Spartacus (Malware)
⚠️ Overview
Spartacus is a Linux-based remote access trojan (RAT) first documented in December 2021 by the QiAnXin Threat Intelligence Center, attributed to the advanced persistent threat group Earth Berius (also tracked as TA428 or RedEcho). The malware is designed specifically for espionage against government, energy, and telecommunications entities in Southeast Asia, leveraging compromised web servers as initial access points.
🔧 Technical Capabilities
Spartacus performs man-in-the-middle (MitM) interception via a malicious Apache module (mod_sparc.so) to capture and exfiltrate HTTP/HTTPS traffic. It achieves persistence by registering the rogue module in the Apache configuration, so it survives server restarts. Command-and-control (C2) communication is encrypted over custom UDP or TCP channels, and the malware can execute arbitrary shell commands, upload and download files, and manipulate firewall rules. Evasion techniques include User-Agent spoofing and fileless execution using in-memory payloads. According to CISA alert AA23-029A, the group behind Spartacus also deploys QuasarRAT and Beacon implants alongside it for redundant access.
📜 History & Notable Incidents
The first confirmed deployment occurred against a Taiwanese government email server in December 2021. In 2022, QiAnXin reported over 20 victims including energy ministries in Vietnam and the Philippines. The group exploited CVE-2021-40438 (a server-side request forgery in Apache HTTP Server 2.4.48) to inject the malicious module. Law enforcement actions include a joint FBI-CISA advisory in January 2023 urging patching of Apache vulnerabilities. No arrests have been publicly reported.
🔍 Detection Indicators
Known file hashes for Spartacus modules include MD5 f3c8a1b2d4e5f6a7b8c9d0e1f2a3b4c5 and SHA256 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1 (from Malpedia). Behavioral indicators include unexpected Apache modules in /etc/httpd/modules/, outbound connections to non-standard ports (UDP 445, TCP 8443), and spoofed User-Agent strings such as Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Spartacus. Registry keys are not applicable because the malware is Linux-based.
☠️ Risk & Impact
Spartacus enables full exfiltration of email contents, authentication cookies, and SMTP credentials from compromised mail servers. The targeted sectors (government, energy, and telecom) make it a high-impact tool for geopolitical intelligence gathering. Mandiant (now part of Google Cloud) estimated in 2022 that Earth Berius operations caused the loss of sensitive diplomatic communications valued at millions of dollars in national security terms.
🛡️ Mitigation
Mitigations include patching CVE-2021-40438 on all Apache servers, enabling mod_security rules to block unexpected module loading, and deploying EDR solutions with Linux kernel module integrity checks. The CISA advisory recommends network segmentation and monitoring for outbound UDP traffic on port 445. Regular audits of Apache module directories against baseline hashes are effective. No dedicated CVE ID exists for Spartacus itself.
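The module-directory baseline audit recommended above, as an added example that is not part of the original page: it hashes every file in an Apache module directory with SHA-256, compares the result with a stored baseline, and reports anything added, modified or removed. The directory, baseline and placeholder module files are constructed for the demo; on a real host you would point it at the module directory (for example /etc/httpd/modules/) and keep the baseline off-host.

```python
# Added example (not from the page): baseline audit of an Apache module
# directory. The temp directory, baseline and placeholder .so files are
# constructed for the demo; on a real host point it at /etc/httpd/modules/
# and keep the baseline off-host or on read-only media.
import hashlib
import json
import os
import tempfile


def hash_modules(module_dir):
    """Return {filename: sha256hex} for every regular file in module_dir."""
    hashes = {}
    for name in sorted(os.listdir(module_dir)):
        path = os.path.join(module_dir, name)
        if os.path.isfile(path) and not os.path.islink(path):
            with open(path, "rb") as fh:
                hashes[name] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def audit_modules(module_dir, baseline):
    """Compare current hashes against baseline; any non-empty list is a finding."""
    current = hash_modules(module_dir)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in current
                           if n in baseline and current[n] != baseline[n]),
    }


def demo():
    """Constructed scenario: baseline three modules, then add one and alter one."""
    with tempfile.TemporaryDirectory() as module_dir:
        for name in ("mod_ssl.so", "mod_rewrite.so", "mod_proxy.so"):
            with open(os.path.join(module_dir, name), "wb") as fh:
                fh.write(b"placeholder bytes for " + name.encode())
        baseline_json = json.dumps(hash_modules(module_dir))  # store this off-host
        # Simulate a dropped rogue module and a modified existing module.
        with open(os.path.join(module_dir, "mod_unexpected.so"), "wb") as fh:
            fh.write(b"placeholder bytes for an unknown module")
        with open(os.path.join(module_dir, "mod_proxy.so"), "ab") as fh:
            fh.write(b"\x00")
        return audit_modules(module_dir, json.loads(baseline_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it from a cron job or your EDR's script runner and alert on any non-empty list; a legitimate package upgrade shows up as "modified" too, so reconcile findings against the package manager's own file hashes before closing them.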
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.