{
	"id": "f9d8a742-91c8-4ab6-9fe0-9cf23d6489e2",
	"created_at": "2026-04-06T00:15:47.978654Z",
	"updated_at": "2026-04-10T13:12:36.179421Z",
	"deleted_at": null,
	"sha1_hash": "e42648419ee1a50a5f5da659c116980e7d847202",
	"title": "SparkRAT Being Distributed Within a Korean VPN Installer - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4142225,
	"plain_text": "SparkRAT Being Distributed Within a Korean VPN Installer - ASEC\r\nBy ATCP\r\nPublished: 2023-05-02 · Archived: 2026-04-05 13:46:51 UTC\r\nAhnLab Security Emergency response Center (ASEC) has recently discovered SparkRAT being distributed within the installer of a certain VPN program. SparkRAT is a Remote Administration Tool (RAT) developed in Go. When installed on a user’s system, it can perform a variety of malicious behaviors, such as executing commands remotely, controlling files and processes, downloading additional payloads, and collecting information from the infected system, for example by taking screenshots.\r\n1. Case of Distribution\r\nThe VPN provider whose installer contained SparkRAT appears to have been in operation for some time, as seen in the signed certificates of the files and the notices on its official website. Therefore, the current website was clearly not created specifically for distributing malware; the distribution of an installer with malware inside it was only discovered recently.\r\nFigure 1. Official website of the VPN containing SparkRAT\r\nThe installer is only available in Korean, but the official website of the VPN supports English, Chinese, and Japanese. From their notice, it can be assumed that many people in China install the program to ensure smooth Internet access. In fact, even in our own AhnLab Smart Defense (ASD) logs, we have observed a higher number of installations from users in China than from users in Korea.\r\nhttps://asec.ahnlab.com/en/52899/\r\nPage 1 of 9\r\nFigure 2. Process tree\r\nThe file downloaded from the official website is not the previously confirmed installer but a dropper created with .NET. The dropper stores the original VPN installer and the malware in its resources. When executed, it writes the malware to the path %LOCALAPPDATA%\\Syservices\\svchost.exe and then launches it.\r\nFigure 3. Malware and installer saved in resources\r\nIn addition, because the original VPN installer is dropped and launched along with the malware, it is difficult for users to recognize that malware has been installed; they are led to believe that the VPN installer ran without issue. Furthermore, the malware is registered in the Task Scheduler to ensure it is executed even after a system reboot.\r\nFigure 4. Generated files and the executed VPN installer\r\nThe malware created under the name “svchost.exe” is also a dropper. It resembles the aforementioned dropper in that it contains SparkRAT within its resources. Its function is to create the malware as “svch.exe” in the same directory and execute it.\r\nFigure 5. Similarly structured dropper that creates SparkRAT\r\n2. SparkRAT\r\nSparkRAT is an open-source RAT that is publicly available on GitHub. Notable for being developed in Go, SparkRAT provides the basic features commonly found in RAT malware, such as executing commands, stealing information, and controlling processes and files.\r\nFigure 6. SparkRAT source code publicly available on GitHub\r\nBecause it supports various platforms, Go is commonly used to develop malware that targets not only Windows but also Linux and macOS. Similarly, SparkRAT supports all three operating systems and provides features categorized by platform, as shown in the following table.\r\nFigure 7. Features offered for each platform\r\nAs shown on the GitHub page above, another notable feature of SparkRAT is its support for the Chinese language. The developer is also known to be able to use Chinese. [1] In the past, SentinelOne covered the DragonSpark attack campaign that used SparkRAT and assumed that the threat actors were fluent in Chinese. While it is not possible to identify the specific threat actor, it is worth noting that the VPN used in the current attack is also a program commonly used in China.\r\nThe SparkRAT used in the attacks was not obfuscated, making it easy to identify from the function names it uses. SparkRAT decrypts its configuration data and retrieves information such as the C\u0026C address and port number in the initialization function, main.init().\r\nFigure 8. SparkRAT that has not been obfuscated\r\nFigure 9. Decrypted configuration data of SparkRAT\r\nAdditionally, while checking related files through the company’s ASD logs, ASEC discovered additional malware through the installer malware believed to be this VPN. These malware samples are suspected to have been distributed around the same time and are notable for their use of SparkRAT built for the x86 architecture.\r\nFigure 10. Configuration data of x86 SparkRAT\r\nIn addition, while the x64 version of SparkRAT used the HTTPS protocol, the x86 version used HTTP, which allows the following unencrypted packets to be observed.\r\nFigure 11. Packet communication of x86 SparkRAT\r\n3. Conclusion\r\nASEC has recently confirmed cases where SparkRAT was distributed within VPN installers. It is suspected that the threat actor hacked a legitimate VPN service to distribute their malware. When users download and install the malicious installer from the official website, the installer installs not only SparkRAT but also the original VPN installer, making it difficult for users to notice that they have been infected with malware. Users should exercise caution by updating V3 to the latest version to block malware infections in advance.\r\nFile Detection\r\n– Dropper/Win.Agent.C5421402 (2023.05.03.00)\r\n– Trojan/Win.Malware-gen.R557808 (2023.02.11.01)\r\n– Dropper/Win.Agent.C5421380 (2023.05.03.00)\r\n– Trojan/Win.Generic.C5228761 (2022.08.28.00)\r\n– Dropper/Win.SparkRAT.C5421465 (2023.05.03.01)\r\n– Backdoor/Win.SparkRAT.C5421466 (2023.05.03.01)\r\nMD5\r\n2e3ce7d90d988e1b0bb7ffce1731b04b\r\n54dd763bca743cbdbdfe709d9ab1d0db\r\n5b78c44262ebcb4ce52e75c331683b5b\r\n7923f9e0e28ceecdb34e924f2c04cda0\r\na5950704dfa60ba5362ec4a8845c25b2\r\nURL\r\nhttp[:]//59[.]22[.]167[.]217[:]34646/\r\nhttps[:]//gwekekccef[.]webull[.]day/\r\nAdditional IOCs are available on AhnLab TIP.\r\nGain access to related IOCs and detailed analysis by subscribing to AhnLab TIP. For subscription details, click the banner below.\r\nSource: https://asec.ahnlab.com/en/52899/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://asec.ahnlab.com/en/52899/"
	],
	"report_names": [
		"52899"
	],
	"threat_actors": [
		{
			"id": "235831df-8daf-4a88-945e-db4e7ef06ac6",
			"created_at": "2023-11-17T02:00:07.606121Z",
			"updated_at": "2026-04-10T02:00:03.458263Z",
			"deleted_at": null,
			"main_name": "DragonSpark",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonSpark",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99aa0795-8936-45db-a397-6d01131fcdcd",
			"created_at": "2023-02-18T02:04:24.085379Z",
			"updated_at": "2026-04-10T02:00:04.654299Z",
			"deleted_at": null,
			"main_name": "DragonSpark",
			"aliases": [],
			"source_name": "ETDA:DragonSpark",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"GotoHTTP",
				"SharpToken",
				"SinoChopper",
				"SparkRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434547,
	"ts_updated_at": 1775826756,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e42648419ee1a50a5f5da659c116980e7d847202.pdf",
		"text": "https://archive.orkl.eu/e42648419ee1a50a5f5da659c116980e7d847202.txt",
		"img": "https://archive.orkl.eu/e42648419ee1a50a5f5da659c116980e7d847202.jpg"
	}
}