{
	"id": "04c57705-de03-43e7-af13-8b2e7d072d25",
	"created_at": "2026-04-06T00:10:23.564228Z",
	"updated_at": "2026-04-10T13:11:26.508102Z",
	"deleted_at": null,
	"sha1_hash": "d70139fa6de74a04ccc4cf0f0050ab3091267dd1",
	"title": "SparkRAT (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52138,
	"plain_text": "SparkRAT (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 17:18:20 UTC\r\nSparkRAT\r\nSparkRAT is a cross-platform, open-source Remote Administration Tool (RAT) written in Go and released on\r\nGitHub in 2022. Compatible with Windows, macOS, and Linux systems, it offers extensive remote access\r\ncapabilities, including file and process management, file transfer, remote desktop monitoring, system information\r\ncollection, and command execution via terminal access.\r\nReferences\r\n2025-09-24 ⋅ The Hacker News ⋅\r\nChinese Hackers RedNovember Target Global Governments Using Pantegana and Cobalt Strike\r\nCobalt Strike Leslieloader Pantegana SparkRAT Storm-2077\r\n2025-01-28 ⋅ Hunt.io ⋅ Hunt.io\r\nSparkRAT: Server Detection, macOS Activity, and Malicious Connections\r\nSparkRAT\r\n2024-12-18 ⋅ Kaspersky Labs ⋅ Kaspersky\r\nAnalysis of Cyber Anarchy Squad attacks targeting Russian and Belarusian organizations\r\nBabuk LockBit Revenge RAT SparkRAT Cyber Alliance Ukrainian Cyber Alliance\r\n2024-11-13 ⋅ ClearSky ⋅ ClearSky\r\nCVE-2024-43451: A New Zero-Day Vulnerability Exploited in the wild\r\nSparkRAT UAC-0194\r\n2024-11-13 ⋅ ClearSky ⋅ ClearSky\r\nNew Zero-Day Vulnerability Detected: CVE-2024-43451\r\nSparkRAT\r\n2024-07-16 ⋅ Recorded Future ⋅ Insikt Group\r\nTAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies\r\nSparkRAT Storm-2077\r\n2023-09-05 ⋅ AhnLab ⋅ Sanseo\r\nBlueShell malware used in APT attacks targeting Korea and Thailand\r\nBlueShell SparkRAT\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.spark_rat\r\nPage 1 of 2\n\n2023-05-18 ⋅ AhnLab ⋅ ASEC\r\nSparkRAT Being Distributed Within a Korean VPN Installer\r\nSparkRAT\r\n2023-03-28 ⋅ ExaTrack ⋅ ExaTrack\r\nMélofée: a new alien malware in the Panda's toolset targeting Linux hosts\r\nHelloBot Melofee Winnti Cobalt Strike SparkRAT STOWAWAY\r\n2023-01-24 ⋅ SentinelOne ⋅ Aleksandar Milenkoski\r\nDragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation\r\nSparkRAT DragonSpark\r\n2022-12-21 ⋅ Microsoft ⋅ Microsoft Security Threat Intelligence\r\nMicrosoft research uncovers new Zerobot capabilities\r\nZeroBot SparkRAT\r\n2022-03-16 ⋅ Github (XZB-1248) ⋅ XZB-1248\r\nGithub Repository for Spark RAT\r\nSparkRAT\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/win.spark_rat\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/win.spark_rat\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/win.spark_rat"
	],
	"report_names": [
		"win.spark_rat"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "64a08f65-4ef8-4ad5-bac1-ce4e0fd2808c",
			"created_at": "2024-08-28T02:02:09.663698Z",
			"updated_at": "2026-04-10T02:00:04.927384Z",
			"deleted_at": null,
			"main_name": "TAG-100",
			"aliases": [
				"Storm-2077"
			],
			"source_name": "ETDA:TAG-100",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"CrossC2",
				"LESLIELOADER",
				"Pantegana",
				"SparkRAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4a73cb62-be05-49d2-9dbb-1298606ec0a3",
			"created_at": "2025-03-07T02:00:03.799095Z",
			"updated_at": "2026-04-10T02:00:03.827106Z",
			"deleted_at": null,
			"main_name": "Ukrainian Cyber Alliance",
			"aliases": [
				"UCA"
			],
			"source_name": "MISPGALAXY:Ukrainian Cyber Alliance",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4d5f939b-aea9-4a0e-8bff-003079a261ea",
			"created_at": "2023-01-06T13:46:39.04841Z",
			"updated_at": "2026-04-10T02:00:03.196806Z",
			"deleted_at": null,
			"main_name": "APT41",
			"aliases": [
				"WICKED PANDA",
				"BRONZE EXPORT",
				"Brass Typhoon",
				"TG-2633",
				"Leopard Typhoon",
				"G0096",
				"Grayfly",
				"BARIUM",
				"BRONZE ATLAS",
				"Red Kelpie",
				"G0044",
				"Earth Baku",
				"TA415",
				"WICKED SPIDER",
				"HOODOO",
				"Winnti",
				"Double Dragon"
			],
			"source_name": "MISPGALAXY:APT41",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "98cd3bc4-fd41-4087-be03-f6f8f3be7b67",
			"created_at": "2025-05-29T02:00:03.220566Z",
			"updated_at": "2026-04-10T02:00:03.871851Z",
			"deleted_at": null,
			"main_name": "Cyber Alliance",
			"aliases": [],
			"source_name": "MISPGALAXY:Cyber Alliance",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dbcd2cc1-1adb-43cf-b175-a3ef4ee0d15e",
			"created_at": "2024-11-16T02:00:03.808384Z",
			"updated_at": "2026-04-10T02:00:03.767693Z",
			"deleted_at": null,
			"main_name": "UAC-0194",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0194",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "235831df-8daf-4a88-945e-db4e7ef06ac6",
			"created_at": "2023-11-17T02:00:07.606121Z",
			"updated_at": "2026-04-10T02:00:03.458263Z",
			"deleted_at": null,
			"main_name": "DragonSpark",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonSpark",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2a24d664-6a72-4b4c-9f54-1553b64c453c",
			"created_at": "2025-08-07T02:03:24.553048Z",
			"updated_at": "2026-04-10T02:00:03.787296Z",
			"deleted_at": null,
			"main_name": "BRONZE ATLAS",
			"aliases": [
				"APT41",
				"BARIUM",
				"Blackfly",
				"Brass Typhoon",
				"CTG-2633",
				"Earth Baku",
				"GREF",
				"Group 72",
				"Red Kelpie",
				"TA415",
				"TG-2633",
				"Wicked Panda",
				"Winnti"
			],
			"source_name": "Secureworks:BRONZE ATLAS",
			"tools": [
				"Acehash",
				"CCleaner v5.33 backdoor",
				"ChinaChopper",
				"Cobalt Strike",
				"DUSTPAN",
				"Dicey MSDN",
				"Dodgebox",
				"ForkPlayground",
				"HUC Proxy Malware (Htran)"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c26ba56b-628e-4610-b167-1610efb08459",
			"created_at": "2024-02-22T02:00:03.77679Z",
			"updated_at": "2026-04-10T02:00:03.594516Z",
			"deleted_at": null,
			"main_name": "Cyber.Anarchy.Squad",
			"aliases": [
				"Cyber Anarchy Squad"
			],
			"source_name": "MISPGALAXY:Cyber.Anarchy.Squad",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99aa0795-8936-45db-a397-6d01131fcdcd",
			"created_at": "2023-02-18T02:04:24.085379Z",
			"updated_at": "2026-04-10T02:00:04.654299Z",
			"deleted_at": null,
			"main_name": "DragonSpark",
			"aliases": [],
			"source_name": "ETDA:DragonSpark",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"GotoHTTP",
				"SharpToken",
				"SinoChopper",
				"SparkRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "db5b833a-965e-4f46-b75d-7e829466a5fa",
			"created_at": "2024-12-21T02:00:02.843374Z",
			"updated_at": "2026-04-10T02:00:03.780907Z",
			"deleted_at": null,
			"main_name": "Storm-2077",
			"aliases": [
				"TAG-100",
				"RedNovember"
			],
			"source_name": "MISPGALAXY:Storm-2077",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434223,
	"ts_updated_at": 1775826686,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d70139fa6de74a04ccc4cf0f0050ab3091267dd1.pdf",
		"text": "https://archive.orkl.eu/d70139fa6de74a04ccc4cf0f0050ab3091267dd1.txt",
		"img": "https://archive.orkl.eu/d70139fa6de74a04ccc4cf0f0050ab3091267dd1.jpg"
	}
}