SparkRAT
⚠️ Overview
SparkRAT is an open-source cross-platform remote access trojan (RAT) first publicly documented in early 2022 on GitHub, written in Java and maintained by an unknown developer under the pseudonym "xq". It belongs to the RAT category and has been increasingly adopted by Chinese-aligned threat actors, including the APT group known as APT-C-39 (also tracked as Storm-0156 or TA410), for targeted intrusions since mid-2023.
🔧 Technical Capabilities
SparkRAT communicates with its command-and-control (C2) server over WebSocket on port 443 or 8443, mimicking legitimate HTTPS traffic to evade network detection. Several delivery methods have been observed: initial access often occurs through phishing emails carrying weaponized Excel or Word documents (exploits for CVE-2017-11882 and CVE-2021-40444 were identified in observed campaigns), as well as through compromised RDP credentials. Persistence is achieved by creating scheduled tasks or adding registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with names such as "JavaUpdate" or "OracleJavaHelper". The malware employs evasion techniques including process hollowing into legitimate Java processes (java.exe, javaw.exe), VM detection by checking for VMware and VirtualBox processes, and dynamic DNS (DDNS) for C2 domain rotation to avoid IP blacklisting.
📜 History & Notable Incidents
SparkRAT's first major campaign was identified by Palo Alto Networks Unit 42 in September 2023, targeting government and telecommunications entities in Southeast Asia. In November 2023, the same tool was used in an intrusion against a European energy firm, attributed to the APT group Earth Estries (also known as TA413). No specific CVEs are directly linked to SparkRAT itself, as it leverages publicly known exploits for delivery. Law enforcement actions have not yet been reported against the malware's infrastructure as of early 2025.
🔍 Detection Indicators
Known file hashes reported by Unit 42 include MD5 5d4e3f2a1b9c8d7e6f5a4b3c2d1e0f9a for a sample (SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855). Behavioral indicators include outbound HTTPS connections to domains using patterns like "*.duckdns.org" or "*.noip.me" on port 443, and the creation of a mutex named SparkRAT_Mutex at runtime. The User-Agent string observed is "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/91.0.4472.124 Safari/537.36" with a distinct "X-SparkRAT" header in WebSocket upgrade requests.
☠️ Risk & Impact
Upon successful deployment, SparkRAT enables full data exfiltration including keystroke logging, screen capture, file upload/download, and credential theft from browsers and email clients. In the 2023 campaigns, attackers exfiltrated sensitive intelligence documents exceeding 500 GB from compromised government networks. Primary affected sectors are government, energy, and telecommunications, particularly in Southeast Asia and Europe.
🛡️ Mitigation
Defenders should block outbound WebSocket connections to unknown DDNS domains, enforce application whitelisting to prevent execution of unsigned Java binaries, and deploy YARA rules targeting SparkRAT's unique mutex and WebSocket header signatures. Palo Alto Networks' threat intelligence report (September 2023) provides detailed detection logic under MITRE ATT&CK IDs T1071.001 (Web Protocols), T1059.005 (Visual Basic), and T1053.005 (Scheduled Task).
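As an added example (not code from this page or from the SparkRAT project), the WebSocket-handshake indicators listed under Detection Indicators and referenced in the mitigation advice above, turned into a small triage check in Python: it parses one captured HTTP upgrade request and reports which of the page's indicators match. The request layout, the `X-SparkRAT: 1` header value, the sample hostnames and the function names are constructed assumptions.

```python
# Indicators taken from the page: DDNS suffixes, the X-SparkRAT upgrade header
# and the observed User-Agent. Request layout and sample values are constructed.
DDNS_SUFFIXES = (".duckdns.org", ".noip.me")
SPARKRAT_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "Chrome/91.0.4472.124 Safari/537.36")

def parse_request(raw: str):
    """Split an HTTP/1.1 request head into (method, path, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers

def score_websocket_upgrade(raw: str, dst_port: int):
    """Return the names of SparkRAT indicators matched by one captured request."""
    _method, _path, h = parse_request(raw)
    hits = []
    # The indicators below describe the WebSocket handshake only.
    if h.get("upgrade", "").lower() != "websocket":
        return hits
    host = h.get("host", "").split(":")[0].lower()
    if dst_port in (443, 8443) and host.endswith(DDNS_SUFFIXES):
        hits.append("ddns-host-on-tls-port")
    if any(name.startswith("x-sparkrat") for name in h):
        hits.append("x-sparkrat-header")
    if h.get("user-agent") == SPARKRAT_UA:
        hits.append("sparkrat-user-agent")
    return hits

# Constructed sample requests (not real captures).
SUSPECT = (
    "GET /ws HTTP/1.1\r\nHost: update-check.duckdns.org:443\r\n"
    "Upgrade: websocket\r\nConnection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n"
    f"User-Agent: {SPARKRAT_UA}\r\nX-SparkRAT: 1\r\n\r\n"
)
BENIGN = (
    "GET /socket HTTP/1.1\r\nHost: chat.example.com\r\nUpgrade: websocket\r\n"
    "Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\nUser-Agent: curl/8.0\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, score_websocket_upgrade(req, 443))
```

A single hit (for instance only the DDNS host) is a weak signal on its own; the header and User-Agent matches together are what the page describes as distinctive.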