Threat Actor Characterization

SparkRAT

ID: ad0437fa157c5a6a576424134e671cae32408
Crimeware RAT Trojan
Threat types: Malware, Remote Access Trojan, Cross-Platform, Toolset
Unknown
Updated: 2026-02-24
Created: 2026-02-23
Progress: 72% Completeness: 73% Freshness: 70%
Aliases: Spark, Spark RAT
MITRE ATT&CK®

SparkRAT is an open-source, cross-platform Go-based RAT and server/panel used as a post-compromise remote administration capability across multiple threat clusters and campaigns.


Technique Technique name Tactics Evidence
T1059 Command and Scripting Interpreter TA0002
  • 2025-07-01 — SparkRAT is described as enabling command execution/terminal access as part of remote administration capabilities. · ref
T1071.001 Web Protocols TA0011
  • 2025-01-28 — Public reporting discusses malicious connections and server detection consistent with web-protocol C2 operation for SparkRAT deployments. · ref
T1105 Ingress Tool Transfer TA0011
  • 2025-09-24 — Campaign reporting describes loader-to-payload delivery where SparkRAT is staged/loaded after initial delivery, consistent with tool transfer/staging workflows. · ref
T1082 System Information Discovery TA0007
  • 2025-07-01 — SparkRAT is described as collecting system information as part of its remote administration feature set. · ref
T1083 File and Directory Discovery TA0007
  • 2025-07-01 — SparkRAT is described as providing file management and file transfer capabilities, implying file/directory interaction and discovery. · ref
T1571 Non-Standard Port TA0011
  • 2025-09-24 — Campaign reporting includes non-standard ports for command-and-control and associated infrastructure; SparkRAT used as part of the toolset in the intrusion chain. · ref
T1190 Exploit Public-Facing Application TA0001
  • 2026-02-20 — SparkRAT was reported as post-exploitation tooling deployed after exploitation of a public-facing vulnerability (BeyondTrust). The exploit vector is campaign-dependent, but the case highlights exploit-driven initial access leading to tool deployment. · ref
T1547 Boot or Logon Autostart Execution TA0003, TA0004
  • 2025-01-31 — INFERENCE (confidence: low): Vendor bulletins describe SparkRAT as modular and used for persistent remote control; persistence is commonly achieved via OS-native autostart mechanisms, but the implementation varies by campaign. · ref
Strategic Intelligence
Last updated: 2026-02-23T20:31:50+00:00

SparkRAT (Open-source, cross-platform RAT)

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Category: Malware / Remote Access Trojan (RAT) — Origin: Unknown (tool used by multiple threat clusters)

Author: iQBlack CTI Team
Executive Summary

SparkRAT is a cross-platform Remote Access Trojan (RAT) written in Go and distributed as an open-source toolset (agent + C2/server). Public reporting consistently frames it as a commodity post-compromise capability rather than a single-actor-exclusive implant, which complicates attribution at the ‘actor’ level and shifts analysis toward campaigns and clusters that deploy it.

Operationally, SparkRAT functions as an interactive remote administration capability (command execution, file operations, system profiling and other operator-driven actions). As an open-source RAT, its code can be modified, recompiled, and refactored, meaning static indicators (strings, file hashes) are brittle and must be paired with behavior-based hunting.

Public reporting links SparkRAT use to multiple intrusion contexts, including espionage-oriented activity where SparkRAT was loaded by an intermediate Go-based loader (LESLIELOADER) and operated via infrastructure documented in open reporting. Separately, early distribution has been observed via trojanized installers, illustrating that SparkRAT may appear both as a primary payload and as a secondary tool delivered post-access.

Executive Analyst Brief for Decision Makers — SparkRAT

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Hunting Playbook — SparkRAT (Spark / SparkRAT)
Last updated: 2026-02-23T20:06:50+00:00

IOC Appendix (Seed Set) — SparkRAT

Classification: Unclassified / Open Source Intelligence (OSINT) — TLP:WHITE

Last saved: 2026-02-23T20:07:09+00:00

OSINT Library — SparkRAT
2026-02-20 — Unit 42 (Palo Alto Networks) — “VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)”

Social Media & Communication
SOCMINT integrated: 0/2

Address | Verification | SOCMINT
github.com/XZB*********** | Restricted | Not integrated
github.com/XZB******************** | Restricted | Not integrated
Notes: preview mode hides sensitive social/contact details.
Reference Images/Associated Evidence

7 reference images; titles: procmgr, Explorer, Terminal, Overview CPU, Desktop, Overview, Explorer Editor.