China-Linked Amaranth-Dragon and Mustang Panda Exploit WinRAR Flaw in Espionage Campaigns
These articles are AI-generated summaries. Please check the original sources for full details.
A series of cyber espionage campaigns targeting government and law enforcement agencies across Southeast Asia has been attributed to Amaranth-Dragon and Mustang Panda, two China-affiliated threat actors, with one notable chain exploiting the WinRAR flaw CVE-2025-8088. The campaigns, active since 2025, are narrowly targeted and built for stealth; the lures are tailored to political, economic or military developments in the region.
Why This Matters
These campaigns show the gap between idealised security models and the threats organisations actually face. CVE-2025-8088 already had a fix available when it was exploited, so the case for timely patching is direct: the cost of lagging was not a lab demonstration but geopolitical intelligence collection and long-term persistence on compromised machines, with remediation costs that can run into millions of dollars.
Key Insights
- Amaranth-Dragon exploited CVE-2025-8088, a path traversal flaw in WinRAR versions before 7.13: alternate data stream (ADS) names inside a crafted archive can make the extractor write files outside the directory the user chose, for example into a Startup folder, which yields code execution at the next logon. Check Point Research reported the exploitation in 2026.
- The Mustang Panda threat actor used a customized variant of PlugX, called DOPLUGS, to covertly harvest data and enable persistent access to compromised hosts, as detailed by Dream Research Labs in 2026.
- Both groups relied on legitimate, trusted infrastructure such as Dropbox and Cloudflare as part of their operations. Traffic to such services therefore cannot be treated as benign by default; it needs to be monitored and, where possible, constrained to approved accounts.
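As an added example (not code from the original page, and not from Check Point Research or Dream Research Labs), the following Python shows the check a hardened extractor should apply to every archive entry name before writing anything: it splits off any ADS stream portion, flags traversal hidden inside the stream name (the CVE-2025-8088 pattern), rejects absolute and UNC paths, and finally confirms that the normalised target still sits under the extraction root. The entry names, the extraction root and the Startup-folder target are constructed for illustration and are not taken from a real sample.

```python
import ntpath
import re
from pathlib import PureWindowsPath

# Constructed entry names, modelled on the shape of a CVE-2025-8088 lure:
# a benign-looking document plus an ADS entry whose stream portion climbs out
# of the extraction directory. Not copied from any real archive.
SAMPLE_ENTRIES = [
    "Agenda_Meeting.pdf",
    "Agenda_Meeting.pdf:stream1:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\update.lnk",
    "notes\\readme.txt",
    "..\\..\\Temp\\loader.dll",
    "C:\\Windows\\Temp\\x.exe",
    "\\\\server\\share\\y.exe",
]

# Assumed extraction directory chosen by the user (illustrative).
EXTRACT_ROOT = "C:\\Users\\analyst\\Downloads\\extract"


def split_ads(name):
    """Split a 'file:stream' style name into (file part, stream part or None).
    A leading drive letter such as 'C:' is not treated as a stream separator."""
    start = 2 if re.match(r"^[A-Za-z]:", name) else 0
    idx = name.find(":", start)
    if idx == -1:
        return name, None
    return name[:idx], name[idx + 1:]


def classify_entry(name, root=EXTRACT_ROOT):
    """Return the reasons an entry name is unsafe to write under `root`.
    An empty list means the entry may be written."""
    reasons = []
    file_part, stream_part = split_ads(name)
    if stream_part is not None:
        reasons.append("ads")
        # The CVE-2025-8088 shape: '..' components hidden in the stream name,
        # which a naive extractor appends to the file path unchecked.
        components = re.split(r"[\\/]", stream_part)
        if ".." in components:
            reasons.append("traversal-in-stream")
    p = PureWindowsPath(file_part)
    if p.is_absolute() or p.drive or p.root:
        reasons.append("absolute")
    if ".." in p.parts:
        reasons.append("traversal")
    # Pattern-independent check: normalise the joined path and require that it
    # still lies inside the extraction root. ntpath works on any host OS.
    target = ntpath.normpath(ntpath.join(root, file_part))
    root_norm = ntpath.normpath(root)
    if not (target == root_norm or target.startswith(root_norm + "\\")):
        reasons.append("escapes-root")
    return reasons


def safe_entries(entries, root=EXTRACT_ROOT):
    """Filter an entry list down to the names that pass every check."""
    return [e for e in entries if not classify_entry(e, root)]


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        verdict = classify_entry(entry) or ["ok"]
        print(f"{', '.join(verdict):24} {entry}")
```

The stream check matters because a path filter applied only to the file portion passes the ADS entry (its file part, Agenda_Meeting.pdf, is perfectly clean); the final normalised-root comparison is the backstop for anything the pattern checks miss.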
Working Example
# Illustrative PowerShell one-liner (not for execution) that calls the Windows-native
# tar.exe to unpack an archive: a living-off-the-land step of the kind used to stage
# payloads without dropping a dedicated unpacker. A raw string keeps the PowerShell
# "$" variables intact (the original "\$" escapes printed literal backslashes), and
# $tarArgs replaces $args, which is a PowerShell automatic variable.
powershell_command = r'''Invoke-Expression -Command "& { $archive = 'path/to/archive.zip'; $tar = 'path/to/tar.exe'; $tarArgs = '-xf', $archive; & $tar $tarArgs }"'''
print(powershell_command)
Practical Applications
- Use Case: Government agencies and other organisations in Southeast Asia can apply these findings directly: patch WinRAR and other archive handlers promptly, and monitor outbound traffic to legitimate cloud services such as Dropbox and Cloudflare rather than allow-listing them wholesale.
- Pitfall: Spear-phishing with lures tailored to regional political, economic or military developments remains effective. Employee awareness training helps, but a lure only needs to get one crafted archive opened, so do not rely on it alone; pair it with patching and with monitoring of files written to user Startup folders.
References:
- The Hacker News, February 2026: http://thehackernews.com/2026/02/china-linked-amaranth-dragon-exploits.html
- Check Point Research: https://www.checkpoint.com/research/
- Dream Research Labs: https://www.dreamresearchlabs.com/