SparkRAT
SparkRAT is an open-source, Go-based remote access trojan/backdoor first seen in 2023 and developed by the Chinese-speaking developer XZB-1248. It is cross-platform, with variants or support for Windows, Linux, and macOS, and communicates with command-and-control infrastructure over WebSocket. Reported capabilities include direct command execution and command-line interaction, file upload and download, system fingerprinting, file and process manipulation, system manipulation, and information theft; some reporting also describes it as an infostealer. The malware includes an automatic upgrade mechanism that sends an HTTP POST request carrying a "commit" query parameter whose value identifies the current build. Multiple reports note per-target SparkRAT builds distinguished by differing ldflags COMMIT values.
SparkRAT has been consistently associated with several intrusion clusters and campaigns. SentinelLABS described the DragonSpark activity in East Asia as the first concrete malicious campaign showing consistent use of SparkRAT and assessed the operator as a Chinese-speaking threat actor. SparkRAT was also reported in activity linked to Webworm, RedNovember, TAG-140, and TGR-STA-1030/UNC6619, and has been referenced in various Chinese-linked campaigns. In TGR-STA-1030 reporting, SparkRAT appeared alongside Cobalt Strike, VShell, Havoc, and Sliver; in TAG-140 reporting it was one of several RAT payloads used against Indian targets.
Observed delivery and execution methods vary by campaign. Kroll documented a Golang loader named LESLIELOADER used to decode, decrypt, and inject SparkRAT into a suspended notepad.exe process; the loader used Base64 decoding and AES-192 decryption with the key string "LeslieCheungKwok," and in one case attempted to beacon to 209.141.50[.]215:443. Other reporting states LESLIELOADER downloaded SparkRAT, and Huntress observed SparkRAT deployed after exploitation of IIS web application flaws. SparkRAT has also been deployed in exploitation of public-facing vulnerabilities, including Apache ActiveMQ CVE-2023-46604 and BeyondTrust Remote Support / Privileged Remote Access CVE-2026-1731.
In the BeyondTrust CVE-2026-1731 exploitation wave, multiple sources reported SparkRAT and VShell being deployed after unauthenticated OS command injection against internet-exposed remote access appliances. Affected sectors included financial services, technology, higher education, legal services, healthcare, retail, and other organizations across the United States, France, Germany, Australia, and Canada. Post-exploitation activity in those cases included reconnaissance, web shell deployment, persistence, lateral movement, remote management tool installation, tunneling, and in some cases data theft.
High-confidence indicators and technical details directly mentioned in the content include SparkRAT’s WebSocket C2, cross-platform support, open-source Go implementation, DragonSpark-linked usage, per-victim COMMIT-tagged builds, and one observed DragonSpark sample version built from commit 6920f726d74efb7836a03d3acfc0f23af196765e on 2022-11-01 UTC.
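The two network behaviours the summary above attributes to SparkRAT, WebSocket C2 and an HTTP POST upgrade check that carries the build identifier in a "commit" query parameter, can be triaged from proxy logs. The script below is an added example and is not code from the Mallory page or from the SparkRAT project: the log format, the source addresses, the WebSocket allowlist and the request path are constructed for this example; the only value taken from the page is the DragonSpark sample commit hash.

```python
"""Proxy-log triage for SparkRAT-style WebSocket C2 and commit-tagged POSTs.

Added example. Everything marked 'constructed' below is an assumption made
for illustration; only the DragonSpark commit hash comes from public reporting.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Commit values reported as SparkRAT build identifiers. The first entry is the
# DragonSpark sample commit cited in the summary; others would come from IOC feeds.
KNOWN_BAD_COMMITS = {"6920f726d74efb7836a03d3acfc0f23af196765e"}

# Constructed: internal services where WebSocket upgrades are expected (assumption).
WEBSOCKET_ALLOWLIST = {"chat.corp.example"}

# A git commit id as used in ldflags COMMIT values: 40 lowercase hex digits.
GIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample log in a simple "timestamp src method url upgrade" format.
# '-' in the last column means no Upgrade header was seen.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET https://chat.corp.example/socket websocket
2024-05-01T10:00:07Z 10.0.0.9 GET http://203.0.113.10:8000/ws websocket
2024-05-01T10:00:09Z 10.0.0.9 POST http://203.0.113.10:8000/api/client/update?commit=6920f726d74efb7836a03d3acfc0f23af196765e -
2024-05-01T10:00:15Z 10.0.0.7 POST https://git.corp.example/api?commit=abc -
2024-05-01T10:00:20Z 10.0.0.7 GET https://intranet.corp.example/ -
"""


def parse_line(line):
    """Split one constructed log line into a record with the URL decomposed."""
    ts, src, method, url, upgrade = line.split()
    parts = urlsplit(url)
    return {
        "ts": ts,
        "src": src,
        "method": method.upper(),
        "host": parts.hostname,
        "path": parts.path,
        "query": parse_qs(parts.query),
        "upgrade": upgrade.lower(),
    }


def triage(rec):
    """Return (severity, reason) findings for one parsed record."""
    findings = []

    # WebSocket upgrade to a host that is not a known internal WebSocket service.
    if rec["upgrade"] == "websocket" and rec["host"] not in WEBSOCKET_ALLOWLIST:
        findings.append(("medium", f"websocket upgrade to non-allowlisted host {rec['host']}"))

    # POST carrying a commit parameter, as the upgrade mechanism does.
    commits = rec["query"].get("commit", [])
    if rec["method"] == "POST" and commits:
        commit = commits[0]
        if commit in KNOWN_BAD_COMMITS:
            findings.append(("high", f"POST with known SparkRAT build commit {commit}"))
        elif GIT_SHA_RE.match(commit):
            # Shape matches a git SHA but is not on the known list: worth a look, not an alert.
            findings.append(("low", "POST carrying a 40-hex commit query parameter"))
        # Anything else (e.g. commit=abc from an internal git API) is ignored.

    return findings


def scan(log_text):
    """Group findings by source IP so that a host that both opens a WebSocket
    and posts a commit value stands out as a combined pattern."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        for severity, reason in triage(rec):
            hits.setdefault(rec["src"], []).append((rec["ts"], severity, reason))
    return hits


if __name__ == "__main__":
    for src, findings in scan(SAMPLE_LOG).items():
        for ts, severity, reason in findings:
            print(f"{src} {ts} [{severity}] {reason}")
```

Run as-is, the script flags only 10.0.0.9 (a WebSocket upgrade to an external address followed by a POST with the known build commit); 10.0.0.5 hits the allowlist and 10.0.0.7's "commit=abc" does not have the shape of a git SHA, so neither produces a finding. The allowlist and the hash-shape check are what keep the rule from firing on ordinary chat and source-control traffic.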
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The vulnerability, tracked as CVE-2026-1731, is an operating system command injection flaw that also impacts some older versions of BeyondTrust Privileged Remote Access. The flaw allows an attacker to execute arbitrary commands on a server without the need for credentials or any user interaction.
A critical vulnerability in BeyondTrust Remote Support is facing an increase in threat activity, with hackers deploying SparkRAT and vShell backdoors and using remote management tools to conduct reconnaissance...
ClearSky Cyber Security has uncovered a new zero-day vulnerability, CVE-2024-43451, actively exploited in the wild, targeting Windows systems primarily in Ukraine. This flaw enables attackers to exploit URL files for malicious activity by performing actions as simple as a single right-click.
Groups observed using it
8 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Sandbox family search for family:sparkrat. Returned a per-victim SparkRAT sibling submitted independently to the sandbox. Its ldflags COMMIT differs from the case sample. Confirms the operator uses per-target SparkRAT builds.
The initial analysis showed that the ZIP files downloaded were installing SparkRAT on some systems, while later variations utilized Redline Stealer.
...Leslieloader that downloads a backdoor dubbed SparkRAT. The Go variants are compliant with Windows, Linux and OSX. They support file upload and download, system fingerprinting and direct command-line interaction with infected hosts.
"...including CurlBack, SparkRAT, AresRAT, Xeno RAT, AllaKore, and ReverseRAT."
The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation.
...UNK_ColtCentury... likely an attempt to deploy the SparkRAT backdoor.
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
A critical vulnerability in BeyondTrust Remote Support is facing an increase in threat activity ... Multiple BeyondTrust Remote Support users have been confirmed targets ... The flaw allows an attacker to execute arbitrary commands on a server without the need for credentials or any user interaction.
Execution
4 techniques
This version supports 26 commands that implement a wide range of functionalities: Command execution: including execution of arbitrary Windows system and PowerShell commands.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
1 technique
Discovery
3 techniques
Information theft: including exfiltration of platform information... and process and file enumeration.
Lateral Movement
2 techniques
Collection
1 technique
Command and Control
4 techniques
"Among the tools put to use by the threat actor are command-and-control (C2) frameworks... Cobalt Strike, VShell, Havoc, Sliver, and SparkRAT"
SparkRAT uses the WebSocket protocol to communicate with the C2 server and features an upgrade system.
IOCs tracked for this family
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
32 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Remote access trojan observed in exploitation activity targeting a BeyondTrust critical vulnerability (CVE-2026-1731).
Remote access trojan used to provide interactive remote control of compromised hosts as part of post-exploitation activity.
Cross-platform Go-based remote access trojan (open source) with modular capabilities including remote shell access, file management, command execution, and encrypted command-and-control communications; observed deployed post-exploitation after BeyondTrust CVE-2026-1731 compromise.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.