MalwareUsed by 1 actor

m6699.exe

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

DragonSpark

The Golang malware m6699.exe uses the Yaegi framework to interpret at runtime encoded Golang source code stored within the compiled binary, executing the code as if compiled.

via sentinelone labssentinelone.com

MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques

T1106Native APIEvidence1

ShellCode_Loader uses the Python ctypes library for accessing the Windows API to load the shellcode in memory and start a new thread that executes the shellcode.

T1129Shared ModulesEvidence1

The main purpose of m6699.exe is to execute a first-stage shellcode that implements a loader for a second-stage shellcode.

Privilege Escalation

1 technique

T1055Process InjectionEvidence1

“allocat[es] executable… heap memory… places the first-stage shellcode… and executes it.” / “ctypes… load the shellcode in memory and start a new thread”

Stealth

4 techniques

T1027Obfuscated Files or InformationEvidence1

The Golang malware m6699.exe uses the Yaegi framework to interpret at runtime encoded Golang source code stored within the compiled binary, executing the code as if compiled. This is a technique for hindering static analysis and evading detection by static analysis mechanisms.

T1055Process InjectionEvidence1

“allocat[es] executable… heap memory… places the first-stage shellcode… and executes it.” / “ctypes… load the shellcode in memory and start a new thread”

T1140Deobfuscate/Decode Files or InformationEvidence1

“The malware first Base-64 decodes and then decrypts the shellcode.” / “decodes before passing… for execution.”

T1620Reflective Code LoadingEvidence1

m6699.exe then evaluates the source code in the context of the Yaegi interpreter and uses Golang reflection to execute the run.Main function.

Command and Control

2 techniques

T1095Non-Application Layer ProtocolEvidence1

The first-stage shellcode implements a shellcode loader. The shellcode connects to a C2 server using the Windows Sockets 2 library and receives a 4-byte big value... The first-stage shellcode then receives from the C2 server the second-stage shellcode and executes it.

T1105Ingress Tool TransferEvidence1

After gaining access to environments, the threat actor conducted a variety of malicious activities, such as lateral movement, privilege escalation, and deployment of malware and tools hosted at attacker-controlled infrastructure.

INDICATORS OF COMPROMISE

IOCs tracked for this family

5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

3 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes

1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other

1 tracked

Other indicator types observed in public reporting.

TypeValueLatest sighting

hash.sha1●●●●●●●●●●●●View more in app1 year ago

ip.v4●●●●●●●●●●●●View more in app1 year ago

uri●●●●●●●●●●●●View more in app1 year ago

domain●●●●●●●●●●●●View more in app1 year ago

ip.v4●●●●●●●●●●●●View more in app1 year ago

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

sentinelone labsNews

Apr 11, 2025

DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation | SentinelOne

A Golang malware loader that uses Yaegi to interpret embedded Golang source at runtime to evade static analysis, then decodes and executes first-stage shellcode which retrieves and runs a second-stage shellcode from C2, enabling a Meterpreter session.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching5

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping8

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.