Spear-phishing via weaponized ZIP/RAR archives
Exploitation of CVE-2025-8088 (WinRAR path traversal/RCE)
DLL Sideloading via legitimate signed executables
Amaranth Loader (custom 64-bit DLL)
In-memory execution of Havoc C2 Framework
TGAmaranth RAT (Telegram-based C2)
Geofencing of C2 infrastructure to target-country IP ranges
Cloudflare-masked infrastructure
Lures timed to local political events and government decrees