New Hacking Campaign Exploits Microsoft Windows WinRAR Vulnerability

By Team-CWD, February 5, 2026
A hacking campaign took just days to exploit a newly disclosed security vulnerability in the Microsoft Windows version of WinRAR, researchers at Check Point have said.

The attackers leveraged CVE-2025-8088, a path traversal vulnerability in the widely used file archive and compression software WinRAR, which was first disclosed in August 2025.

Check Point’s analysis of the campaign suggested that attackers were actively exploiting the vulnerability within days of its disclosure.

CVE-2025-8088 allows attackers to achieve arbitrary code execution by crafting malicious archive files. This lets them run code and maintain persistence on targeted machines, allowing them to secretly monitor users and collect sensitive data.

One way the attackers achieve this is by deploying Havoc Framework, an open-source Command and Control (C&C) platform that is used for authorized penetration testing and red teaming exercises.

Because the tool has legitimate uses, its presence may not trigger security alerts.
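The vulnerability described above is a path traversal triggered by crafted archive entries. The following added example (not Check Point's or WinRAR's code) shows the kind of check a defender can run on archive contents before extraction: it flags entry paths that would escape the extraction directory. It uses Python's standard `zipfile` module because RAR parsing needs third-party libraries; the path check itself is format-agnostic, and the sample archive is constructed inline. It is a generic traversal check, not a detector for the exact technique used in CVE-2025-8088.

```python
import io
import zipfile
from typing import List


def is_traversal_path(name: str) -> bool:
    """Return True if an archive entry path would escape the extraction root.

    Flags absolute paths, Windows drive-letter paths and any sequence of
    '..' components that climbs above the root. Backslashes are treated
    as separators so Windows-style entries are handled the same way.
    """
    normalized = name.replace("\\", "/")
    if normalized.startswith("/"):
        return True
    if len(normalized) > 1 and normalized[1] == ":":  # e.g. C:/...
        return True
    depth = 0
    for part in normalized.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:  # climbed above the extraction root
                return True
        else:
            depth += 1
    return False


def suspicious_entries(zip_bytes: bytes) -> List[str]:
    """Return the names of all entries in a ZIP archive that fail the check."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return [info.filename for info in archive.infolist()
                if is_traversal_path(info.filename)]


def build_sample_archive() -> bytes:
    """Construct a small in-memory ZIP (sample data, not a real artefact):
    one benign entry and one whose path climbs out of the extraction root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("report/salary_notice.txt", b"benign content")
        archive.writestr("../../escaped/file.txt", b"lands outside the root")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in suspicious_entries(build_sample_archive()):
        print("suspicious entry:", entry)
```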

Tailored Lures Point to Cyber‑Espionage Campaign

Check Point researchers noted that the attacks focused on government institutions and law enforcement agencies in Southeast Asia, pointing to a cyber-espionage campaign aimed at collecting intelligence for geopolitical purposes.

The attackers appear to have tailored their lures for maximum effect, basing them on local political, economic or military developments in the targeted country or region, such as government salary announcements or joint regional exercises.

The campaigns were designed to be tightly controlled. Attack infrastructure was configured to interact only with victims in specific target countries, limiting exposure beyond the intended targets and helping the campaign stay under the radar.

Check Point believes the lures were delivered to the intended victims via phishing emails, directing them to malicious archive files hosted on legitimate cloud storage services.

Researchers concluded that the campaign was being conducted by a group dubbed Amaranth-Dragon. The tools, techniques and procedures used by Amaranth-Dragon closely resemble those of APT41, the prolific Chinese state-linked cyber-espionage and hacking group.

“The campaigns by Amaranth-Dragon exploiting the CVE-2025-8088 vulnerability highlight the recent trend of sophisticated threat actors rapidly weaponizing newly disclosed vulnerabilities,” Check Point Research said in a blog post.

“These attacks serve as a stark reminder of the importance of timely vulnerability management, user awareness, and robust defense-in-depth strategies.”

To help protect networks and users from such attacks, it is recommended that organizations, especially those in government and critical infrastructure sectors, prioritize patching vulnerabilities and monitor for suspicious archive files.
