**New Hacking Campaign Exploits Microsoft Windows WinRAR Vulnerability**

**In a matter of days, a hacking campaign has taken advantage of a recently disclosed security vulnerability in the widely used file archive and compression software WinRAR.**

According to researchers at Check Point, the attackers exploited CVE-2025-8088, a path traversal vulnerability in the Microsoft Windows version of WinRAR, which was first disclosed in August 2025.

The attackers leveraged this vulnerability by crafting malicious archive files that, once opened, allowed them to execute arbitrary code and maintain persistence on targeted machines. This enabled the collection of sensitive data and the ability to secretly monitor users.

One way the attackers achieved this was through the deployment of Havoc Framework, an open-source Command and Control (C&C) platform used for authorized penetration testing and red teaming exercises. Because it has a legitimate use case, it may not trigger security alerts.

**Tailored Lures Point to Cyber-Espionage Campaign**

Check Point researchers noted that the attacks focused on government institutions and law enforcement agencies in Southeast Asia, pointing to a cyber-espionage campaign aimed at collecting intelligence for geopolitical purposes.

The attackers appear to have tailored their lures for maximum effect, basing them on local political, economic or military developments in the country or region being targeted. Examples include government salary announcements and joint regional exercises.

The campaigns were designed to be highly controlled, with attack infrastructure configured to interact only with victims in specific target countries, limiting exposure beyond the intended targets and helping the campaign remain undetected.

**Delivering Malicious Files via Phishing Emails**

Researchers concluded that the lures were delivered to the intended victims via phishing emails, directing them to malicious WinRAR archive files hosted on legitimate cloud storage services.

The tools, techniques and procedures used by the group, dubbed Amaranth-Dragon, closely resemble those of APT41, a prolific Chinese state-linked cyber-espionage and hacking group.

**The Campaign's Implications**

"The campaigns by Amaranth-Dragon exploiting the CVE-2025-8088 vulnerability highlight the recent trend of sophisticated threat actors rapidly weaponizing newly disclosed vulnerabilities," Check Point Research said in a blog post.

**Protecting Networks and Users from Malicious Attacks**

To help protect networks and users from malicious attacks, it is recommended that organizations, especially those in government and critical infrastructure sectors, prioritize patching vulnerabilities and monitor for suspicious archive files.
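As an added illustration of what "monitoring for suspicious archive files" can mean for a path traversal bug like the one described above (example code written for this page, not Check Point's tooling or WinRAR's own logic), the script below flags archive entry names that a Windows extractor could write outside the chosen destination folder. It assumes names are judged as Windows paths, and uses a ZIP container built in memory because the Python standard library cannot read RAR archives; the checks themselves are on entry names only.

```python
"""Flag archive entry names that could escape the extraction directory on Windows."""
import io
import ntpath
import zipfile


def unsafe_reasons(name: str) -> list[str]:
    """Return the reasons an entry name is unsafe to extract, or [] if it looks benign."""
    reasons = []
    drive, rest = ntpath.splitdrive(name)      # "C:" or "\\\\server\\share" prefixes
    if drive:
        reasons.append("absolute drive or UNC path")
    norm = rest.replace("\\", "/")             # treat both separators alike
    if norm.startswith("/"):
        reasons.append("rooted path")
    if ".." in norm.split("/"):
        reasons.append("parent-directory traversal")
    if ":" in rest:                            # a colon is invalid in an NTFS file name;
        reasons.append("alternate data stream suffix")  # it denotes an alternate data stream
    return reasons


def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Map every unsafe entry name in a ZIP archive (bytes) to the reasons it was flagged."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return {n: unsafe_reasons(n) for n in names if unsafe_reasons(n)}


def build_sample() -> bytes:
    """Constructed sample archive: one benign entry and two that should be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/salary_announcement.pdf", b"benign")
        zf.writestr("../../outside.txt", b"would land outside the destination folder")
        zf.writestr("notes.txt:hidden", b"stream-style name")
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in scan_archive(build_sample()).items():
        print(f"{name!r}: {', '.join(why)}")
```

The same name checks can be applied to entry listings produced by any archive tool; flagging on names avoids extracting the content at all.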