DragonSpark

DragonSpark is a cluster of opportunistic intrusion activity targeting organizations in East Asia. SentinelLABS assessed it is highly likely conducted by a Chinese-speaking actor, but stated it could not reliably link the activity to a specific known threat actor. The campaign is notable for consistent use of the open-source, Golang-based SparkRAT, and Kroll reported that the DRAGONSPARK campaign frequently uses SPARKRAT in attacks against organizations in East Asia. Observed initial access included compromised internet-exposed web servers and MySQL servers. On compromised web servers, the actor used the China Chopper webshell. Post-compromise activity included lateral movement, privilege escalation, and staging of additional tools and malware from attacker-controlled infrastructure. Tooling and malware associated with DragonSpark include SparkRAT, SharpToken, BadPotato, GotoHTTP, a custom Python/PyInstaller malware called ShellCode_Loader, a custom Golang malware called m6699.exe, and a Golang loader dubbed LESLIELOADER. SparkRAT is a multi-platform Golang RAT supporting Windows, Linux, and macOS, communicating over WebSocket and supporting HTTP POST-based auto-upgrade. The observed SparkRAT build supported 26 commands including command execution, system manipulation, file and process manipulation, screenshots, and host profiling. DragonSpark activity also used an uncommon evasion method in m6699.exe: interpreting embedded Golang source code at runtime via Yaegi to hinder static analysis. ShellCode_Loader Base64-decodes and AES-CBC decrypts shellcode and executes it via Windows APIs. m6699.exe decodes embedded Golang source, evaluates it with Yaegi, and executes shellcode, enabling Meterpreter sessions. Kroll documented LESLIELOADER as a previously undocumented Golang loader used in ongoing campaigns with SPARKRAT. LESLIELOADER decodes and decrypts an embedded secondary payload using Base64 and AES-192 with the key string "LeslieCheungKwok," derives the IV from data at the end of the payload file, and injects the final payload into a suspended notepad.exe process. Kroll also identified additional LESLIELOADER samples containing Cobalt Strike configurations and other payloads, indicating the loader is not exclusive to SPARKRAT. Infrastructure used for staging was observed in China, Taiwan, Hong Kong, and Singapore, including compromised Taiwanese business sites and an AWS EC2 instance, while C2 servers were observed in Hong Kong and the United States. SentinelLABS cited the use of China Chopper, Chinese-developed open-source tooling, and other overlaps as supporting evidence of a Chinese-speaking origin, but no specific named group attribution was established. Known alias from the provided content: dragonspark.