Cybersecurity researchers have uncovered a surge in attacks leveraging SparkRAT, a cross-platform Remote Access Trojan (RAT) written in GoLang.
This open-source tool, initially released on GitHub in 2022, has become a favorite among hackers due to its modular design, multi-platform support, and rich feature set.
SparkRAT is now being actively deployed in campaigns targeting Windows, macOS, and Linux systems.
SparkRAT is a versatile malware capable of executing over 20 commands. It can manipulate files and processes, execute system commands, steal sensitive data, capture screenshots, and even perform actions like shutting down or restarting systems.
The malware communicates with its command-and-control (C2) server using the WebSocket protocol, which allows it to blend into legitimate network traffic.
Additionally, SparkRAT can automatically update itself by sending HTTP POST requests to its repository.
The malware’s default C2 configuration listens on port 8000, but this is often reconfigured by attackers.
Researchers at Hunt.io have identified specific HTTP response headers that can help detect SparkRAT servers.
For instance, the C2 server typically responds with “HTTP/1.1 401 Unauthorized” and omits standard header fields like Server and Content-Type, providing a distinctive fingerprint for detection.
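The header-based fingerprint above can be turned into a simple triage check. The following is an added example, not code from the article or from Hunt.io; the function names and the two sample responses are constructed for illustration.

```python
# Added example (not from the article or Hunt.io): a heuristic check for the
# SparkRAT C2 response fingerprint described above, run over constructed
# HTTP responses. Function and sample names are assumptions.
from typing import Dict, Tuple


def parse_http_response(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x response into its status line and a
    header map keyed by lower-cased header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status_line = lines[0].strip()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed header lines
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return status_line, headers


def matches_sparkrat_fingerprint(raw: str) -> bool:
    """True when the response matches the reported SparkRAT C2 fingerprint:
    a 401 Unauthorized status with neither a Server nor a Content-Type
    header. A triage heuristic only; some misconfigured services answer
    the same way, so confirm a hit with further analysis."""
    status_line, headers = parse_http_response(raw)
    if not status_line.startswith("HTTP/1.1 401"):
        return False
    return "server" not in headers and "content-type" not in headers


# Constructed sample responses (not captured traffic).
SUSPECT_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
BENIGN_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "WWW-Authenticate: Basic realm=\"admin\"\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(matches_sparkrat_fingerprint(SUSPECT_RESPONSE))  # True
    print(matches_sparkrat_fingerprint(BENIGN_RESPONSE))   # False
```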
Recent Campaigns and Techniques
One of the most notable campaigns involving SparkRAT is the DragonSpark operation, attributed to Chinese-speaking threat actors. These hackers have been targeting East Asian organizations since late 2022.
The campaign employs sophisticated evasion techniques, including Golang source code interpretation via the Yaegi framework. This method enables the execution of embedded source code at runtime, bypassing static analysis tools.
DragonSpark attackers exploit vulnerabilities in exposed MySQL databases and web servers to deploy SparkRAT alongside other tools like SharpToken and BadPotato for privilege escalation. They also use additional malware such as m6699.exe and ShellCode Loader to further their objectives.
In another recent incident observed in November 2024, hackers used fake meeting pages to deliver SparkRAT payloads to macOS users. The malware was distributed via open directories hosted on compromised servers in South Korea and Singapore.
These directories contained malicious scripts that downloaded and executed SparkRAT binaries with elevated permissions.
Researchers have identified several IP addresses linked to SparkRAT activity:
- 152.32.138[.]108 (South Korea)
- 15.235.130[.]160 (Singapore)
- 51.79.218[.]159 (Singapore)
Files such as client.bin (SHA-256: cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56) have been associated with these campaigns.
To defend against SparkRAT, organizations should monitor for unusual WebSocket traffic patterns and deploy advanced endpoint detection solutions capable of identifying remote access trojan (RAT) behavior.
Regularly patching systems helps close vulnerabilities that could be exploited for initial access, while educating users about phishing tactics reduces the risk of malware delivery.