Dangerous new malware exploits WinRAR flaw - here's what we know

Chinese state-sponsored actor now exploiting a WinRAR bug

TechRadar

News By Sead Fadilpašić published 5 February 2026



  • Amaranth Dragon, linked to APT41, joins groups exploiting WinRAR CVE-2025-8088
  • Targets include organizations across Southeast Asia, using custom loaders and Cloudflare-masked servers
  • Vulnerability abused since mid-2025 by multiple state actors, with malware hidden via Alternate Data Streams

We can now add Amaranth Dragon to the list of Chinese state-sponsored actors abusing the newly uncovered WinRAR vulnerability.

Security researchers at Check Point have reported attacks from this group targeting organizations in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines.

News recently broke that WinRAR, the iconic Windows archiving program, contained a high-severity vulnerability that allowed threat actors to execute arbitrary code on compromised endpoints. The bug was described as a path traversal flaw, affecting versions 7.12 and older. It is tracked as CVE-2025-8088, with a severity score of 8.4/10 (high).

RomCom, Carpathian, and others

When the vulnerability was first discovered, multiple security outfits warned that it was being abused by numerous threat actors, both state-sponsored and otherwise. Now, new reports say that among them is Amaranth Dragon, a threat actor allegedly linked to APT41. This group is using a mix of legitimate tools and a custom loader, which deploys encrypted payloads from a server hidden behind Cloudflare infrastructure.

Earlier reports said that RomCom, a group aligned with the Russian government, abused this bug to deploy NESTPACKER against Ukrainian military units. Some researchers also mentioned APT44, Turla, Carpathian, and multiple Chinese actors that were dropping the POISONIVY malware.

Google's Threat Intelligence Group (GTIG), the cybersecurity arm that mostly tracks state-sponsored attackers, said the earliest signs of abuse were seen in mid-July 2025. Since then, attackers have been using the Alternate Data Streams (ADS) feature in WinRAR to write malware to arbitrary locations on target devices. Amaranth Dragon apparently started using this bug in mid-August last year, mere days after the first working exploit was made public.

"While the user typically views a decoy document, such as a PDF, within the archive, there are also malicious ADS entries, some containing a hidden payload while others are dummy data," Google said.
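One way a defender can triage an archive listing for the decoy-plus-ADS pattern Google describes, as an added example that is not code from the article, Check Point, or Google: it takes archive entry names (the sample listing below is constructed; the exact names used by real exploit archives are an assumption) and flags ADS entries whose stream name walks out of the extraction directory, alongside plain traversal and absolute paths.

```python
import re

# Constructed sample listing, as an archive listing tool might print entry names.
# The real exploit archives' exact names are not given in the article; the shape
# (a decoy document plus ADS entries, some carrying a payload, some dummy data)
# is what it describes.
SAMPLE_ENTRIES = [
    "report.pdf",                                 # decoy document the user sees
    "report.pdf:..\\..\\..\\tmp\\payload.dll",    # ADS whose stream name traverses
    "report.pdf:zxcv",                            # dummy ADS entry
    "images/logo.png",                            # benign
    "..\\evil.exe",                               # plain traversal, no ADS
    "C:\\Windows\\Temp\\x.exe",                   # absolute path
]

# A '..' component bounded by path separators (or string start/end).
_TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Drive-letter or root-relative path: extraction would not stay under the target dir.
_ABSOLUTE = re.compile(r"^(?:[A-Za-z]:[\\/]|[\\/])")


def classify_entry(name):
    """Return a reason string if the entry name looks unsafe, else None.

    Checked in severity order: absolute paths and traversal in the file path
    are unsafe on their own; an ADS entry (anything after the first ':') whose
    stream name traverses is the pattern described for CVE-2025-8088; a bare
    ADS entry is merely unusual and worth a look.
    """
    if _ABSOLUTE.match(name):
        return "absolute path"
    path, sep, stream = name.partition(":")
    if _TRAVERSAL.search(path):
        return "path traversal"
    if sep:
        return "ads traversal" if _TRAVERSAL.search(stream) else "ads entry"
    return None


def scan_listing(names):
    """Map each suspicious entry name to its reason; clean names are omitted."""
    return {n: r for n in names if (r := classify_entry(n))}


if __name__ == "__main__":
    for name, reason in scan_listing(SAMPLE_ENTRIES).items():
        print(f"{reason:15} {name}")
```

Feed it the entry names from your archive listing tool before extraction; any "ads traversal" hit is the article's pattern and the archive should be quarantined rather than opened.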
