SparkRAT
SparkRAT is a cross-platform remote access trojan/backdoor written in Go and publicly available as open-source software. It supports Windows, Linux, and macOS and has been described as providing remote shell or direct command-line interaction, command execution, file upload and download/file management, system fingerprinting, and encrypted command-and-control. Reporting cited here notes Go variants compatible with Windows, Linux, and OSX, and also describes SparkRAT as an infostealer in some campaign reporting.
SparkRAT was first widely reported in 2023 during DragonSpark activity and has continued to appear in modified forms after the original project was reportedly abandoned in February 2023. Kroll documented a Golang loader dubbed LESLIELOADER used to deploy SparkRAT; that loader decodes and AES-192 decrypts an embedded secondary payload using the key string "LeslieCheungKwok," derives an IV from the tail of the payload container, and injects the final payload into a suspended notepad.exe process. In the analyzed case, the loader used files named Ntmssvc.dll and RemovableStorage.dll and attempted an initial beacon to 209.141.50.215:443.
The malware has been observed across multiple intrusion sets and campaigns. It was reported in BeyondTrust Remote Support/Privileged Remote Access exploitation tied to CVE-2026-1731, where attackers deployed SparkRAT alongside VShell, PowerShell downloaders, Linux download-and-execute cradles, web shells, and attempted Meterpreter reverse shells. Those BeyondTrust intrusions affected organizations in sectors including financial services, technology, higher education, legal services, healthcare, retail, and wholesale, across countries including the United States, France, Germany, Australia, and Canada. SparkRAT has also been listed among tools used by the cyber-espionage cluster TGR-STA-1030/UNC6619, alongside Cobalt Strike, VShell, Havoc, and Sliver, in compromises of government and critical infrastructure organizations across dozens of countries. Additional reporting links SparkRAT usage to Webworm, RedNovember, TAG-140, and attacks involving IIS web application exploitation.
Operationally, SparkRAT has been delivered through several vectors in the cited reporting: phishing campaigns, trojanized archives and loaders, exploitation of public-facing applications, and post-exploitation deployment after initial access. Hunt researchers and Talos reporting indicate actors may use per-target SparkRAT builds. One Webworm-related analysis specifically found independently submitted SparkRAT siblings with differing ldflags COMMIT values, assessed as evidence of per-victim builds.
High-confidence indicators directly mentioned in the content include the LESLIELOADER AES key string "LeslieCheungKwok," associated filenames Ntmssvc.dll and RemovableStorage.dll, and the beacon destination 209.141.50.215:443 from the analyzed loader chain.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The vulnerability, tracked as CVE-2026-1731, is an operating system command injection flaw that also impacts some older versions of BeyondTrust Privileged Remote Access. The flaw allows an attacker to execute arbitrary commands on a server without the need for credentials or any user interaction.
A critical vulnerability in BeyondTrust Remote Support is facing an increase in threat activity, with hackers deploying SparkRAT and vShell backdoors and using remote management tools to conduct reconnaissance...
ClearSky Cyber Security has uncovered a new zero-day vulnerability, CVE-2024-43451, actively exploited in the wild, targeting Windows systems primarily in Ukraine. This flaw enables attackers to exploit URL files for malicious activity by performing actions as simple as a single right-click.
Groups observed using it
8 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Sandbox family search for family:sparkrat. Returned a per-victim SparkRAT sibling submitted independently to the sandbox. Its ldflags COMMIT differs from the case sample. Confirms the operator uses per-target SparkRAT builds.
The initial analysis showed that the ZIP files downloaded were installing SparkRAT on some systems, while later variations utilized Redline Stealer.
...Leslieloader that downloads a backdoor dubbed SparkRAT. The Go variants are compliant with Windows, Linux and OSX. They support file upload and download, system fingerprinting and direct command-line interaction with infected hosts.
"...including CurlBack, SparkRAT, AresRAT, Xeno RAT, AllaKore, and ReverseRAT."
The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation.
...UNK_ColtCentury... likely an attempt to deploy the SparkRAT backdoor.
"CVE-2026-1731 (BeyondTrust) is associated with HAFNIUM and linked to Lumma Stealer, SparkRAT, and VShell malware deployments."
“The primary C2 frameworks observed were Cobalt Strike, VShell, Havoc, Sliver, and SparkRat.”
Techniques & procedures
16 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
A critical vulnerability in BeyondTrust Remote Support is facing an increase in threat activity ... Multiple BeyondTrust Remote Support users have been confirmed targets ... The flaw allows an attacker to execute arbitrary commands on a server without the need for credentials or any user interaction.
Execution
4 techniques
“Command execution: including execution of arbitrary Windows system and PowerShell commands.”
The vulnerability, tracked as CVE-2026-1731, is an operating system command injection flaw ... The flaw allows an attacker to execute arbitrary commands on a server without the need for credentials or any user interaction.
"CVE-2026-1731 is an OS command injection vulnerability (CWE-78) in the thin-scc-wrapper component, which is exposed directly to the network via WebSocket... lets attackers run system commands with no login required."
Persistence
1 technique
Privilege Escalation
1 technique
Discovery
3 techniques
Lateral Movement
2 techniques
Key initial access vectors include ... Exposed Outlook Web Access (OWA) and VPN infrastructure
“By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user.”
Collection
1 technique
Command and Control
4 techniques
"Among the tools put to use by the threat actor are command-and-control (C2) frameworks... Cobalt Strike, VShell, Havoc, Sliver, and SparkRAT"
“SparkRAT uses the WebSocket protocol to communicate with the C2 server…”
“upgrade request… an HTTP POST request, with the commit query parameter…”
This confirms the actor delivers tools through operator-controlled open directories, not mass-mail or drive-by chains.
IOCs tracked for this family
10 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
32 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Remote access trojan observed in exploitation activity targeting a BeyondTrust critical vulnerability (CVE-2026-1731).
Remote access trojan observed in exploitation activity against BeyondTrust (CVE-2026-1731).
Remote access trojan used to provide interactive remote control of compromised hosts as part of post-exploitation activity.
Cross-platform Go-based remote access trojan (open source) with modular capabilities including remote shell access, file management, command execution, and encrypted command-and-control communications; observed deployed post-exploitation after BeyondTrust CVE-2026-1731 compromise.