
Amaranth Loader

Amaranth Loader is a custom malware loader used in 2025 cyber-espionage campaigns attributed by Check Point to the China-linked cluster Amaranth-Dragon, which the reporting assesses as closely linked to the APT41 ecosystem. It was used primarily against government and law enforcement organizations in Southeast Asia, including targets in Cambodia, Thailand, Laos, Indonesia, Singapore, and the Philippines. The campaigns were described as highly targeted, stealthy, and focused on long-term intelligence collection.

Amaranth Loader was delivered through malicious archives, including RAR and ZIP files, likely via spear-phishing and sometimes hosted on legitimate services such as Dropbox. In multiple cases, execution relied on DLL side-loading using a legitimate executable. Reporting states that the loader contacts an external server to retrieve an encryption key, then uses that key to decrypt an encrypted payload fetched from a separate URL and execute it directly in memory. The most commonly reported payload delivered by Amaranth Loader was the Havoc C2 framework.

The malware was observed in campaigns that rapidly weaponized the WinRAR path traversal vulnerability CVE-2025-8088, with malicious RAR archives used to achieve code execution and persistence, including by dropping files into the Windows Startup folder. Earlier campaign variants also used ZIP archives containing LNK and BAT files to decrypt and launch the loader. Check Point reported that Amaranth Loader shares similarities with DodgeBox, Dustpan, and Dusttrap, tools associated with APT41.

Operationally, the associated infrastructure was protected behind Cloudflare and geo-restricted to respond only to IP addresses from intended target countries, with non-target access returning HTTP 403. High-confidence indicators and behaviors directly mentioned in the reporting include DLL side-loading, retrieval of an encryption key from an external server, decryption of a remotely hosted payload, in-memory execution, use of legitimate cloud hosting such as Dropbox, and primary deployment of Havoc C2.
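The behaviours listed above (a legitimate executable side-loading a DLL from the directory an archive was extracted to, a small fetch for a key, then a larger fetch of the encrypted payload from a different host) are what a detection engineer would try to correlate in endpoint and proxy telemetry. The following Python is an added illustration of that correlation and is not code from Check Point, Mallory or the loader itself; the event schema, the user-writable directory list, the 256-byte key threshold, and every path, PID and hostname in the sample data are constructed assumptions.

```python
"""
Correlate image-load and HTTP events per process to flag the loader pattern:
EXE and DLL in the same user-writable directory, then within a short window a
tiny HTTP response (key) followed by a larger response from a different host
(payload). All events and hosts below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse


@dataclass
class Event:
    ts: datetime
    kind: str            # "image_load" or "http_get"
    pid: int
    image: str           # full path of the process executable
    detail: str          # DLL path for image_load, URL for http_get
    resp_bytes: int = 0  # response size for http_get


# Directories an unprivileged user can normally write to (assumed list).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")
# Assumption: a fetched symmetric key is a tiny response; a payload is not.
KEY_MAX_BYTES = 256


def _in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def _dirname(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0]


def looks_sideloaded(ev: Event) -> bool:
    """An executable loading a DLL from the same user-writable directory it lives in."""
    return (ev.kind == "image_load"
            and ev.detail.lower().endswith(".dll")
            and _in_user_writable(ev.detail)
            and _dirname(ev.detail) == _dirname(ev.image))


def _key_then_payload(gets):
    """First small fetch followed by a larger fetch from a different host, else None."""
    for i, key_get in enumerate(gets):
        if key_get.resp_bytes > KEY_MAX_BYTES:
            continue
        key_host = urlparse(key_get.detail).hostname
        for payload_get in gets[i + 1:]:
            if (payload_get.resp_bytes > KEY_MAX_BYTES
                    and urlparse(payload_get.detail).hostname != key_host):
                return key_get, payload_get
    return None


def correlate(events, window=timedelta(minutes=5)):
    """Return one finding per process that shows side-load, key fetch and payload fetch."""
    by_pid = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid.setdefault(ev.pid, []).append(ev)
    findings = []
    for pid, evs in by_pid.items():
        loads = [e for e in evs if looks_sideloaded(e)]
        if not loads:
            continue
        t0 = loads[0].ts
        gets = [e for e in evs if e.kind == "http_get" and t0 <= e.ts <= t0 + window]
        pair = _key_then_payload(gets)
        if pair:
            findings.append({"pid": pid, "image": loads[0].image, "dll": loads[0].detail,
                             "key_url": pair[0].detail, "payload_url": pair[1].detail})
    return findings


# Constructed sample telemetry; paths, PIDs and hosts are placeholders.
_T = datetime(2026, 2, 4, 9, 0, 0)
_SVC = "C:\\Windows\\System32\\svchost.exe"
_EXE = "C:\\Users\\alice\\Downloads\\report\\viewer.exe"
SAMPLE_EVENTS = [
    # Benign: a service loads a system DLL and updates from a single host.
    Event(_T, "image_load", 812, _SVC, "C:\\Windows\\System32\\wininet.dll"),
    Event(_T + timedelta(seconds=5), "http_get", 812, _SVC, "https://update.example/manifest.json", 120),
    Event(_T + timedelta(seconds=9), "http_get", 812, _SVC, "https://update.example/package.cab", 480000),
    # Suspicious: extracted archive, EXE side-loads the DLL beside it, key then payload.
    Event(_T + timedelta(minutes=1), "image_load", 4100, _EXE, "C:\\Users\\alice\\Downloads\\report\\helper.dll"),
    Event(_T + timedelta(minutes=1, seconds=3), "http_get", 4100, _EXE, "https://paste.example/raw/abc123", 44),
    Event(_T + timedelta(minutes=1, seconds=4), "http_get", 4100, _EXE, "https://cdn.example/data.bin", 262144),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"pid {f['pid']}: {f['image']} side-loaded {f['dll']}; "
              f"key {f['key_url']} -> payload {f['payload_url']}")
```

The rule keys on the sequence rather than on any single indicator: a side-load from a user-writable path on its own is noisy, and a small-then-large download pair on its own is ordinary browsing, but the two within a few minutes of each other in one process is a much narrower signal. Real proxy logs often lack the PID, so in practice the join is done on host and user plus a tight time window, and KEY_MAX_BYTES is tuned to whatever key-hosting responses look like in your own telemetry.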


EXPLOITED CVES

Vulnerabilities exploited

1 CVE correlated with this family across public research and vendor advisories.

CVE-2025-8088: WinRAR Windows Path Traversal via NTFS Alternate Data Streams (exploited in the wild)

Attack chains mounted by the adversary have been found to abuse CVE-2025-8088, a now-patched security flaw impacting RARLAB WinRAR that allows for arbitrary code execution when specially crafted archives are opened by targets. The exploitation of the vulnerability was observed about eight days after its public disclosure in August.

Source: The Hacker News (thehackernews.com)
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers: APT41 and Amaranth-Dragon. The same evidence is cited for both:

"The archive contains several files, including a malicious DLL named Amaranth Loader that's launched by means of DLL side-loading... Once executed, the loader is designed to contact an external server to retrieve an encryption key, which is then used to decrypt an encrypted payload retrieved from a different URL and execute it directly in memory."

Source: The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (1 technique)

T1566.001 Spearphishing Attachment (evidence: 1)

"... suggests the use of spear-phishing emails to distribute the archive files hosted on well-known cloud platforms like Dropbox ..."

Execution (2 techniques)

T1203 Exploitation for Client Execution (evidence: 1)

"Attack chains ... have been found to abuse CVE-2025-8088 ... impacting RARLAB WinRAR that allows for arbitrary code execution when specially crafted archives are opened by targets."

T1204.001 Malicious Link (evidence: 1)

"... early iterations ... made use of ZIP files containing Windows shortcuts (LNK) ..."; "Present within the compressed file is a single LNK file that, when launched, triggers the execution of a PowerShell command ..."

Stealth (2 techniques)

T1027 Obfuscated Files or Information (evidence: 1)

"... retrieve an encryption key ... decrypt an encrypted payload ..."; "An encrypted file that contains the PlugX payload (\"backupper.dat\")"

T1620 Reflective Code Loading (evidence: 1)

"... decrypt an encrypted payload ... and execute it directly in memory."

T1105 Ingress Tool Transfer (evidence: 1)

"... distribute the archive files hosted on well-known cloud platforms like Dropbox ..."; "... distribute a password-protected RAR archive from Dropbox ..."

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news.

CTO at NCSC Substack (news), Feb 7, 2026: CTO at NCSC Summary: week ending February 8th

Custom loader used to deliver encrypted payloads in targeted campaigns; used as a staging component to deploy follow-on implants/C2 frameworks.

Security Affairs (news), Feb 5, 2026: China-linked Amaranth-Dragon hackers target Southeast Asian governments in 2025

Previously unknown loader used by Amaranth-Dragon; delivered via malicious archives and uses DLL side-loading to decrypt and execute payloads (including in-memory execution of Havoc).

The Hacker News (news), Feb 4, 2026: China-Linked Amaranth-Dragon Exploits WinRAR Flaw in Espionage Campaigns

Malicious DLL loader delivered via spear-phishing lures and archive files; executed via DLL side-loading. It retrieves an encryption key from an external server, decrypts an encrypted payload from another URL, and executes it in-memory to deploy follow-on tooling (notably Havoc).

Check Point Research blog (news), Feb 4, 2026: Amaranth-Dragon Weaponizes CVE-2025-8088 for Espionage

Custom 64-bit Windows DLL loader typically executed via DLL side-loading. It retrieves an AES key (often from Pastebin or actor-controlled infrastructure), downloads an AES-CBC encrypted payload, decrypts it and executes it in-memory (commonly Havoc shellcode). Uses XOR-obfuscated strings and a hardcoded IV, and may enforce geo-restricted payload delivery via server-side IP filtering; in some campaigns persistence is handled by dropped scripts or Run keys rather than by the loader itself.