps Solutions or contact our technical team for a comprehensive security assessment.

Frequently Asked Questions

What is the primary vulnerability exploited by Amaranth Dragon?
Amaranth Dragon primarily exploits CVE-2025-8088, a path traversal vulnerability in WinRAR that uses Alternate Data Streams (ADS) to drop malicious files into the Windows Startup folder.

How does TGAmaranth RAT communicate with its operators?
The RAT uses the Telegram API as its command-and-control (C2) channel, allowing malicious traffic to blend in with legitimate network activity and bypass standard firewalls.

What is the risk associated with CVE-2026-25049 in n8n?
This vulnerability allows for a sandbox escape in the n8n automation platform, enabling authenticated attackers to execute arbitrary system commands and steal sensitive credentials or API keys.

How does geofencing help threat actors avoid detection?
By restricting C2 traffic to specific geographic IP ranges, actors like Amaranth Dragon prevent security researchers and global breach detection systems outside the target zone from analyzing their infrastructure.