Sparksrv

Malware

⚠️ Overview

Sparksrv is a backdoor trojan first documented in June 2023 by researchers at Trend Micro, associated with the Chinese-aligned threat group Earth Freybug (tracked as TA428 by some vendors). It is primarily used in targeted cyberespionage campaigns against government, defense, and telecommunications sectors in Southeast Asia and South Asia. The malware functions as a remote access trojan (RAT) that enables persistent access, file exfiltration, and command execution on compromised systems.

🔧 Technical Capabilities

Sparksrv propagates via spear-phishing emails containing malicious Microsoft Office documents that exploit CVE-2021-40444 (MSHTML remote code execution) to drop the payload. It establishes command-and-control (C2) communication over HTTP/HTTPS using encrypted JSON blobs, with the C2 infrastructure hosted on compromised Chinese cloud services. Persistence is achieved through a scheduled task named “SparksrvTask” that launches the main DLL payload from %APPDATA%Sparksrvsparksrv.dll. Evasion techniques include API unhooking of ntdll.dll using a copy from the known-dlls list, and the use of process hollowing to inject into legitimate processes like svchost.exe. The malware also employs a custom RC4 encryption variant for in-memory string obfuscation and uses a hardcoded User-Agent string of “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36”. Its modular design allows loading additional plugins (e.g., keylogger, screen capture) from the C2 server.

📜 History & Notable Incidents

First detected in June 2023, Sparksrv was linked to a series of targeted attacks against government ministries in Myanmar and Pakistan between July and October 2023, as reported by Trend Micro’s Zero Day Initiative (ZDI). A significant campaign in August 2023 compromised the network of a South Asian telecommunications provider, leading to the exfiltration of subscriber metadata. No CVEs are directly associated with Sparksrv beyond the exploit used for initial infection (CVE-2021-40444). Law enforcement actions have not been publicly reported.

🔍 Detection Indicators

Known file hashes include SHA-256: 7a8f3c2b1e4d5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 (associated with sparksrv.dll variant 1). Behavioral signatures include scheduled task creation named “SparksrvTask”, registry modification at HKCUSoftwareMicrosoftWindowsCurrentVersionRun with value “Sparksrv”, and outbound HTTP POST requests to URLs containing “/api/gateway”. Network IOCs include C2 domains such as “update.sparksrus[.]com” and “cdn.earthfreubug[.]net”. Mutex name “SparksrvMutex” is used to prevent multiple instances.

☠️ Risk & Impact

Sparksrv causes significant data exfiltration, targeting sensitive government documents, defense plans, and telecommunications subscriber records. The group behind it, Earth Freybug, has been linked to the theft of over 1 TB of data from a single defense contractor in 2023, as noted by Trend Micro. Affected sectors include government, military, and critical communications infrastructure in South and Southeast Asia, with potential impacts on national security and diplomatic confidentiality.

🛡️ Mitigation

Mitigation includes applying Microsoft’s patch for CVE-2021-40444 (MSHTML vulnerability), implementing email filtering to block spear-phishing attachments containing malicious OLE objects, and deploying endpoint detection rules from MITRE ATT&CK ID T1055.012 (Process Hollowing) and T1053.005 (Scheduled Task). Trend Micro’s Apex One and Deep Discovery products provide signatures for Sparksrv under detection name “Backdoor.Win64.SPARKSERV.A”.

Free Threat Visibility

Get Visibility Into Automated Threats Reaching Your Server

Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.

🔍 Scan My Site Free

Powered by JA4 fingerprinting, honeypot traps & behavioral analysis

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.