
Amaranth-Dragon Weaponizing CVE-2025-8088 for Targeted Espio... #1859

Open
carlospolop wants to merge 1 commit into master from update_Amaranth-Dragon__Weaponizing_CVE-2025-8088_for_Tar_20260204_184947

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Title/Context
Check Point Research (CPR) tracked Amaranth-Dragon, a China-nexus cluster with overlaps to APT-41 tooling/TTPs, conducting highly targeted cyber-espionage campaigns throughout 2025 against government and law enforcement organizations in Southeast Asia (Cambodia, Thailand, Laos, Indonesia, Singapore, Philippines). CPR infers operations align with UTC+8 (China Standard Time) based on compilation times, archive timestamps, an...

🔧 Technical Details

Weaponize archive path traversal (CVE-2025-8088) for arbitrary file write → Startup persistence
If an archive extractor is vulnerable to path traversal, a crafted RAR can write files outside the chosen extraction folder by embedding traversal sequences like ../. Attackers can aim the write into a stable autostart location (e.g., a user Startup folder) so the dropped .cmd/.bat executes on next logon/reboot. In practice, payloads may attempt multiple traversal depths to reach the correct Startup path depending on the user’s extraction directory.

Signed-binary DLL sideloading as the execution primitive
Bundle a legitimate signed EXE with a malicious DLL named as an expected dependency (e.g., DllSafeCheck64.dll, libcef.dll). When the EXE runs, Windows loads the attacker DLL from the same directory, executing the malicious export. A common evasion pattern is exporting multiple functions where onl...

🤖 Agent Actions

Updated three HackTricks sections with Amaranth-Dragon tradecraft: expanded the archive path traversal page with CVE-2025-8088 Startup-folder persistence details and added reference; enhanced DLL hijacking page with a full Amaranth/TGAmaranth sideloading pattern (double-URL AES loader, export stubbing, RC4-variant + fiber execution, ntdll unhooking) and cited the new source; enriched Windows autoruns persistence guidance with a concrete CVE-2025-8088 Startup dropper flow and added the related reference.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
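As an added example (not code from this PR, from HackTricks, or from the Check Point write-up): the traversal described above only works when the extractor trusts entry names as given. The check below resolves every entry name against the extraction root before anything is written, rejecting absolute paths, drive letters, NTFS stream syntax and any `..` that would climb above the root. The fixture is a constructed in-memory zip standing in for a RAR (the Python standard library has no RAR reader); since the check operates on entry names only, it applies to any archive format. Entry names, the `/tmp/extract` destination and the placeholder `.cmd` content are all assumptions made for the demonstration.

```python
import io
import posixpath
import re
import zipfile

# Windows-targeted archives may use either separator; treat them identically.
_SEP = re.compile(r"[\\/]+")
# A drive letter ('C:'), leading slash or backslash makes the entry absolute.
_ABS_PREFIX = re.compile(r"^([A-Za-z]:|[\\/])")


def resolve_entry(name: str):
    """Resolve '.' and '..' in an archive entry name.

    Returns the path components relative to the extraction root, or None when
    the entry would land outside it (absolute path, drive letter, alternate
    data stream, or more '..' components than there are parents to climb).
    """
    if _ABS_PREFIX.match(name):
        return None
    parts = []
    for comp in _SEP.split(name):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:
                return None          # would climb above the extraction root
            parts.pop()
        elif ":" in comp:
            return None              # NTFS alternate data stream syntax, refuse
        else:
            parts.append(comp)
    return parts


def plan_extraction(dest_dir: str, names):
    """Split entry names into a {name: destination_path} map for safe entries
    and a list of rejected names. Paths are joined with posixpath so the
    result is deterministic on any host; a real extractor would use os.path
    and still re-check the joined path with os.path.realpath."""
    accepted, rejected = {}, []
    root = dest_dir.rstrip("/")
    for name in names:
        parts = resolve_entry(name)
        if parts is None:
            rejected.append(name)
        elif parts:                  # entries resolving to the root itself are no-ops
            accepted[name] = posixpath.join(root, *parts)
    return accepted, rejected


def build_fixture() -> bytes:
    """Constructed test archive: one benign entry plus two traversal entries of
    different depths, mirroring the multiple-depth attempts the summary notes.
    The .cmd content is a harmless placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../Startup/update.cmd", "rem constructed placeholder")
        zf.writestr("..\\..\\..\\Startup\\update.cmd", "rem constructed placeholder")
    return buf.getvalue()


def audit_archive(data: bytes, dest_dir: str):
    """Audit every entry name before touching the filesystem."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return plan_extraction(dest_dir, zf.namelist())


if __name__ == "__main__":
    accepted, rejected = audit_archive(build_fixture(), "/tmp/extract")
    for name, path in accepted.items():
        print(f"OK      {name} -> {path}")
    for name in rejected:
        print(f"REJECT  {name}")
```

The design point is that rejection happens on the resolved name, not on a substring match for `../`: an entry such as `docs/../../x` contains the same sequence but is only caught once `..` is applied component by component, and an entry such as `a/../b` is legitimate and should still extract.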

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://research.checkpoint.com/2026/amaranth-dragon-weaponizes-cve-2025-8088-for-targeted-espionage/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web / File Upload & Archives -> Archive Extraction Path Traversal (add WinRAR CVE-2025-8088 Startup-folder persistence variant) and/or Windows -> Windows Local Privilege Escalation / Persistence (Startup folder drop) + Windows -> Dll Hijacking (signed binary sideloading) + optionally Windows post-exploitation/evasion notes (fiber execution, ntdll unhooking, Telegram C2)".

Repository Maintenance:

  • MD Files Formatting: 944 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
