TTPwire Vol. 1 · MITRE ATT&CK-Tagged

F5 Labs

SparkRAT: Exploiting Architectural Weaknesses in Open-Source Offensive Tools

2025-08-06

ATT&CK techniques detected

9 predictions
T1588.002 Tool (94%)
“intrusion tradecraft. Formal data supporting this is in short supply. However, trend data is available for 2015 through to 2020 showing a clear growth trend in the adoption of offensive tools for which the source code is widely available.2 Figure 1: Percentage of open-source …”

T1071.001 Web Protocols (91%)
“are relayed by the C2 server over WebSockets directly from the operator UI through to the client. This opens up the potential for defenders to exploit this trust relationship and potentially compromise the operator’s browser. - WebSocket traffic is still comparatively rare in m…”

T1588.001 Malware (90%)
“perhaps notable absence of remote desktop-like functionality. These factors have combined to make SparkRAT an attractive offensive tool choice, as is evidenced by the documented instances of its use in threat campaigns. Publicly available reporting begins on 2023-01 and has c…”

T1071.001 Web Protocols (87%)
“less cross-platform builds; the flip side is that the characteristic Go runtime artefacts make static detections more straightforward. Config - embeds its full client configuration inside the executable, defeating simplistic hash-based detections while simultaneously handing…”

T1588.002 Tool (85%)
“SparkRAT: Exploiting Architectural Weaknesses in Open-Source Offensive Tools. Introduction. SparkRAT is an open-source, freely available, and widely used remote access trojan and C2 server, all of which led us to want to explore it further. In this article, we look at the glob…”

T1588.001 Malware (64%)
“cases practical downsides that are under-leveraged by defenders. Defenders can acquire the very same source code, and blue- or purple-teams can emulate adversary behavior to benchmark and improve on detections and response procedures.8 As with all freely available source co…”

T1219 Remote Access Tools (45%)
“cases practical downsides that are under-leveraged by defenders. Defenders can acquire the very same source code, and blue- or purple-teams can emulate adversary behavior to benchmark and improve on detections and response procedures.8 As with all freely available source co…”

T1071.001 Web Protocols (44%)
“. The C2 server used a non-standard port and required a URL path prefix. There were no newer versions of the client than the binary we had access to. Architecture support was for the out-of-the-box variants. No other SparkRAT clients were actively connected. The C2 server…”

T1090.002 External Proxy (38%)
“are relayed by the C2 server over WebSockets directly from the operator UI through to the client. This opens up the potential for defenders to exploit this trust relationship and potentially compromise the operator’s browser. - WebSocket traffic is still comparatively rare in m…”

Summary

Persistent trend in open-source offensive tooling & implications for defenders