Mallory

Malware | Used by 1 actor | Exploits 1 CVE

Spark RAT

Spark RAT is an open-source remote access trojan/backdoor capable of targeting Windows, Linux, and macOS systems. Public reporting describes it as providing operators with a wide range of commands to control compromised devices.

It has been observed in multiple intrusion sets and campaigns. Pakistan-aligned SideCopy/Transparent Tribe activity targeting South Asian entities used it in April 2025 attacks against various sectors in India, alongside Xeno RAT and CurlBack RAT. It was also reported in suspected Chinese espionage activity tracked as RedNovember/Storm-2077, where operators compromised vulnerable VPNs, firewalls, and other security solutions and deployed Spark RAT alongside Pantegana; a LESLIELOADER variant was used to deploy Spark RAT and Cobalt Strike Beacons, and exploited VPN services were used to facilitate communications. Additional reporting states that UNK_ColtCentury, also called TAG-100 and Storm-2077, sent trust-building benign emails to legal personnel at a Taiwanese semiconductor organization before delivering Spark RAT. Spark RAT is also cited as used by the Cyber Anarchy Squad (C.A.S), which employs open-source RATs including Spark RAT for remote access after exploiting public-facing applications such as Jira, Confluence, and Microsoft SQL Server.

Spark RAT has also been deployed alongside malware such as VShell, BlackShades, BrowserPasswordDump10, DarkComet, and Quasar RAT. Beyond its role as a multi-platform RAT/backdoor with broad remote-control functionality, high-confidence behavioral detail is limited in the available reporting, and no specific Spark RAT IOCs are provided.


EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE

CVE-2026-1731: Pre-auth OS Command Injection RCE in BeyondTrust Remote Support and PRA (Exploited in the wild)

Threat actors have been observed exploiting a recently disclosed critical security flaw impacting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA) products... The vulnerability, tracked as CVE-2026-1731 (CVSS score: 9.9), allows attackers to execute operating system commands in the context of the site user... Unit 42 said it detected the security flaw being actively exploited in the wild... CISA ... KEV ... confirm that the bug has been exploited in ransomware campaigns.

via The Hacker News (thehackernews.com)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

RedNovember

...compromise of vulnerable VPNs, firewalls, and other security solutions with Pantegana and Spark RAT...

via SC World (scworld.com)
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190 Exploit Public-Facing Application (Evidence: 1)

"Threat actors have been observed exploiting ... CVE-2026-1731 ... allows attackers to execute operating system commands in the context of the site user... leverage the affected 'thin-scc-wrapper' script that's reachable via WebSocket interface to inject and execute arbitrary shell commands"

Command and Control

2 techniques

T1071 Application Layer Protocol (Evidence: 1)

"...web shell deployment, command-and-control (C2), backdoor and remote management tool installs..."

T1219 Remote Access Tools (Evidence: 1)

"...backdoor and remote management tool installs... Deploying malware such as VShell ... and Spark RAT"

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (1)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (3)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.