{
	"id": "3aa62c1a-396d-4ca1-be62-6b130ad7aa10",
	"created_at": "2026-04-06T00:09:23.197862Z",
	"updated_at": "2026-04-10T03:34:17.34863Z",
	"deleted_at": null,
	"sha1_hash": "ff1eaa8b5207bde7a085f49aef5f6b44722c8012",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48424,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 22:24:21 UTC\n APT group: DragonSpark\nNames DragonSpark (SentinelLabs)\nCountry China\nMotivation Information theft and espionage\nFirst seen 2022\nDescription\n(SentinelLabs) SentinelLabs has been monitoring recent attacks against East Asian\norganizations we track as ‘DragonSpark’. The attacks are characterized by the use of the little-known\nopen source SparkRAT and malware that attempts to evade detection through Golang\nsource code interpretation.\nThe DragonSpark attacks represent the first concrete malicious activity where we observe the\nconsistent use of the open source SparkRAT, a relatively new occurrence on the threat\nlandscape. SparkRAT is multi-platform, feature-rich, and frequently updated with new\nfeatures, making the RAT attractive to threat actors.\nThe Microsoft Security Threat Intelligence team reported in late December 2022 on\nindications of threat actors using SparkRAT. However, we have not observed concrete\nevidence linking DragonSpark to the activity documented in the report by Microsoft.\nWe observed that the threat actor behind the DragonSpark attacks uses Golang malware that\ninterprets embedded Golang source code at runtime as a technique for hindering static analysis\nand evading detection by static analysis mechanisms. This uncommon technique provides\nthreat actors with yet another means to evade detection mechanisms by obfuscating malware\nimplementations.\nObserved\nTools used BadPotato, China Chopper, GotoHTTP, SharpToken, SparkRAT.\nInformation\nLast change to this card: 15 February 2023\nDownload this actor card in PDF or JSON format\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=dae132d6-19c7-422d-9c36-0c71ff4aecf3\nPage 1 of 2\n\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=dae132d6-19c7-422d-9c36-0c71ff4aecf3\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=dae132d6-19c7-422d-9c36-0c71ff4aecf3\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=dae132d6-19c7-422d-9c36-0c71ff4aecf3"
	],
	"report_names": [
		"showcard.cgi?u=dae132d6-19c7-422d-9c36-0c71ff4aecf3"
	],
	"threat_actors": [
		{
			"id": "235831df-8daf-4a88-945e-db4e7ef06ac6",
			"created_at": "2023-11-17T02:00:07.606121Z",
			"updated_at": "2026-04-10T02:00:03.458263Z",
			"deleted_at": null,
			"main_name": "DragonSpark",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonSpark",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99aa0795-8936-45db-a397-6d01131fcdcd",
			"created_at": "2023-02-18T02:04:24.085379Z",
			"updated_at": "2026-04-10T02:00:04.654299Z",
			"deleted_at": null,
			"main_name": "DragonSpark",
			"aliases": [],
			"source_name": "ETDA:DragonSpark",
			"tools": [
				"BadPotato",
				"CHINACHOPPER",
				"China Chopper",
				"GotoHTTP",
				"SharpToken",
				"SinoChopper",
				"SparkRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434163,
	"ts_updated_at": 1775792057,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff1eaa8b5207bde7a085f49aef5f6b44722c8012.pdf",
		"text": "https://archive.orkl.eu/ff1eaa8b5207bde7a085f49aef5f6b44722c8012.txt",
		"img": "https://archive.orkl.eu/ff1eaa8b5207bde7a085f49aef5f6b44722c8012.jpg"
	}
}