Mallory

TGAmaranth RAT

TGAmaranth RAT is a Telegram-based remote access trojan observed in 2025 cyber-espionage campaigns that Check Point attributes to Amaranth-Dragon, a China-linked cluster the reporting assesses as closely tied to the APT41 ecosystem. It was used against government and law enforcement organizations in Southeast Asia, Indonesia in particular, and was delivered in later campaign stages inside password-protected RAR archives, some of them hosted on Dropbox. The wider intrusion activity also weaponized the WinRAR path traversal vulnerability CVE-2025-8088 within days of its disclosure; in the Indonesia-focused campaigns, however, the archives delivered TGAmaranth RAT directly rather than the Amaranth Loader/Havoc chain seen elsewhere.

The malware is a 64-bit DLL that embeds a hard-coded Telegram bot token and uses the Telegram Bot API at api.telegram.org as its command-and-control channel, so its C2 traffic is ordinary HTTPS to a widely used service. Reported capabilities are process listing, screenshot capture, shell command execution with output exfiltration, and file download/upload, driven by the bot commands /start (send a list of running processes), /screenshot (capture and upload a screenshot), /shell (run a command and return its output), /download (retrieve a file from the host) and /upload (write a file to the host). The RAT also carries anti-debugging, anti-EDR and anti-AV logic. Two techniques are specifically reported. The first is a "SelfDebugging" event mechanism built on DebugActiveProcess, the well-known pattern in which a process arranges to be debugged by a helper it controls so that, since only one debugger can attach to a process at a time, an analyst's debugger cannot. The second restores a clean ntdll.dll .text section: the RAT spawns cmd.exe in a suspended state, reads the freshly mapped ntdll out of that child with ReadProcessMemory, and overwrites its own copy with it. Because the child never runs, security products that inject their hooking DLL at process start have not yet patched its ntdll, so the copy is hook-free and the overwrite strips user-mode EDR hooks from the RAT's own process.
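Because every Bot API request carries the token in the URL path, a proxy that logs full URLs (or TLS inspection) exposes the bot id and the method called, and the mix of methods tells polling for commands apart from pushing results. The following is an added example for this page, not code from the reporting or from the malware: it runs that check over constructed proxy log lines. The line format, the process name rundll32.exe and the bot tokens are all assumptions made up for the example.

```python
import re
from dataclasses import dataclass, field

# Every Telegram Bot API request carries the bot token in the URL path
# (https://api.telegram.org/bot<id>:<secret>/<method>), so a proxy that logs
# full URLs, or TLS inspection, exposes the bot id and the method being called.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot"
    r"(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{30,45})/(?P<method>[A-Za-z]+)"
)

POLL_METHODS = {"getUpdates"}                                # operator -> implant: fetch queued commands
PUSH_METHODS = {"sendMessage", "sendDocument", "sendPhoto"}  # implant -> operator: output, files, screenshots

# Constructed proxy log lines (not real telemetry). Assumed line format:
# "<timestamp> <client_ip> <process> <http_method> <url>". Tokens are made up.
SAMPLE_LOG = """\
2025-09-02T08:00:01Z 10.0.5.23 rundll32.exe GET https://api.telegram.org/bot7012345678:AAFexampleSecretValue1234567890123AbC/getUpdates?offset=1&timeout=30
2025-09-02T08:00:32Z 10.0.5.23 rundll32.exe GET https://api.telegram.org/bot7012345678:AAFexampleSecretValue1234567890123AbC/getUpdates?offset=1&timeout=30
2025-09-02T08:01:03Z 10.0.5.23 rundll32.exe POST https://api.telegram.org/bot7012345678:AAFexampleSecretValue1234567890123AbC/sendMessage
2025-09-02T08:01:10Z 10.0.5.23 rundll32.exe POST https://api.telegram.org/bot7012345678:AAFexampleSecretValue1234567890123AbC/sendDocument
2025-09-02T08:01:40Z 10.0.5.23 rundll32.exe POST https://api.telegram.org/bot7012345678:AAFexampleSecretValue1234567890123AbC/sendPhoto
2025-09-02T08:02:00Z 10.0.7.41 chrome.exe GET https://web.telegram.org/k/
2025-09-02T08:02:05Z 10.0.9.12 python.exe POST https://api.telegram.org/bot5500000000:AAHotherExampleSecretValue987654321qq/sendMessage
"""


@dataclass
class BotActivity:
    bot_id: str
    client: str
    process: str
    token_hint: str = ""
    polls: int = 0
    pushes: int = 0
    methods: set = field(default_factory=set)

    def verdict(self) -> str:
        # A bot that one endpoint process both polls for commands and uses to push
        # results is the two-way channel an implant needs (ATT&CK T1102.002).
        if self.polls and self.pushes:
            return "likely bot C2"
        if self.polls:
            return "polling only (review)"
        return "notification only (review)"   # e.g. a monitoring script that pushes alerts


def mask_secret(secret: str) -> str:
    """Keep a pivotable handle without copying the whole credential into a ticket."""
    return secret[:4] + "..." + secret[-3:]


def parse_line(line: str):
    """Return the Bot API fields of one log line, or None if it is not a Bot API call."""
    parts = line.split(maxsplit=4)
    if len(parts) != 5:
        return None
    _ts, client, process, _http_method, url = parts
    m = BOT_API_RE.match(url)
    if not m:
        return None
    return {"client": client, "process": process, "bot_id": m["bot_id"],
            "secret": m["secret"], "method": m["method"]}


def analyze(log_text: str) -> dict:
    """Group Bot API calls by (client, process, bot id) and count polls vs pushes."""
    hits: dict = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["process"], rec["bot_id"])
        act = hits.setdefault(key, BotActivity(rec["bot_id"], rec["client"], rec["process"]))
        act.token_hint = mask_secret(rec["secret"])
        act.methods.add(rec["method"])
        if rec["method"] in POLL_METHODS:
            act.polls += 1
        elif rec["method"] in PUSH_METHODS:
            act.pushes += 1
    return hits


if __name__ == "__main__":
    for (client, process, bot_id), act in analyze(SAMPLE_LOG).items():
        print(f"{client} {process} bot {bot_id} ({act.token_hint}): polls={act.polls} "
              f"pushes={act.pushes} methods={sorted(act.methods)} -> {act.verdict()}")
```

The grouping key deliberately includes the process: the official Telegram desktop client speaks MTProto to Telegram's own data centres and never calls the Bot API, so any workstation process polling getUpdates is worth a look on its own, and one that also uploads documents and photos through the same bot is the pattern this RAT produces. The bot id survives masking so it can be pivoted on across hosts without the full credential ending up in tickets.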

Associated infrastructure was reported to sit behind Cloudflare and to be geo-restricted to the targeted countries, so that scanners and analysts connecting from elsewhere receive nothing useful, which limits both exposure and detection. The campaigns using TGAmaranth RAT were characterized as highly targeted, politically aligned espionage operations aimed at long-term access and intelligence collection rather than disruption.
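The ntdll refresh described in the capabilities paragraph above leaves an endpoint trace that is cheap to hunt for: the same process creates cmd.exe, opens it with read access to its memory almost immediately, and the child dies moments later without having done anything. The block below is an added hunting heuristic for this page, not Check Point's detection logic and not code from the malware. The Sysmon field names are real (including the ProcessGuid vs SourceProcessGUID spelling difference between Event 1 and Event 10), but the events, GUIDs and the rundll32.exe host process are constructed for the example.

```python
from datetime import datetime, timedelta

PROCESS_VM_READ = 0x0010             # needed for ReadProcessMemory on the child
PROCESS_QUERY_INFORMATION = 0x0400   # typically requested too, to locate the child's ntdll base

# Constructed Sysmon-style events (not real telemetry), trimmed to the fields used here.
# Real Sysmon quirk: Event 1 uses ProcessGuid/ParentProcessGuid, Event 10 uses
# SourceProcessGUID/TargetProcessGUID.
EVENTS = [
    # Suspicious: rundll32.exe spawns cmd.exe, reads its memory 20 ms later, child dies 50 ms in.
    {"EventID": 1, "UtcTime": "2025-09-02 08:05:00.000", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe", "ProcessGuid": "{child-1}",
     "ParentImage": r"C:\Windows\System32\rundll32.exe", "ParentProcessGuid": "{parent-1}"},
    {"EventID": 10, "UtcTime": "2025-09-02 08:05:00.020",
     "SourceImage": r"C:\Windows\System32\rundll32.exe", "SourceProcessGUID": "{parent-1}",
     "TargetImage": r"C:\Windows\System32\cmd.exe", "TargetProcessGUID": "{child-1}",
     "GrantedAccess": "0x1410"},
    {"EventID": 5, "UtcTime": "2025-09-02 08:05:00.050",
     "Image": r"C:\Windows\System32\cmd.exe", "ProcessGuid": "{child-1}"},
    # Benign: Explorer starts a console for the user and never touches its memory.
    {"EventID": 1, "UtcTime": "2025-09-02 08:06:00.000", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe", "ProcessGuid": "{child-2}",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessGuid": "{parent-2}"},
    # Benign: a script runs cmd.exe /c and only waits for it (SYNCHRONIZE, no VM_READ).
    {"EventID": 1, "UtcTime": "2025-09-02 08:07:00.000", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir", "ProcessGuid": "{child-3}",
     "ParentImage": r"C:\Python\python.exe", "ParentProcessGuid": "{parent-3}"},
    {"EventID": 10, "UtcTime": "2025-09-02 08:07:00.010",
     "SourceImage": r"C:\Python\python.exe", "SourceProcessGUID": "{parent-3}",
     "TargetImage": r"C:\Windows\System32\cmd.exe", "TargetProcessGUID": "{child-3}",
     "GrantedAccess": "0x100000"},
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def find_memory_reads_of_spawned_cmd(events, window=timedelta(seconds=5)):
    """Flag a parent that spawns cmd.exe and then opens it with PROCESS_VM_READ within `window`.

    A child that also terminates inside the window raises confidence: a shell that was
    started to do work lives far longer than copying a few hundred KB of ntdll takes.
    """
    creates = {e["ProcessGuid"]: e for e in events
               if e["EventID"] == 1 and e["Image"].lower().endswith("\\cmd.exe")}
    ends = {e["ProcessGuid"]: e for e in events if e["EventID"] == 5}
    findings = []
    for e in events:
        if e["EventID"] != 10:
            continue
        child = creates.get(e["TargetProcessGUID"])
        if child is None or child["ParentProcessGuid"] != e["SourceProcessGUID"]:
            continue                      # only the process that spawned the shell is of interest
        access = int(e["GrantedAccess"], 16)
        if not access & PROCESS_VM_READ:
            continue
        age = _ts(e["UtcTime"]) - _ts(child["UtcTime"])
        if not (timedelta(0) <= age <= window):
            continue
        end = ends.get(child["ProcessGuid"])
        short_lived = end is not None and _ts(end["UtcTime"]) - _ts(child["UtcTime"]) <= window
        findings.append({
            "parent": e["SourceImage"], "parent_guid": e["SourceProcessGUID"],
            "child_guid": child["ProcessGuid"], "child_cmdline": child["CommandLine"],
            "granted_access": hex(access), "short_lived_child": short_lived,
            "confidence": "high" if short_lived else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_memory_reads_of_spawned_cmd(EVENTS):
        print(finding)
```

Two caveats before deploying this. Most Sysmon configurations restrict Event 10 to lsass.exe targets, so a rule that includes cmd.exe targets has to be added first, and whether the handle a parent receives from CreateProcess itself shows up as an Event 10 depends on the sensor and configuration; verify against your own telemetry before relying on it. Debuggers and IDEs legitimately spawn and read processes, so expect to allowlist those parents.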


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2025-8088: WinRAR Windows Path Traversal via NTFS Alternate Data Streams (exploited in the wild)

Attack chains mounted by the adversary abuse CVE-2025-8088, a now-patched flaw in RARLAB WinRAR (fixed in WinRAR 7.13). A crafted archive carries alternate data stream names containing path traversal sequences, so when the target extracts it WinRAR writes attacker-chosen files outside the selected output directory, which is enough for arbitrary code execution once the dropped file runs. Exploitation was observed about eight days after the vulnerability's public disclosure in August 2025.

Source: The Hacker News (thehackernews.com)
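Since the malicious path in a CVE-2025-8088 archive lives in the alternate data stream name rather than in the file entry itself, a listing that only looks at member file names misses it. The following is an added example for this page, not from the reporting: it classifies archive member names (as an archive lister would report them) and flags ADS names that resolve outside the extraction directory. The member names are constructed, and the function names are this example's own.

```python
import re

# Constructed archive member names, as an archive listing tool would print them
# (not taken from a real malicious sample). In the CVE-2025-8088 pattern the
# innocuous file is the entry; the traversal sits in the alternate data stream
# name attached to it, after the colon.
SAMPLE_ENTRIES = [
    "report.pdf",
    "report.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "notes.txt:Zone.Identifier",                 # an ordinary ADS name (mark-of-the-web), not a path
    "images/logo.png",
    "..\\..\\evil.dll",                          # plain traversal, which extractors already reject
    "C:\\Users\\Public\\run.exe",                # absolute path
    "data.bin:\\\\?\\C:\\Windows\\Temp\\x.exe",  # ADS carrying a device-prefixed absolute path
]

ABSOLUTE = re.compile(r"^(?:[A-Za-z]:|\\\\|//)")   # drive letter, UNC share or \\?\ prefix


def escapes_extraction_dir(path: str) -> bool:
    """True if `path`, resolved relative to the extraction directory, lands outside it."""
    if ABSOLUTE.match(path):
        return True
    depth = 0
    for seg in re.split(r"[\\/]+", path):
        if seg == "..":
            depth -= 1
        elif seg and seg != ".":
            depth += 1
        if depth < 0:          # walked above the extraction root at some point
            return True
    return False


def classify_entry(name: str):
    """Return (kind, detail); kind is one of ads_traversal, traversal, absolute_path, ads, ok."""
    if ABSOLUTE.match(name):
        return ("absolute_path", name)
    if ":" in name:
        host, stream = name.split(":", 1)      # Windows ADS syntax: file:stream[:$DATA]
        if escapes_extraction_dir(stream):
            return ("ads_traversal", f"{host} -> {stream}")
        if escapes_extraction_dir(host):
            return ("traversal", host)
        return ("ads", f"{host} -> {stream}")
    if escapes_extraction_dir(name):
        return ("traversal", name)
    return ("ok", name)


def scan(entries):
    """Group member names by kind; anything outside ok/ads should block extraction or be reviewed."""
    report: dict = {}
    for name in entries:
        kind, detail = classify_entry(name)
        report.setdefault(kind, []).append(detail)
    return report


def is_suspicious(entries) -> bool:
    return any(classify_entry(n)[0] in {"ads_traversal", "traversal", "absolute_path"}
               for n in entries)


if __name__ == "__main__":
    for kind, details in scan(SAMPLE_ENTRIES).items():
        print(f"{kind}:")
        for d in details:
            print(f"  {d}")
    print("suspicious:", is_suspicious(SAMPLE_ENTRIES))
```

The traversal check walks the path segment by segment and fails as soon as the depth goes negative, so `a/../b` passes while `a/../../b` does not; normalising the whole path first would hide exactly the intermediate escape that matters. Device prefixes (`\\?\`) and UNC paths are treated as absolute because extraction to them never stays inside the output directory.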
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Amaranth-Dragon

"...deliver a fully functional remote access trojan (RAT) codenamed TGAmaranth RAT instead of Amaranth Loader that leverages a hard-coded Telegram bot for C2."

Source: The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

11 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1566.001 Spearphishing Attachment (evidence: 1)

"... suggests the use of spear-phishing emails to distribute the archive files hosted on well-known cloud platforms like Dropbox ..."

Execution

2 techniques

T1059 Command and Scripting Interpreter (evidence: 1)

"... deliver a fully functional remote access trojan (RAT) codenamed TGAmaranth RAT ... supports ... /shell, to execute a specified command ..."

T1203 Exploitation for Client Execution (evidence: 1)

"Attack chains ... have been found to abuse CVE-2025-8088 ... impacting RARLAB WinRAR that allows for arbitrary code execution when specially crafted archives are opened by targets."

Defense Evasion

2 techniques

T1497 Virtualization/Sandbox Evasion (evidence: 1)

"... anti-debugging and anti-antivirus techniques to resist analysis and detection ..."

T1622 Debugger Evasion (evidence: 1)

"Besides implementing anti-debugging and anti-antivirus techniques to resist analysis and detection ..."

Discovery

3 techniques

T1057 Process Discovery (evidence: 1)

"/start, to send a list of running processes from the infected machine"

T1497 Virtualization/Sandbox Evasion (evidence: 1; ATT&CK lists this technique under both Defense Evasion and Discovery, same evidence as above)

T1622 Debugger Evasion (evidence: 1; likewise listed under both tactics, same evidence as above)

Collection

1 technique

T1113 Screen Capture (evidence: 1)

"/screenshot, to capture and upload a screenshot"

Command and Control

3 techniques

T1071.001 Web Protocols (evidence: 1)

"The C2 infrastructure is secured by Cloudflare ..."

T1102.002 Bidirectional Communication (evidence: 1)

"... TGAmaranth RAT ... leverages a hard-coded Telegram bot for C2."

T1105 Ingress Tool Transfer (evidence: 1)

"... distribute the archive files hosted on well-known cloud platforms like Dropbox ..."; "... distribute a password-protected RAR archive from Dropbox ..."; "/upload, to upload a file to the infected machine"

Exfiltration

1 technique

T1041 Exfiltration Over C2 Channel (evidence: 1)

"... /shell ... exfiltrate the output"; "... /download, to download a specified file from the infected machine"
