SparklingGoblin
SparklingGoblin is a China-aligned cyberespionage threat actor that ESET assesses to be connected to the broader Winnti Group ecosystem while exhibiting a distinct modus operandi. ESET began tracking the cluster separately after observing post-2019 activity that followed a Winnti-linked campaign against Hong Kong universities, and later named it SparklingGoblin. Trend Micro’s Earth Baku corresponds to SparklingGoblin, and its ScrambleCross backdoor corresponds to ESET’s SideWalk. SparklingGoblin has been active since at least mid-2020 and remained active through 2021.

Reported targets include academic institutions in Macao, Hong Kong, and Taiwan; a religious organization in Taiwan; a computer and electronics manufacturer in Taiwan; government organizations in Southeast Asia; an e-commerce platform in South Korea; the education sector in Canada; media companies in India, Bahrain, and the United States; local government in Georgia; and a computer retail company in the United States.

The group is associated with the previously undocumented modular backdoor SideWalk. SideWalk dynamically loads modules from its C2, uses Google Docs as a dead-drop resolver, and uses Cloudflare Workers for command-and-control, including update.facebookint.workers[.]dev. ESET reported that the Google Docs dead-drop content decrypted to a fallback C2 IP of 80.85.155[.]80, and that the server used a self-signed certificate for facebookint[.]com. SideWalk shares significant architectural and implementation similarities with the CROSSWALK backdoor used by the same cluster, suggesting common developers.

Observed SparklingGoblin tradecraft includes InstallUtil-based .NET loaders, modified ConfuserEx obfuscation, scheduled-task persistence using names such as RasTaskStart, RasTaskManager, and WebService, execution via InstallUtil.exe with the /U flag, process hollowing, ChaCha20-encrypted shellcode stored on disk as Microsoft.WebService.targets, string and code decryption, and an anti-tampering checksum routine.
SparklingGoblin is also mentioned as a user of ShadowPad, a modular backdoor privately sold to China-aligned APT groups, and ESET noted that Motnug is a loader used by SparklingGoblin. SparklingGoblin is also named among the better-known groups that exploit the vulnerabilities listed in CISA’s 2022 Top Routinely Exploited Vulnerabilities advisory.
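As an added illustration (not code from ESET, Mallory, or this profile), the Python below checks constructed Windows-style telemetry records for the persistence and execution artefacts the profile lists: the RasTaskStart/RasTaskManager/WebService task names, InstallUtil.exe run with /U, and a Microsoft.WebService.targets file. The record schema and the sample events are assumptions.

```python
import re

# Artefacts named in the profile above: task names, InstallUtil /U execution,
# and the on-disk name of the ChaCha20-encrypted shellcode.
SUSPICIOUS_TASK_NAMES = {"rastaskstart", "rastaskmanager", "webservice"}
SHELLCODE_FILENAME = "microsoft.webservice.targets"
INSTALLUTIL_UNINSTALL = re.compile(r"installutil(\.exe)?\b.*\s/u\b", re.IGNORECASE)


def classify_event(event):
    """Return the names of the rules one telemetry record matches ([] if none).
    The record layout (type, task_name, command_line, path) is an assumed schema."""
    hits = []
    if event.get("type") == "task_created":
        # Compare only the leaf task name so a folder prefix such as
        # \Microsoft\Windows\... neither hides nor spoofs a match.
        leaf = event.get("task_name", "").rsplit("\\", 1)[-1].lower()
        if leaf in SUSPICIOUS_TASK_NAMES:
            hits.append("scheduled_task_name")
    if event.get("type") == "process_created":
        if INSTALLUTIL_UNINSTALL.search(event.get("command_line", "")):
            hits.append("installutil_uninstall_exec")
    if event.get("type") in ("process_created", "file_created"):
        text = (event.get("command_line", "") + " " + event.get("path", "")).lower()
        if SHELLCODE_FILENAME in text:
            hits.append("webservice_targets_file")
    return hits


def scan(events):
    """Map event id -> matched rule names, keeping only events with a hit."""
    return {e["id"]: hits for e in events if (hits := classify_event(e))}


# Constructed sample telemetry (not real captures): three hits, two benign.
SAMPLE_EVENTS = [
    {"id": 1, "type": "task_created", "task_name": "\\RasTaskStart"},
    {"id": 2, "type": "process_created",
     "command_line": r"InstallUtil.exe /logfile= /LogToConsole=false /U C:\ProgramData\svc.dll"},
    {"id": 3, "type": "file_created", "path": r"C:\ProgramData\Microsoft.WebService.targets"},
    {"id": 4, "type": "task_created", "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"id": 5, "type": "process_created", "command_line": r"InstallUtil.exe /i C:\dev\svc.exe"},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
```

"WebService" is a generic task name, so treat that rule as low confidence on its own and weight it by co-occurrence with the InstallUtil /U or .targets file hits on the same host.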
Associated malware families
6 malware families attributed to this actor across reporting.
1 additional family tracked in Mallory.
Observables
14 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
China-aligned threat actor referenced as a known user of ShadowPad.
SparklingGoblin is known for exploiting widely known vulnerabilities, including those in the 2022 Top Routinely Exploited Vulnerabilities list. They are opportunistic and target unpatched systems using public exploits.
Referenced as a separate known APT group connected via tooling overlap: a Motnug loader variant (associated with SparklingGoblin) was deployed in an incident linked to FamousSparrow, suggesting possible shared tooling, access, or operational crossover rather than confirmed identity equivalence.
Activity cluster linked to the broader Winnti ecosystem, observed since mid-2020 conducting intrusions (notably against academia in East/Southeast Asia, but also globally) using modular backdoors (SideWalk, CROSSWALK) and related tooling; uses Google Docs as a dead-drop resolver and Cloudflare Workers for C2, with proxy-aware HTTPS communications and modular plugin loading.