Spark RAT
Spark RAT is an open-source, multi-platform remote access trojan/backdoor that targets Windows, Linux, and macOS systems. It gives operators a wide range of commands to control compromised devices. A modified version that incorporates code from an open-source Go shellcode loader has also been observed.

Spark RAT has been deployed in multiple intrusion sets and campaigns by both state-linked and hacktivist actors. Reported users include: the Pakistan-aligned SideCopy group, in attacks on various sectors in India; the suspected Chinese espionage cluster RedNovember/Storm-2077, which used Spark RAT alongside Pantegana and delivered it via a LESLIELOADER variant after compromising vulnerable VPNs, firewalls, and other security solutions; FamousSparrow, which used a modified Spark RAT in post-compromise activity; UNK_ColtCentury/TAG-100/Storm-2077, in operations targeting legal personnel at a Taiwanese semiconductor organization; and the Cyber Anarchy Squad (C.A.S), which used Spark RAT in attacks on organizations in Russia and Belarus.

Targeting associated with Spark RAT includes government, defense, aerospace, legal services, semiconductor, financial-sector, and other organizations across India, Taiwan, the Americas, Asia, Africa, and Oceania. High-confidence infection and delivery details in the source reporting include deployment through loaders, post-compromise installation after exploitation of edge devices such as VPNs and firewalls, and use as the remote-access payload in broader phishing and intrusion campaigns. No Spark RAT-specific indicators of compromise are provided in the source reporting.
Vulnerabilities exploited
1 CVE that Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Threat actors have been observed exploiting a recently disclosed critical security flaw impacting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products... The vulnerability, tracked as CVE-2026-1731 (CVSS score: 9.9), allows attackers to execute operating system commands in the context of the site user... Unit 42 said it detected the security flaw being actively exploited in the wild... CISA ... KEV ... confirm that the bug has been exploited in ransomware campaigns.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
A loader for a version of the open-source Spark RAT that was modified to include code from an open-source Go shellcode loader.
...compromise of vulnerable VPNs, firewalls, and other security solutions with Pantegana and Spark RAT...
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
"Threat actors have been observed exploiting ... CVE-2026-1731 ... allows attackers to execute operating system commands in the context of the site user... leverage the affected 'thin-scc-wrapper' script that's reachable via WebSocket interface to inject and execute arbitrary shell commands"
Command and Control (2 techniques)
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A remote access trojan referenced as one of multiple malware families used by the adversary in attacks targeting sectors in India.
Deployed following exploitation of CVE-2026-1731 as part of an intrusion chain involving web shells, C2, lateral movement, and data theft—consistent with a remote access trojan used to maintain interactive control of compromised environments.
RAT used in campaigns targeting Indian sectors.
Spark RAT is an open-source remote access trojan/backdoor used by attackers for persistent access and control of compromised devices, including network edge appliances.