{ "id": "45dbd092-e680-424d-a797-9da84c63cef3", "created_at": "2026-04-06T00:22:36.57535Z", "updated_at": "2026-04-10T13:11:44.741339Z", "deleted_at": null, "sha1_hash": "52a08d3cbf2a1327f357fa0c77c7082b96e9492c", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50943, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 15:08:35 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool SparkRAT\n Tool: SparkRAT\nNames SparkRAT\nCategory Tools\nType Backdoor\nDescription\n(SentinelLabs) SparkRAT is a RAT developed in Golang and released as open source software\nby the Chinese-speaking developer XZB-1248. SparkRAT is a feature-rich and multi-platform\ntool that supports the Windows, Linux, and macOS operating systems.\nSparkRAT uses the WebSocket protocol to communicate with the C2 server and features an\nupgrade system. This enables the RAT to automatically upgrade itself to the latest version\navailable on the C2 server upon startup by issuing an upgrade request. This is an HTTP POST\nrequest, with the commit query parameter storing the current version of the tool.\nInformation\nMalpedia Last change to this tool card: 22 June 2023\nDownload this tool card in JSON format\nAll groups using tool SparkRAT\nChanged Name Country Observed\nAPT groups\n DragonSpark 2022\n TAG-100 2024\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b566744a-fe14-45fd-83f9-7ccbf4325fac\nPage 1 of 2\n\n2 groups listed (2 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b566744a-fe14-45fd-83f9-7ccbf4325fac\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b566744a-fe14-45fd-83f9-7ccbf4325fac\r\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b566744a-fe14-45fd-83f9-7ccbf4325fac" ], "report_names": [ "listgroups.cgi?u=b566744a-fe14-45fd-83f9-7ccbf4325fac" ], "threat_actors": [ { "id": "64a08f65-4ef8-4ad5-bac1-ce4e0fd2808c", "created_at": "2024-08-28T02:02:09.663698Z", "updated_at": "2026-04-10T02:00:04.927384Z", "deleted_at": null, "main_name": "TAG-100", "aliases": [ "Storm-2077" ], "source_name": "ETDA:TAG-100", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "CrossC2", "LESLIELOADER", "Pantegana", "SparkRAT", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "235831df-8daf-4a88-945e-db4e7ef06ac6", "created_at": "2023-11-17T02:00:07.606121Z", "updated_at": "2026-04-10T02:00:03.458263Z", "deleted_at": null, "main_name": "DragonSpark", "aliases": [], "source_name": "MISPGALAXY:DragonSpark", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "99aa0795-8936-45db-a397-6d01131fcdcd", "created_at": "2023-02-18T02:04:24.085379Z", "updated_at": "2026-04-10T02:00:04.654299Z", "deleted_at": null, "main_name": "DragonSpark", "aliases": [], "source_name": "ETDA:DragonSpark", "tools": [ "BadPotato", "CHINACHOPPER", "China Chopper", "GotoHTTP", "SharpToken", "SinoChopper", "SparkRAT" ], "source_id": "ETDA", "reports": null }, { "id": "db5b833a-965e-4f46-b75d-7e829466a5fa", "created_at": "2024-12-21T02:00:02.843374Z", "updated_at": "2026-04-10T02:00:03.780907Z", "deleted_at": null, "main_name": "Storm-2077", "aliases": [ "TAG-100", "RedNovember" ], "source_name": "MISPGALAXY:Storm-2077", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434956, "ts_updated_at": 1775826704, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/52a08d3cbf2a1327f357fa0c77c7082b96e9492c.pdf", "text": "https://archive.orkl.eu/52a08d3cbf2a1327f357fa0c77c7082b96e9492c.txt", "img": "https://archive.orkl.eu/52a08d3cbf2a1327f357fa0c77c7082b96e9492c.jpg" } }