Dangerous new malware exploits WinRAR flaw - here's what we know

2026-02-05 14:15

A Chinese state-sponsored actor was seen exploiting a WinRAR bug, soon after the Russians.

News | By Sead Fadilpašić, published 5 February 2026

Chinese state-sponsored actor now exploiting a WinRAR bug

  • Amaranth Dragon, linked to APT41, joins groups exploiting WinRAR CVE-2025-8088
  • Targets include organizations across Southeast Asia, using custom loaders and Cloudflare-masked servers
  • Vulnerability abused since mid-2025 by multiple state actors, with malware hidden via Alternate Data Streams

We can now add Amaranth Dragon to the list of Chinese state-sponsored actors abusing the newly uncovered WinRAR vulnerability.

Security researchers at Check Point have reported attacks coming from this group, targeting organizations in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines.

News recently broke that WinRAR, the iconic Windows archiving program, contained a high-severity vulnerability that allowed threat actors to execute arbitrary code on compromised endpoints. The bug was described as a path traversal flaw, affecting versions 7.12 and older. It is tracked as CVE-2025-8088, with a severity score of 8.4/10 (high).


RomCom, Carpathian, and others

When the vulnerability was first discovered, multiple security outfits warned that it was being abused by numerous threat actors, both state-sponsored and otherwise. Now, new reports say that among them is Amaranth Dragon, a threat actor allegedly linked to APT41. This group uses a mix of legitimate tools and a custom loader, which deploys encrypted payloads from a server hidden behind Cloudflare infrastructure.

Earlier reports said that RomCom, a group aligned with the Russian government, abused this bug to deploy NESTPACKER against Ukrainian military units. Some researchers also mentioned APT44 and Turla, Carpathian, and multiple Chinese actors that were dropping the POISONIVY malware.

Google’s Threat Intelligence Group (GTIG), the cybersecurity arm that mostly tracks state-sponsored attackers, said the earliest signs of abuse were seen in mid-July 2025. Since then, attackers have been using the Alternate Data Streams (ADS) feature in WinRAR to write malware to arbitrary locations on target devices. Amaranth Dragon apparently started using this bug in mid-August last year, mere days after the first working exploit was made public.

"While the user typically views a decoy document, such as a PDF, within the archive, there are also malicious ADS entries, some containing a hidden payload while others are dummy data," Google said.
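As an added defensive example (not code from the article, Check Point, or Google), the check below screens an archive listing for the two shapes described above: entries that carry Alternate Data Streams and names whose path climbs out of the extraction directory. The entry names are constructed, and the listing is assumed to come from a RAR parser or unrar wrapper you already have.

```python
import ntpath
import re

# Constructed archive listing, shaped like what a RAR parser or an `unrar l`
# wrapper (assumed to exist in your tooling) would return: a decoy PDF, ADS
# entries ("file:stream") that are dummy padding, and one ADS entry whose
# stream name climbs out of the extraction directory. All names are invented.
SAMPLE_ENTRIES = [
    "Invoice_Q3.pdf",
    "Invoice_Q3.pdf:pad1",
    "Invoice_Q3.pdf:pad2",
    "Invoice_Q3.pdf:..\\..\\..\\EXAMPLE_TARGET_DIR\\payload.exe",
    "notes.txt",
]

# A ".." path segment at the start, after a separator, or right after the
# ADS colon, so "file:..\\x" is caught as well as "..\\x" and "a\\..\\b".
TRAVERSAL = re.compile(r"(^|[\\/:])\.\.([\\/]|$)")


def split_ads(name: str):
    """Split 'file:stream' into (file, stream); a bare drive letter is not an ADS."""
    base, sep, stream = name.partition(":")
    if not sep or (len(base) == 1 and base.isalpha()):
        return name, None          # no colon, or a "C:..." drive prefix
    return base, stream


def classify_entry(name: str) -> str:
    """Label one entry: ok, ads, traversal, ads-traversal or absolute."""
    base, stream = split_ads(name)
    if TRAVERSAL.search(base):
        return "traversal"         # classic zip-slip style file name
    if ntpath.isabs(base):
        return "absolute"          # archive asks for a fixed path on disk
    if stream is not None:
        if TRAVERSAL.search(stream) or ntpath.isabs(stream):
            return "ads-traversal" # the ADS-plus-traversal shape in the article
        return "ads"               # any ADS in a document archive deserves a look
    return "ok"


def suspicious(entries):
    """Return the entries a reviewer should inspect, in listing order."""
    return [n for n in entries if classify_entry(n) != "ok"]


if __name__ == "__main__":
    for n in SAMPLE_ENTRIES:
        print(f"{classify_entry(n):14} {n}")
```

Run it over real listings to triage archives before they reach an unpatched WinRAR; dummy ADS entries and the payload entry surface together, which matches the decoy-plus-padding layout Google describes.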


Via BleepingComputer


Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
