
Since its initial release on GitHub in 2022 by user XZB-1248, SparkRAT has evolved into a widely used tool for cybercriminals due to its modular design, web-based interface, and cross-platform support for Windows, macOS, and Linux. The malware has been deployed in post-exploitation campaigns, including attacks leveraging CVE-2024-27198, and has been linked to cyber espionage operations targeting government organizations.
A recent Hunt.io investigation reveals that this malware continues to be actively used in cyber campaigns, particularly against macOS users, as part of a suspected DPRK operation.
SparkRAT, written in Golang, uses WebSockets to establish connections with its Command-and-Control (C2) servers, followed by HTTP-based upgrade checks via POST requests.
By default, the C2 server listens on port 8000, providing a clear fingerprint for threat researchers tracking active deployments. However, the listening port and other settings are easily changed in the configuration file, so port-based detection alone is unreliable.
“SparkRAT employs HTTP Basic Authentication to restrict access to its C2 server panel, which requires a username/password to be created in the configuration file to proceed.”
When accessing a suspected SparkRAT panel, certain HTTP response headers serve as detection indicators:
- HTTP/1.1 401 Unauthorized
- Www-Authenticate: Basic realm=Authorization Required
- Content-Length: 0
Additionally, a POST request to /api/client/update?arch=* results in a 400 HTTP response with a JSON body containing:
{"code":-1,"msg":"${i18n|COMMON.INVALID_PARAMETER}"}
These patterns have been instrumental in identifying new SparkRAT deployments worldwide.
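The two fingerprints above (the 401 panel response and the 400 JSON error from /api/client/update) are easy to check mechanically once a response has been captured. The following is an added example, not code from Hunt.io or from the SparkRAT project: it parses raw HTTP responses and reports whether they match the indicators listed above. The sample responses are constructed to mirror those indicators and were not captured from any real server.

```python
import json
import re

# Constructed sample responses (not captured from a real server); they mirror
# the indicators the article lists for a SparkRAT panel.
PANEL_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Www-Authenticate: Basic realm=Authorization Required\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

UPDATE_400 = (
    "HTTP/1.1 400 Bad Request\r\n"
    "Content-Type: application/json\r\n"
    "Content-Length: 52\r\n"
    "\r\n"
    '{"code":-1,"msg":"${i18n|COMMON.INVALID_PARAMETER}"}'
)

# A generic Basic-auth challenge from an unrelated web server, for contrast.
GENERIC_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="nginx"\r\n'
    "Content-Length: 179\r\n"
    "\r\n"
    "<html><body>401 Authorization Required</body></html>"
)


def parse_http_response(raw: str):
    """Split a raw HTTP/1.x response into (status_code, headers, body).

    Header names are lower-cased so comparisons are case-insensitive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"HTTP/1\.[01] (\d{3})", lines[0])
    status = int(m.group(1)) if m else 0
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def matches_panel_fingerprint(raw: str) -> bool:
    """True when the response looks like the unauthenticated SparkRAT panel:
    401 with the unquoted 'Authorization Required' realm and an empty body."""
    status, headers, _ = parse_http_response(raw)
    return (
        status == 401
        and headers.get("www-authenticate") == "Basic realm=Authorization Required"
        and headers.get("content-length") == "0"
    )


def matches_update_fingerprint(raw: str) -> bool:
    """True when the response matches the /api/client/update?arch=* error body."""
    status, _, body = parse_http_response(raw)
    if status != 400:
        return False
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return False
    return doc.get("code") == -1 and doc.get("msg") == "${i18n|COMMON.INVALID_PARAMETER}"


def classify(panel_response: str, update_response: str) -> str:
    """Combine both checks; requiring both lowers the false-positive rate."""
    panel = matches_panel_fingerprint(panel_response)
    update = matches_update_fingerprint(update_response)
    if panel and update:
        return "likely-sparkrat"
    if panel or update:
        return "partial-match"
    return "no-match"


if __name__ == "__main__":
    print(classify(PANEL_401, UPDATE_400))    # likely-sparkrat
    print(classify(GENERIC_401, UPDATE_400))  # partial-match
```

Requiring both indicators before labelling a host is deliberate: a bare 401 with Basic auth is common on the internet, while the specific i18n placeholder in the 400 body is far more distinctive.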
In November 2024, researchers Germán Fernández (@1ZRR4H) and Chris Duggan (@TLP_R3D) highlighted an ongoing SparkRAT campaign using fake meeting pages and compromised domains. Leveraging Hunt.io's Active C2 scans, three additional servers hosting SparkRAT implants were identified, confirming that the campaign remains active.
“Unlike the previously reported activity, we observed no meeting-related domains or web pages. Additionally, at least one of the open directories used a different path to deliver SparkRAT than previously documented.”
Hunt.io’s investigation uncovered multiple active SparkRAT servers across different locations. These servers hosted open directories containing malicious files such as client.bin and bash scripts (dev.sh, test.sh) designed to download and execute SparkRAT payloads.
- IP: 152.32.138[.]108 (South Korea) – Hosted SparkRAT implants, linked to DPRK infrastructure.
- IP: 15.235.130[.]160 (Singapore) – Active SparkRAT C2 operating on port 8000.
- IP: 118.194.249[.]38 (Hong Kong) – Associated with multiple malicious domains.
At 152.32.138[.]108, an Apache HTTPD server was found hosting SparkRAT payloads, including a Mach-O binary (client.bin) designed for macOS systems. Upon execution, the malware drops a persistence file (com.second.startup.plist) in /Users/run, ensuring execution every 10 minutes.
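A defender triaging a macOS host can check LaunchAgent plists for the persistence pattern described above. The following is an added example, not Hunt.io's tooling, and the article does not reproduce the dropped plist, so the sample below is constructed: it assumes the 10-minute cadence is implemented with launchd's StartInterval key (600 seconds), that the Label matches the file name stem com.second.startup, and that the program path sits under /Users/run. Adjust these assumptions to whatever the real file contains.

```python
import plistlib
from pathlib import Path

# Constructed sample LaunchAgent; the real dropped file is not reproduced in
# the article. Assumes StartInterval=600 provides the 10-minute cadence.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key><string>com.second.startup</string>
    <key>ProgramArguments</key>
    <array><string>/Users/run/client.bin</string></array>
    <key>StartInterval</key><integer>600</integer>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed benign agent for contrast (a typical package-manager service).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>homebrew.mxcl.redis</string>
    <key>ProgramArguments</key>
    <array><string>/opt/homebrew/opt/redis/bin/redis-server</string></array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Indicators taken from the article; the label is assumed to equal the file stem.
KNOWN_LABELS = {"com.second.startup"}
SUSPICIOUS_DIRS = ("/Users/run/",)
SUSPICIOUS_INTERVAL = 600  # 10 minutes, as described in the article


def assess_launch_agent(data: bytes) -> dict:
    """Parse a LaunchAgent plist and list which indicators it matches."""
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    args = plist.get("ProgramArguments") or []
    program = plist.get("Program") or (args[0] if args else "")
    interval = plist.get("StartInterval")
    reasons = []
    if label in KNOWN_LABELS:
        reasons.append("known-label")
    if any(program.startswith(d) for d in SUSPICIOUS_DIRS):
        reasons.append("program-under-/Users/run")
    if interval == SUSPICIOUS_INTERVAL:
        reasons.append("10-minute-start-interval")
    return {"label": label, "program": program, "interval": interval, "reasons": reasons}


def is_suspicious(data: bytes) -> bool:
    return bool(assess_launch_agent(data)["reasons"])


def scan_launch_agents(directory: str) -> list:
    """Return (path, reasons) for every suspicious .plist under a directory."""
    hits = []
    for path in Path(directory).glob("*.plist"):
        try:
            result = assess_launch_agent(path.read_bytes())
        except Exception:  # malformed or binary-only plist; skip, do not crash
            continue
        if result["reasons"]:
            hits.append((str(path), result["reasons"]))
    return hits


if __name__ == "__main__":
    print(assess_launch_agent(SUSPECT_PLIST))
    print(scan_launch_agents("/Users/run"))  # empty on a clean host
```

On a live host, point scan_launch_agents at ~/Library/LaunchAgents and /Library/LaunchAgents as well as /Users/run; the interval and path checks catch relabelled copies that the label match alone would miss.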
“The malware attempts multiple TCP connections to 51.79.218[.]159:8000, an OVH SAS server located in Singapore.”
Another SparkRAT variant at 15.235.130[.]160 used a newer binary (SHA-256: 52277d43d2f5e8fa8c856e1c098a1ff260a956f0598e16c8fb1b38e3a9374d15) but followed a similar execution pattern.

“The APK makes a GET request to http://one68[.]top/client, and the server responds with HTTP 101 Switching Protocols indicating an upgrade to a WebSocket connection.”
To obscure their infrastructure, the attackers placed hosts behind Cloudflare, making direct attribution and takedown efforts more challenging.
Despite recent detections, SparkRAT remains a persistent threat, thanks to its modularity, cross-platform capabilities, and ability to evade detection. Hunt.io’s team is actively monitoring new SparkRAT infrastructure to disrupt cyber operations.