Threat Actor Characterization

XZB-1248

ID: 65a5a149bc3f6f242c762a8da38cf8cc41455
Cybercrime Cybercriminal Malware Dev
Threat types: Malware, RAT
China
Updated: 2026-03-14
Created: 2026-02-23
Progress: 73% Completeness: 74% Freshness: 70%
Operation zone:
Aliases: 1248
MITRE ATT&CK®

XZB-1248 is a public developer handle associated with the open-source SparkRAT project (XZB-1248/Spark). SparkRAT is a Go-based, cross-platform RAT used by multiple downstream operators as post-exploitation tooling in diverse intrusion campaigns.


Technique | Technique name | Tactics | Evidence
T1190 | Exploit Public-Facing Application | TA0001 | 2024-03-19 — SparkRAT observed in chains following exploitation of public-facing services (TeamCity exploitation reporting).
T1105 | Ingress Tool Transfer | TA0011 | 2024-03-19 — Post-exploitation deployment implies ingress tool transfer of RAT components (campaign context).
T1059 | Command and Scripting Interpreter | TA0002 | 2023-01-24 — Operator activity includes remote command execution capability typical of RAT usage (campaign context).
T1071.001 | Web Protocols | TA0011 | 2023-01-24 — INFERENCE (confidence: medium): control and interaction patterns align with web-protocol C2/control planes used by RATs; validate per incident telemetry.

Strategic Intelligence
Last updated: 2026-02-24T17:08:15+00:00

XZB-1248 - Malware Author / Tool Maintainer

TLP:WHITE | Actor Type: Malware Author / Tool Maintainer (Open Source) | Last updated: 2026-02-23

Executive Analyst Brief for CISO

Executive Analyst Brief for Decision Makers — XZB-1248 / SparkRAT


Hunting Playbook

Hunting Playbook — XZB-1248 / SparkRAT (Spark)


IOC Appendix
Last updated: 2026-02-24T17:10:45+00:00

IOC Appendix — XZB-1248 / SparkRAT (Seed Set)


OSINT Library
Last saved: 2026-02-24T17:10:56+00:00

OSINT Library — XZB-1248


2022-03-16 — GitHub — “XZB-1248 / Spark (SparkRAT) repository”

Social Media & Communication
SOCMINT integrated: 0/2

Address | Verification | SOCMINT
[email protected] | Restricted | Not integrated
github.com/XZB***** | Restricted | Not integrated
Notes: preview mode hides sensitive social/contact details.