🇨🇳 🇹🇼 🇭🇰 🇸🇬 CN8 malware familiesExploits CVEs in the wild

DragonSpark

Also known asDragonSpark

DragonSpark is a cluster of opportunistic intrusions targeting organizations in East Asia. SentinelLABS assessed it is highly likely that a Chinese-speaking threat actor is behind the activity, but the reporting did not attribute it to a specific named group. The activity may support either espionage or cybercrime objectives. The campaign is characterized by consistent use of the open-source SparkRAT remote access trojan. Reporting describes DragonSpark as the first concrete malicious activity in which SentinelLABS observed sustained SparkRAT use. The actor also used Golang malware that interprets embedded Golang source code at runtime via Yaegi to hinder static analysis and evade detection, including the custom malware m6699.exe. Additional custom malware included ShellCode_Loader, a PyInstaller-packaged Python loader that decrypts and executes shellcode. Execution of both m6699.exe and ShellCode_Loader enabled Meterpreter sessions for remote command execution. Observed initial access involved compromises of Internet-exposed web servers and MySQL servers. On compromised web servers, China Chopper webshell activity was observed. After access, the actor conducted lateral movement, privilege escalation, and deployment of additional malware and tools from attacker-controlled infrastructure. DragonSpark relied heavily on open-source tools associated with Chinese-speaking developers or vendors, including SharpToken and BadPotato for privilege escalation and GotoHTTP for remote access, persistence, file transfer, and screen viewing. Kroll also reported ongoing campaigns using SPARKRAT with a previously undocumented Golang loader dubbed LESLIELOADER, which decodes and decrypts an embedded secondary payload and injects it into a suspended notepad.exe process. Kroll linked frequent SPARKRAT use to the DragonSpark campaign, but also noted LESLIELOADER is not exclusive to SPARKRAT. Infrastructure observed in the campaign included staging systems in Taiwan, Hong Kong, China, and Singapore, with command-and-control servers identified in Hong Kong and the United States. Known alias in the provided content: dragonspark.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

24 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics27 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

2 techniques

T1189

Drive-by Compromise

T1190

Exploit Public-Facing Application

TA0002

Execution

3 techniques

T1059

Command and Scripting Interpreter

T1059.001

PowerShell

T1059.006

Python

T1106

Native API

T1129

Shared Modules

TA0003

Persistence

1 technique

T1505

Server Software Component

T1505.003

Web Shell

TA0004

Privilege Escalation

2 techniques

T1055

Process Injection

T1548

Abuse Elevation Control Mechanism

TA0005

Stealth

5 techniques

T1027

Obfuscated Files or Information

T1055

Process Injection

T1070

Indicator Removal

T1070.004

File Deletion

T1140

Deobfuscate/Decode Files or Information

T1620

Reflective Code Loading

TA0007

Discovery

3 techniques

T1057

Process Discovery

T1082

System Information Discovery

T1083

File and Directory Discovery

TA0009

Collection

1 technique

T1113

Screen Capture

TA0011

Command and Control

4 techniques

T1071

Application Layer Protocol

T1071.001

Web Protocols

T1095

Non-Application Layer Protocol

T1105

Ingress Tool Transfer

T1219

Remote Access Tools

TA0040

Impact

1 technique

T1489

Service Stop

ARSENAL

Associated malware families

8 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

SparkRATThe attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation.2Mar 18, 2026

BadPotatoBadPotato: a tool similar to SharpToken that elevates user privileges to SYSTEM for command execution.1Mar 18, 2026

China ChopperAt compromised web servers, we observed use of the China Chopper webshell, recognizable by the &echo [S]&cd&echo [E] sequence in virtual terminal requests.1Mar 18, 2026

GotoHTTPGotoHTTP: a cross-platform remote access tool that implements a wide array of features, such as establishing persistence, file transfer, and screen view.1Mar 18, 2026

m6699.exeThe Golang malware m6699.exe uses the Yaegi framework to interpret at runtime encoded Golang source code stored within the compiled binary, executing the code as if compiled.1Mar 18, 2026

3 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2026-1731Pre-auth OS Command Injection RCE in BeyondTrust Remote Support and Privileged Remote AccessIn the wildEvidence1

A critical vulnerability in BeyondTrust’s remote support software is being actively exploited... The flaw, tracked as CVE-2026-1731... lets attackers run system commands with no login required... an OS command injection vulnerability (CWE-78) in the thin-scc-wrapper component, which is exposed directly to the network via WebSocket.

IOCS

Observables

19 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

19 IOCsView more in app

uri

6 total

•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

hash.sha1

5 total

••••••••••••••••••••••••••••••••••••••••••••••••••

ip.v4

5 total

••••••••••••••••••••••••••••••••••••••••••••••••••

Domains

3 total

••••••.com•••••••.ru••••••••.com

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

sentinelone labsNews

Apr 11, 2025

DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation | SentinelOne

Opportunistic intrusions against organizations in East Asia involving SparkRAT, China Chopper, Golang malware using runtime Golang source code interpretation for evasion, lateral movement, privilege escalation, and deployment of additional tools and malware.

kroll blogNews

Mar 13, 2024

LeslieLoader Malware Sparkrat Cyber Risk Kroll

Campaign associated with use of SPARKRAT (and related tooling) in attacks against organizations in East Asia; observed using a previously undocumented Golang loader (“LESLIELOADER”) to decrypt, decode, and inject payloads (including SPARKRAT) into notepad.exe for execution and evasion.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping24

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal8

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables19

Domains, IPs, and hashes tied to this actor, refreshed continuously.