Sarina

About Sarina Gandy

This author has not yet filled in any details.
So far Sarina Gandy has created 110 blog entries.

USF Muma College of Business Offering In-Person Cybersecurity Training

Now Available In-Person: Cybersecurity Awareness Certificate Training for Florida State and Local Government Employees

This in-person option offered by the USF Muma College of Business meets the Cybersecurity Awareness Training requirement outlined in the Florida Digital Service’s Local Government Cybersecurity Resource Packet, and it brings the learning experience directly to your team.

Rather than completing the training online at your own pace, your organization can now engage USF instructors for on-site, instructor-led sessions. This format allows your entire workforce to receive the same curriculum at once, fostering a shared understanding of cybersecurity best practices and creating space for real-time questions and discussion.

Topics covered in the course include:

  • Phishing and common email scams
  • Password security and safe online behavior
  • Ransomware, scareware, viruses, and malware
  • Social engineering tactics
  • Best practices to protect sensitive information

This course empowers state and local government employees to recognize and respond to cyber threats—helping them serve as the first line of defense against cyberattacks.

In-person training is available to eligible Florida state and local government organizations.

Register

USF Muma College of Business Offering In-Person Cybersecurity Training2025-05-05T12:50:52-04:00

North Korea Responsible for $1.5 Billion Bybit Hack

I. Targeted Entities

Financial Sector, Crypto Space, ByBit, Bybit affiliates, and Bybit customers.

II. Introduction

On February 21, 2025, Bybit, a major cryptocurrency exchange, experienced a security breach that resulted in the loss of $1.5 billion worth of Ethereum. This incident is the largest digital heist in the history of cryptocurrency. Bybit is currently collaborating with experts to trace the stolen assets. They have launched a recovery bounty program, offering up to 10% of the recovered amount to individuals who can assist in retrieving the stolen crypto.

The Lazarus Group, a well-known hacking collective believed to be based in North Korea, has claimed responsibility for the attack. This group is notorious for orchestrating high-profile cyberattacks, particularly targeting financial institutions. In this instance, the attackers infiltrated a developer’s computer associated with the Gnosis Safe wallet, a widely used multi-signature wallet designed for secure management of cryptocurrency assets. Gnosis Safe operates by requiring multiple private key approvals to authorize transactions, providing an added layer of security to prevent unauthorized transfers.

However, the Lazarus Group managed to manipulate the Safe user interface (UI) that was specifically employed for Bybit transactions. By injecting malicious JavaScript into the UI, they were able to create the illusion that Bybit was authorizing a legitimate transaction. This allowed the attackers to bypass security protocols and facilitate the unauthorized transfer of funds, effectively masking their illicit actions as legitimate business operations. This attack highlights the vulnerabilities associated with software development environments and the potential for targeted manipulation of trusted tools like the Gnosis Safe.

III. Additional Background Information

The Lazarus group also known as APT38, has been active since at least 2009. Lazarus group was reportedly responsible for the November 2014 attack against Sony Pictures Entertainment as a part of a campaign named Operation blockbuster by Novetta. The group has been correlated to other campaigns including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.

In 2017, Lazarus group was reportedly responsible for the creation of the malware used in the 2017 WannaCry 2.0 global ransomware attack; the 2016 theft of $81 million from Bangladesh bank; and numerous other attacks or intrusions on the entertainment, financial services, defense, technology, and virtual currency industries, academia, and electric utilities.

The largest cryptocurrency heist attributed to Lazarus prior was in 2024 with the $308 million attack on Japan-based exchange DMM Bitcoin, the compromise of the Japanese cryptocurrency wallet software firm swiftly led to the company’s collapse and was largely known as the single largest crypto theft until now.

IV. MITRE ATT&CK

Initial Access via Supply Chain Compromise (T1071.001): Attackers gained access by compromising a developer’s machine associated with Safe {Wallet}, the platform used by Bybit for managing multi-signature wallets.

User Interface Manipulation (T1071.001): They injected malicious JavaScript into the Safe {Wallet} interface, altering transaction details to mislead wallet signers into approving unauthorized transactions.

Transaction Manipulation (T1071.001): By modifying the appearance and details of transactions, the attackers ensured that the signers unknowingly authorized the transfer of funds to addresses under their control.

Command and Control (T1071.001): The use of malicious JavaScript indicates a command-and-control mechanism to deliver and execute payloads on compromised systems.

V. Recommendations

Some recommendations we can offer to ensure your cryptocurrency is secure and mitigate risks of this hack occurring:

  • Enhance security around multi-signature wallets
    • Improving key management ensures they are used correctly with separate keys stored in different secure locations.
    • With regular key rotation, rotating keys are used for signing and it ensures they are in the hands of trusted individuals.
  • Harden social engineering defenses
    • Having users trained and aware of such attacks significantly reduces the chances of these attacks happening.
    • Training around phishing and data handling practices strengthens awareness as a whole.
  • Use hardware wallets (cold storage)
    • Hardware wallets allow users to store their private keys offline, making them immune to online attacks.
    • A way to avoid keeping larger amounts on exchanges.
  • Use a trustworthy cryptocurrency exchange – backed by MFA
    • A trustworthy exchange can mitigate risks to wallets on the platform if they are backed by multi-factor authentication and require verification for each transaction.
    • NEVER sharing your backup codes with anyone.

VI. IOCs (Indicators of Compromise)

The following is a screenshot showing that at the time of transaction signing, cache files containing Javascript resources were created on the Chrome browser of all three signers’ hosts. (From Sygnia’s Investigation Report)

The following shows screenshots of the injected code which activates under the condition that the transaction source matches one of two contract addresses, believed to be the associated threat actor. (From Sygnia’s Investigation Report) 

The following shows screenshots of comparisons between the original legitimate JavaScript resources within Safe {Wallet}’s code and the one with the modified malicious resource. (From Sygnia’s Investigation Report)

VII. Additional OSINT Information

The following Ethereum addresses are holding or have held assets from the theft, and are operated by or closely connected to North Korean TraderTraitor actors:

  • 0x51E9d833Ecae4E8D9D8Be17300AEE6D3398C135D
  • 0x96244D83DC15d36847C35209bBDc5bdDE9bEc3D8
  • 0x83c7678492D623fb98834F0fbcb2E7b7f5Af8950
  • 0x83Ef5E80faD88288F770152875Ab0bb16641a09E
  • 0xAF620E6d32B1c67f3396EF5d2F7d7642Dc2e6CE9
  • 0x3A21F4E6Bbe527D347ca7c157F4233c935779847
  • 0xfa3FcCCB897079fD83bfBA690E7D47Eb402d6c49
  • 0xFc926659Dd8808f6e3e0a8d61B20B871F3Fa6465
  • 0xb172F7e99452446f18FF49A71bfEeCf0873003b4
  • 0x6d46bd3AfF100f23C194e5312f93507978a6DC91
  • 0xf0a16603289eAF35F64077Ba3681af41194a1c09
  • 0x23Db729908137cb60852f2936D2b5c6De0e1c887
  • 0x40e98FeEEbaD7Ddb0F0534Ccaa617427eA10187e
  • 0x140c9Ab92347734641b1A7c124ffDeE58c20C3E3
  • 0x684d4b58Dc32af786BF6D572A792fF7A883428B9
  • 0xBC3e5e8C10897a81b63933348f53f2e052F89a7E
  • 0x5Af75eAB6BEC227657fA3E749a8BFd55f02e4b1D
  • 0xBCA02B395747D62626a65016F2e64A20bd254A39
  • 0x4C198B3B5F3a4b1Aa706daC73D826c2B795ccd67
  • 0xCd7eC020121Ead6f99855cbB972dF502dB5bC63a
  • 0xbdE2Cc5375fa9E0383309A2cA31213f2D6cabcbd
  • 0xD3C611AeD139107DEC2294032da3913BC26507fb
  • 0xB72334cB9D0b614D30C4c60e2bd12fF5Ed03c305
  • 0x8c7235e1A6EeF91b980D0FcA083347FBb7EE1806
  • 0x1bb0970508316DC735329752a4581E0a4bAbc6B4
  • 0x1eB27f136BFe7947f80d6ceE3Cf0bfDf92b45e57
  • 0xCd1a4A457cA8b0931c3BF81Df3CFa227ADBdb6E9
  • 0x09278b36863bE4cCd3d0c22d643E8062D7a11377
  • 0x660BfcEa3A5FAF823e8f8bF57dd558db034dea1d
  • 0xE9bc552fdFa54b30296d95F147e3e0280FF7f7e6
  • 0x30a822CDD2782D2B2A12a08526452e885978FA1D
  • 0xB4a862A81aBB2f952FcA4C6f5510962e18c7f1A2
  • 0x0e8C1E2881F35Ef20343264862A242FB749d6b35
  • 0x9271EDdda0F0f2bB7b1A0c712bdF8dbD0A38d1Ab
  • 0xe69753Ddfbedbd249E703EB374452E78dae1ae49
  • 0x2290937A4498C96eFfb87b8371a33D108F8D433f
  • 0x959c4CA19c4532C97A657D82d97acCBAb70e6fb4
  • 0x52207Ec7B1b43AA5DB116931a904371ae2C1619e
  • 0x9eF42873Ae015AA3da0c4354AeF94a18D2B3407b
  • 0x1542368a03ad1f03d96D51B414f4738961Cf4443
  • 0x21032176B43d9f7E9410fB37290a78f4fEd6044C
  • 0xA4B2Fd68593B6F34E51cB9eDB66E71c1B4Ab449e
  • 0x55CCa2f5eB07907696afe4b9Db5102bcE5feB734
  • 0xA5A023E052243b7cce34Cbd4ba20180e8Dea6Ad6
  • 0xdD90071D52F20e85c89802e5Dc1eC0A7B6475f92
  • 0x1512fcb09463A61862B73ec09B9b354aF1790268
  • 0xF302572594a68aA8F951faE64ED3aE7DA41c72Be
  • 0x723a7084028421994d4a7829108D63aB44658315
  • 0xf03AfB1c6A11A7E370920ad42e6eE735dBedF0b1
  • 0xEB0bAA3A556586192590CAD296b1e48dF62a8549
  • 0xD5b58Cf7813c1eDC412367b97876bD400ea5c489

The list of addresses associated with the Bybit hack are still continuously being updated and the blocklist can be found here.

The following shows how the attackers moved funds off Bybit after the initial hack as shown by TRM Labs. (The following is derived from TRM Labs) 

The following shows the rapid laundering process as of March 2, 2025, this includes transfers through multiple wallets and conversions into different cryptocurrencies. (The following is derived from TRM Labs)

The following shows the rapid laundering process as of March 2, 2025, this includes transfers through multiple wallets and conversions into different cryptocurrencies. (The following is derived from TRM Labs)

VIII. References

Bybit Confirms Security Integrity Amid Safe{Wallet} Incident – No Compromise in Infrastructure. Bybit Press. (2025, February 26). https://www.bybit.com/en/press/post/bybit-confirms-security-integrity-amid-safe-wallet-incident-no-compromise-in-infrastructure-blt9986889e919da8d2

Greig, J. (2024, December 25). FBI attributes largest crypto hack of 2024 to North Korea’s TraderTraitor. Cyber Security News | The Record. https://therecord.media/fbi-largest-crypto-hack-2024-tradertraitor

Internet Crime Complaint Center (IC3) | North Korea responsible for $1.5 billion bybit hack. (2025, February 26). https://www.ic3.gov/PSA/2025/PSA250226

North Korean Regime-Backed Programmer Charged With Conspiracy to. (2025, February 6). https://www.justice.gov/archives/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and

Team, C. (2025, February 27). Leveraging transparency for collaboration in the wake of Record-Breaking Bybit theft [UPDATED 2/27/25]. Chainalysis. https://www.chainalysis.com/blog/bybit-exchange-hack-february-2025-crypto-security-dprk/

The Bybit hack: following North Korea’s largest exploit | TRM Insights. (n.d.). https://www.trmlabs.com/post/the-bybit-hack-following-north-koreas-largest-exploit

Threat Advisory created by the Cyber Florida Security Operations Center.

Contributing Security Analysts: Nahyan Jamil and Jason Doan

North Korea Responsible for $1.5 Billion Bybit Hack2025-04-09T14:31:32-04:00

DieNet: A Rising Hacktivist Group Targeting Critical Infrastructure

I. Targeted Entities

  • Energy Sector
  • Healthcare Sector
  • Transportation Sector
  • Financial Services
  • Critical Infrastructure
  • Telecommunications
  • Higher Education

II. Introduction

DieNet first emerged on March 7th, 2025. According to Radware, a global cybersecurity and application provider, they have claimed 61 attacks against 19 United States organizations. DieNet has also claimed 17 attacks against many organizations in countries such as Iraq, Netherlands, Egypt, and Israel. DieNet is known to target critical infrastructure particularly in the sectors of transportation, energy, finance, telecommunications, and healthcare. DieNet has been seen carrying out Distributed Denial of Service (DDoS) attacks against organizations to gain headline attention as a form of protest. They have targeted military and government entities around the time of political decisions.

  • This hacktivist group has many political and social motives. They have stated to be anti-Trump and anti-Zionist. Some pro-Palestinian hacktivist groups have endorsed DieNet, sharing the same ideologies and frameworks. It appears any organizations or groups in support of the United States President Donald Trump or receiving federal funding are targets. These cyber criminals often frame their attacks around retaliation for military actions or political decisions.
  • This group includes bold and aggressive messages, threats, and taunts within their attacks. These bold and aggressive messages include statements such as “We are watching you”. These attacks are strategically carried out to maximize visibility. It has been noted that the persistence seen within these DDoS attacks would be near impossible for most botnets. These attacks are short but fierce, taking down and defacing websites and services.

III. Additional Background Information

  • Hacktivists are individuals or groups that conduct cyber-attacks to bring awareness to specific political, social, religious, or global causes. These actions are carried out to gain visibility or make a statement, supporting a cause they are promoting. Hacktivism is carried out in many forms such as Distributed Denial of Service (DDOS) attacks, doxing, or defacement of websites. DDoS attacks work by using multiple botnets which can be scattered across various geographic locations and flood an organizations server infrastructure with traffic making the resources unavailable. This can cause large disruptions in service. Botnets are networks of computers that have been infected with malware, hijacked, and now carry out various cyberattacks. These are specifically important when it comes to large Distributed Denial of Service (DDoS) attacks as they require heavy computing power.
  • DieNet stated on Telegram, a messaging service commonly used by this group’s members, that DieNet v2 has begun service, which includes larger botnets and increased membership. Currently, a report from the Center for Internet Security stated another Telegram message from DieNet was released on March 21st that told the public they had breached a United States Federal Government agency and acquired government employees Personally Identifiable Information (PII). If this claim becomes verified, it could result in a large escalation of DieNet’s Tactics, Techniques, and Procedures (TTPs).
  • At the time of this being written, Recorded Future, a leading cyber threat intelligence platform, has seen DieNet carry out suspected attacks in the United States against the Port of Los Angeles, Chicago Transit, Lumen Technologies, the North American Electric Reliability Corporation, U.S. Department of Commerce, International Trade Administration, Nasdaq, Inc., Northeastern University, Meditech, Pacific Gas and Electric Company, WaterOne, CoinBase, the National Emergency Medical Services Information System, U.S. Postal Service, Epic Systems, NASA, Veterans of Foreign Wars, FBI Crime Data Explorer, X, Axos Bank, Lyft, ProductionHUB, and Azure.
  • Although there is currently limited information, as this group was established less than 3 weeks ago at the time this advisory was written, the exploit seems to use exploit tactics that are defined in the MITRE ATT&CK framework, such as T1498, Network Denial of Service, and T1491.002, Defacement: External Defacement.
  • Previous DDoS attacks that involve hacktivists bring major concern to the target industries as these attacks can cause service interruptions, societal concern, and financial losses.
  • Organizations are strongly urged to maintain proper security practices. These practices should include security awareness training, applying the latest patches and monitoring for indicators of compromise (IoC). Failure to follow these procedures could result in severe disruptions and possible data breaches.

IV. MITRE ATT&CK

  • T1498-Network Denial of Service
    This type of attack involves the adversary blocking the availability of targeted resources to users of a system. In this case, the adversary exhausts the network bandwidth, rendering websites and services unavailable.
  • T1491.002-Defacement: External Defacement
    This type of sub attack is used to deface external systems of a group or organization in an attempt to display a message. In this case, DieNet is using this as a way to intimidate the organizations and gain visibility.

V. Recommendations

  • Implement a Defense-In-Depth Strategy
    • Implement many different layers of security. This can include reducing your organization’s DDoS attack surface by restricting access to areas and blocking communication on unused or unsecure ports, protocols, and services. Other layers include configuring Endpoint Detection and Response (EDR) software, firewalls, and robust Anti-Virus (AV) to all devices and systems. Always perform both online and offline backups. Preforming both will ensure that copies of data are in various locations, one of which being inaccessible to the attacker.
  • Apply Rate Limiting and Load Balancers
    • Rate limiting puts a threshold on how often an action can be repeated in a certain timeframe. Implementation of rate limiting through network configuration settings can help prevent botnet activity. Load Balancers are the first line of defense against DDoS attacks. Having proper load balancers in place will also make sure your websites and services stay available during a DDoS attack. In the event of a DDoS attack, load balancers can distribute traffic across multiple servers, allowing the ability for services to remain available in some cases.
  • Implement a Web Application Firewall (WAF)
    • A WAF works dynamically using custom policies based on your organizations environment to filter and analyze network traffic. The WAF can change and add new policies to combat any emerging attacks by continuously monitoring network traffic for changes.
  • Establish an Incident Response Plan
    • Create or revise an incident response plan that includes steps for handling a Denial of Service or Distributed Denial of Service attack. The reaction team should be equipped and trained to deal with any possible breaches as well.

VI. Indicators of Compromise (IOCs)

The attacks being carried out by DieNet are constantly evolving, have botnets that span across the globe, use encrypted traffic, and employ the use of legitimate IP addresses making it incredibly difficult to find reliable IoCs.

 

Type Indicator
Telegram Forum hxxps://t[.]me/D1eNet
Telegram Forum hxxps://t[.]me/DIeNlt
Ally Telegram User hxxps://t[.]me/blackopmrhamza2
Ally Telegram User hxxps://t[.]me/LazaGrad
Ally Telegram User hxxps://t[.]me/sylhetgangsgofficial01
Hacker Forum hxxps://t[.]me/ghostsforum/28129

 

VII. Additional OSINT Information

Image 1 of DDoS Attack on the Nasdaq Stock Exchange

Image 2 of Anti-Trump Verbage

Recorded Future Threat Intelligence Platform

Image 3 of DieNet v2 DDos Attack on Azure

Recorded Future Threat Intelligence Platform

Image 4 of DieNet Website Defacement

Recorded Future Threat Intelligence Platform

Image 5 of DieNet DDoS Affecting Login Pages

Recorded Future Threat Intelligence Platform

Associated Hacktivist Groups:

-Mr Hamza: Pro-Palestinian, pro-Russian, pro-Iranian hacktivist group promoting DieNet.

-LazaGrad Hack: Pro-Palestinian, pro-Russian hacktivist group promoting DieNet.

-Sylhet Gang-SG: Hacktivist group targeting allies of Zionist entities.

VIII. References

Baker, K. (2025). Indicators of compromise (IOC) security. CrowdStrike. https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/indicators-of-compromise-ioc/#:~:text=As%20cyber%20criminals%20become%20more,which%20makes%20detection%20more%20difficult.

Center for Internet Security (CIS). (2025, March 26). Threat Actor Profile – Emerging Hacktivist Group DieNet Claims Distributed Denial-of-Service Attacks against U.S. Critical Infrastructure.

CyberKnow (@cyberknow20). X. (2025). https://twitter.com/Cyberknow20

Defacement: External defacement. Defacement: External Defacement, Sub-technique T1491.002 – Enterprise | MITRE ATT&CK®. (n.d.). https://attack.mitre.org/techniques/T1491/002/

DieNet Activity Escalates Against US Organizations. Radware. (2025, March 18). https://www.radware.com/security/threat-advisories-and-attack-reports/dienet-activity-escalates-against-us-organizations/

DieNet Organization. Recorded Future. (2025). https://app.recordedfuture.com/portal/intelligence-card/sMCKdQ/overview

Dos attack vs ddos attack: Key differences? Fortinet. (n.d.-a). https://www.fortinet.com/resources/cyberglossary/dos-vs-ddos#:~:text=What%20Is%20The%20Difference%20Between,to%20flood%20a%20targeted%20resource.

Goldman, L. (2023, March 17). Why load balancers should be part of your security architecture. Spiceworks Inc. https://www.spiceworks.com/it-security/network-security/guest-article/load-balancers-security-architecture/#:~:text=Load%20balancers%20offer%20an%20extra,the%20importance%20of%20load%20balancers.

How to prevent ddos attacks | methods and tools. Cloudflare. (n.d.-a). https://www.cloudflare.com/learning/ddos/how-to-prevent-ddos-attacks/

Network denial of service. Network Denial of Service, Technique T1498 – Enterprise | MITRE ATT&CK®. (n.d.). https://attack.mitre.org/techniques/T1498/

What is API rate limiting and how to implement it on your website. DataDome. (2020). https://datadome.co/bot-management-protection/what-is-api-rate-limiting/

What is hacktivism? meaning, types, and more. Fortinet. (n.d.-b). https://www.fortinet.com/resources/cyberglossary/what-is-hacktivism

What is load balancing? | how load balancers work. Cloudflare. (n.d.-b). https://www.cloudflare.com/learning/performance/what-is-load-balancing/

What is rate limiting? | rate limiting and bots . Cloudflare. (n.d.-c). https://www.cloudflare.com/learning/bots/what-is-rate-limiting/

Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analyst(s): Tim Kircher

DieNet: A Rising Hacktivist Group Targeting Critical Infrastructure2025-04-08T14:09:02-04:00

Malware Campaign Exploits Microsoft Dev Tunnels

I. Targeted Entities

This campaign does not target any specific industry and has been observed attacking a wide variety of individuals and organizations. However, the malware utilized by this campaign (njRAT) was found to have originated in the Middle East and is primarily used to target Arabic-speaking countries [1][7].

II. Introduction

Part of the Microsoft Azure official toolkit and used by developers to test apps and sync local testing environments securely over the internet, the ‘dev tunnels’ service has made a surprising appearance in a recent threat campaign leveraging a new variant of the popular njRAT Remote Access Trojan [9]. A blog post published on the SANS Internet Storm Center by security researcher Xavier Mertens (@xme) announced the discovery of the malware, highlighting its creative use of Microsoft’s dev tunnels for communication between infected devices and identified command-and-control (C2) servers [8].

Mertens says he spotted this strain of njRAT sending continuous status updates to C2 servers via dev tunnel URLs. A deeper analysis of captured samples revealed hardcoded server listening ports, the suspected botnet name, client version and capabilities of the malware [8].

JSON extraction of recent njRAT sample (Source: SANS Internet Storm Center)

Reconstructed code showing USB propagation ability (Source: SANS Internet Storm Center)

In his findings, he also discusses the ability of this malware to detect and propagate to external hard drives via USB. Shown in the code snippet below, if the ‘OK.usb’ variable is set to True, the malware will attempt to copy itself to any mounted USB devices [8].

Reconstructed code showing USB propagation ability (Source: SANS Internet Storm Center)

III. Background

First observed in 2012, njRAT has become one of the most widely accessible Remote Access Trojan (RATs) on the market. It features an abundance of educational information with many tutorials available online [1]. This, combined with its open-source nature, has ranked it among the most popular RATs in the world. According to ANY.RUN, a prominent online malware analysis service, the njRAT malware family currently holds the #2 spot for all time total submission count [3]. Though historically used for browser cookie and credential theft, njRAT boasts a wide range of capabilities including keylogging, webcam/screen recording, cryptocurrency theft and wallet enumeration, registry modifications, file uploads, and USB drive propagation [7].

The use of legitimate services to mask command and control communication and data exfiltration, often called ‘C2 tunneling’, is hardly a novel concept. Cloudflare Tunnel (cloudflared), ngrok, and the DNS protocol, have and continue to be exploited by bad actors to conceal this malicious network activity [6]. Interestingly, previous njRAT campaigns have also abused services like Pastebin for C2 tunneling, only this time, there is the added certificate authority trust inherited by routing traffic through Microsoft’s Azure infrastructure [5]. However, the use of dev tunnels for stealth data exfiltration has existed as a proof of concept as early as 2023, when the tool was first released alongside Visual Studio 2022 v17.6 [4][10].

The setup of dev tunnels for C2 redirection is a relatively straightforward process. The threat actor needs only a valid GitHub or Microsoft account and the free executable available on Windows, MacOS, and Linux [11]. With that, they would need to authenticate via the tool with one of the following commands:

After verification, a secure, persistent channel can be deployed by issuing the following:

With the dev tunnel active, all the attacker has to do is bind the channel to their C2 listener port on the same host machine [4]. Now, the control server and infected devices will direct all C2 traffic through a trusted proxy hosted within Microsoft’s Azure cloud infrastructure.

It is worth noting that regardless of the actual traffic direction or protocol being used, the tunnel always presents itself to the victim’s network as outbound TLS traffic. This means that even when an adversary is actively connecting inbound to a victim’s system, the connection appears in network logs and monitoring tools as a standard outbound HTTPS connection originating from the victim’s network [11].

V. MITRE ATT&CK

  • S0385 – njRAT
    This campaign utilizes a variant of the njRAT Remote Access Trojan.
  • TA0011 – Command and Control (C2)
    Following system infection, njRAT will contact a control server awaiting instructions from an attacker. It can be configured to choose from a list of attacker-owned servers.
  • T1572 – Protocol Tunneling
    Using the Microsoft dev tunnel service, infected system outreach, data exfiltration, and malicious commands from the control server occur over disposable, encrypted channels, making it harder for traditional security systems to spot and implement effective preventions.
  • T1547.001 – Registry Run Keys / Startup Folder
    On infected Windows systems, this variation of njRAT creates a registry value entry under the ‘Software\Microsoft\Windows\CurrentVersion\Run\’ key path. To achieve persistence across reboots, the malicious program references itself using this “run key”, executing each time a user logs in.
  • T1082 – System Information Discovery
    The malware performs enumeration of the infected host. It checks the OS version, supported languages, hostname, registry GUID, and other information that is then sent to the control server [2].
  • T1091 – Replication Through Removable Media
    njRAT will attempt to detect any removable drives connected to the system. If found, the malware will create a standalone copy of itself to that drive.

V. Indicators of Compromise (IOCs)

Type Indicator
SHA-256 Hashes 0b0c8fb59db1c32ed9d435abb0f7e2e8c3365325d59b1f3feeba62b7dc0143ee

9ea760274186449a60f2b663f535c4fbbefa74bc050df07614150e8321eccdb7

cb2d8470a77930221f23415a57bc5d6901b89de6c091a3cfbc563e4bf0e7b4eb

c0513783d569051bdc230587729b1da881f7032c2ad6e8fedbbdcc61d813da25
Associated Filenames dsadasfjamsdf.exe

c3df7e844033ec8845b244241c198fcc.exe
Registry Key Software\Microsoft\Windows\CurrentVersion\Run\af63c521a8fa69a8f1d113eb79855a75
IPs 20.103.221[.]187
C2 URLs hxxps://nbw49tk2-27602.euw.devtunnels[.]ms/

hxxps://nbw49tk2-25505.euw.devtunnels[.]ms/
Dev Tunnel Domain Formats global.rel.tunnels.api.visualstudio.com

[clusterId].rel.tunnels.api.visualstudio.com

[clusterId]-data.rel.tunnels.api.visualstudio.com

*.[clusterId].devtunnels.ms

*.devtunnels.ms

VII. Recommendations

Monitor DNS Traffic for Dev Tunnel URLs – Organizations not using dev tunnels should keep an eye on DNS logs for any unexpected dev tunnel URLs (typically ending in “.devtunnels.ms”) that may indicate potential C2 communication [5]. IDS/IPS rules should be applied to automatically alert or block this traffic.

Beware of USB Devices – This variant, as well as previous versions of njRAT, has the ability to detect and spread to external hard drives connected via USB. Users should exercise caution when interacting with unknown USB devices. For critical systems, it may also be advised to locally disable the use of external storage hardware.

Use EDR/Host-Based IDS – The malware’s use of dev tunnels can blend its traffic with normal activity, rendering network intrusion detection efforts less effective. Configuring endpoint protection solutions to detect and flag the use of Microsoft-signed binaries (e.g., devtunnel.exe) by anomalous parent processes or modifications to the auto-run registry can offer another layer of defense to address this gap [5].

Network Segmentation – Botnet malware like njRAT spreads primarily via ‘spray and pray’ orchestration, typically infecting internet-facing devices that lack proper security controls. IoT devices, poorly configured web servers, and routers with deprecated firmware make up a sizable portion of modern botnet infrastructure. If security patches or hardening cannot be applied to such systems, isolating them from the main home or enterprise network is imperative to prevent lateral movement to critical systems.

Stay Informed on the Latest TTPs – As threat actors become more innovative in their detection evasion and exfiltration techniques, security analysts must remain up to speed with the ongoing changes of an evolving threat landscape.

VIII. References

[1] ANY.RUN. (March 9, 2025). NJRAT. https://any.run/malware-trends/njrat

[2] ANY.RUN. (February 27, 2025). dsadasfjamsdf.exe Sandbox Analysis. https://app.any.run/tasks/c01ea110-ecbf-483a-8b0f-d777e255ad9c

[3] ANY.RUN. (March 9, 2025). Malware Trends Tracker. https://any.run/malware-trends/

[4] Au, C. (August 9, 2023). Microsoft Dev Tunnels as C2 Channel. https://www.netero1010-securitylab.com/red-team/microsoft-dev-tunnels-as-c2-channel

[5] Baran, G. (February 28, 2025). Njrat Attacking Users Abusing Microsoft Dev Tunnels for C2 Communications. https://cybersecuritynews.com/njrat-attacking-abusing-microsoft-dev/

[6] BlueteamOps. (Oct 23, 2023). Detecting ‘Dev Tunnels.’ https://detect.fyi/detecting-dev-tunnels-16f0994dc3e2

[7] Check Point. (August 15, 2023). What is NJRat Malware? https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-njrat-malware/

[8] Mertens, X. (February 27, 2025). Njrat Campaign Using Microsoft Dev Tunnels. https://isc.sans.edu/diary/Njrat%20Campaign%20Using%20Microsoft%20Dev%20Tunnels/31724

[9] Microsoft. (November 17, 2023). What are dev tunnels? https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview

[10] Montemagno, J. (February 5, 2024) Dev Tunnels: A Game Changer for Mobile Developers. https://devblogs.microsoft.com/dotnet/dev-tunnels-a-game-changer-for-mobile-developers/

[11] Rossouw, F. (December 5, 2024). Malware of the Day – Tunneling Havoc C2 with Microsoft Dev Tunnels. https://www.activecountermeasures.com/malware-of-the-day-tunneling-havoc-c2-with-microsoft-dev-tunnels/

Threat Advisory created by The Cyber Florida Security Operations Center.

Contributing Security Analyst(s): Isaac Ward

Malware Campaign Exploits Microsoft Dev Tunnels2025-03-31T12:44:43-04:00

FirstLine Election Infrastructure Cybersecurity Tabletop Exercise Series

Join our FirstLine team for a dynamic Election Infrastructure Cybersecurity Tabletop Exercise!

This event is designed to bring together elections officials, IT teams, law enforcement, and other key personnel to walk through realistic scenarios and strengthen coordinated responses to cyber and physical security threats.

Don’t miss this chance to improve your cybersecurity posture and resilience!

Where Can I Join?

  • Jacksonville – June 9
  • Gainesville – June 11
  • Orlando – June 16
  • Sarasota – June 18
  • Panama City Beach – July 8
  • Tallahassee – July 10

Dates are subject to change. If updates are made, notifications will be sent by email to registrants.

Is This Event for You?

This tabletop exercise series is designed for professionals who understand election processes or support them, as well as those responsible for protecting systems, data, and public trust. If you’re involved in planning, incident response, or decision-making in these areas, this is the event for you.

Election Leadership & Administration

  • Supervisors of Elections (SOEs)
  • Assistant SOEs
  • Chief Deputy SOEs
  • Deputy Directors of Voter Services

IT & Systems Personnel (with Elections Focus)

  • IT & Election Systems Supervisors
  • Elections IT
  • IT Analysts / Coordinators
  • IT Managers

Cybersecurity & Risk Management

  • Cybersecurity Manager
  • Sr. Cybersecurity Manager
  • Cybersecurity Community Operations
  • IT Security Administrators
  • Digital Forensics / Incident Response Roles

Law Enforcement & Public Safety Leadership

  • Detectives / Investigators
  • Crime Intelligence Analysts
FirstLine Election Infrastructure Cybersecurity Tabletop Exercise Series2025-05-01T15:23:25-04:00

Cybersecurity Fundamentals for Florida Manufacturers: FloridaMakes Webinar

This webinar will cover how to plan a simple roadmap and additional recommendations for getting started defending your company from Cybersecurity attacks.

For FloridaMakes clients working with Defense customers, provided is an overview of the Department of Defense Cybersecurity Maturity Model Certification (CMMC) program, and recommendations for getting started and achieving this critical compliance requirement.

Speakers will present the no-cost programs and services available to Florida companies, including the Critical Infrastructure Risk Assessment.

The presentation will conclude with next steps and additional resources to get you on a path toward CMMC compliance.

Finally, extra time will be allocated for a robust Q&A starting with a review of the concerns posed at the prior webinar.

Key Takeaways:        

  • Briefly review the key concepts of cybersecurity, CMMC Level 1 and Level 2, DIB, FCRA and other pertinent acronyms;
  • Resume learning the roadmap for starting a Cybersecurity practice if you don’t already have one;
  • Overview and key steps for achieving CMMC compliance for Defense suppliers;
  • No-cost resources provided by Cyber Florida, including the Critical Infrastructure Risk Assessment.
Cybersecurity Fundamentals for Florida Manufacturers: FloridaMakes Webinar2025-04-14T11:18:32-04:00

FEMA Offering “Recovering From Cybersecurity Incidents” Course in March

This 16-hour course provides guidance on building and executing a robust cybersecurity incident recovery program, covering both pre- and post-incident stages. It bridges IT and emergency management to help government, critical infrastructure, and private-sector personnel effectively respond to and recover from cyber disruptions.

Through interactive discussion and practical exercises, participants will learn best practices and tactical strategies for restoring operations following a cyber-attack. By the end of this course, you’ll be equipped to strengthen organizational resilience, manage cyber incidents more effectively, and build an action plan for continued readiness.

As part of a Department of Homeland Security/Federal Emergency Management Agency (DHS/FEMA) cooperative agreement training program, this course is available at no direct cost to state, county, and local government agencies.

Key Topics Include:

  • Understanding essential cyber terminology and the cyber incident life cycle
  • Recognizing threat levels and exploring emergency management practices
  • Examining the recovery continuum and government’s role in cybersecurity
  • Integrating cyber into the Incident Command System (ICS)
  • Leveraging federal resources and key programmatic elements that drive successful recovery
  • Learning how to plan, organize, equip, train, and exercise for cyber incidents
  • Implementing short-term and long-term recovery actions
  • Building a cyber incident recovery action plan tailored to your organization’s needs

Suggested Audience

  • Government and private sector IT staff
  • Local administrators and upper-level management personnel
  • System administration
  • Risk management personnel
  • Local government administration
  • Emergency management coordinators

Upon successful completion, you will be able to:

  • Describe fundamental concepts and resources related to cyber incident recovery.
  • Examine recovery preparedness for cybersecurity incidents.
  • Examine tactical, short-term and strategic, long-term recovery operations for cybersecurity incidents.
  • Produce a cyber incident recovery action plan based on the scenario information provided.

Enrollment Requirements

Participants must be U.S. citizens. A FEMA Student ID is required to register for and participate in any training provided by FEMA agencies. All FEMA training providers, registration systems, and enrollment procedures are required to use this FEMA SID, which can be obtained at the following website: https://cdp.dhs.gov/femasidopens in a new tab; or with TEEX assistance upon arrival for class.

FEMA Offering “Recovering From Cybersecurity Incidents” Course in March2025-04-14T11:18:58-04:00

Unlocking Potential: The Critical Role of Basic Research in Cybersecurity

This webinar will underscore the crucial role of basic research in driving cybersecurity innovation from a multidisciplinary perspective and raise awareness within the academic community about UC2’s interest in partnering to fund groundbreaking basic research in cybersecurity.

With a welcome introduction by National Defense University’s President, VADM Peter A. Garvin, USN, guest speakers from Space Force, Air Force and Minerva Research Initiative will address cyber strategy for Space Force, levels of basic research and technological applications, research requirements, future-focused discussions, and human-centered needs.

Speakers:

  • Lt Col Marouane Balmakhtar, Space Force
  • Dr. Lisa Bellamy, Senior Program Development Manager, AFCYBER/TD
  • Dr. Gregory Ruark, Program Manager, Dynamical Influences on Social Systems, Humans in Complex Systems Competency, Army Program Manager, Minerva Research Initiative DEVCOM ARL Army Research Office

Register today to join this conversation about the transformative potential of basic research in cybersecurity and discover exciting opportunities for academic partnerships with UC2.

Communication, Collaboration and Access: UC2 aims to fill this gap through its mission of increasing communication, collaboration, and access. UC2 funds basic and applied research. With a strong focus on partnerships, UC2 measures the impact of collaboration. UC2 believes that partnership will influence how research is transferred into the hands of users and also the DoD challenges are transferred back to the academic teams who can address them.

Unlocking Potential: The Critical Role of Basic Research in Cybersecurity2025-04-14T11:19:20-04:00

SparkRAT: A Multi-Platform Remote Access Tool

I. Targeted Entities

  • Industries: Any (Opportunistic)
  • Operating Systems: Windows, macOS, and Linux

II. Introduction

Written primarily in Golang, SparkRAT is a feature-rich, multi-platform Remote Administration Tool (RAT) that allows for the granular control of infected devices via web interface [11]. It was first published on GitHub in March of 2022 by elusive, Chinese-speaking developer XZB-1248. However, the project went largely unnoticed until gaining steady popularity in early 2023. Since then, the tool has been observed in numerous threat campaigns, including those carried out by cybercriminal groups Winnti and DragonSpark, as well as its involvement in the Hello Kitty and TellYouThePass ransomware attacks [6].

Like most Remote Access Toolkits, SparkRAT has been widely leveraged by threat actors for post-exploitation operations, typically being installed after the payload delivery and initial compromise. Most notably, the tool has been used in conjunction with several critical vulnerability exploits: CVE-2023-46604, CVE-2024-27198, and CVE-2024-43451 [1][3][4]. After a period of dormancy, SparkRAT resurfaced in January, with security researchers at Hunt.io detecting new C2 servers and hints of a possible DPRK campaign targeting macOS users [7].

III. SparkRAT Observed in DPRK Campaign

In a Twitter post by threat intelligence expert, Germán Fernández (@1ZRR4H) back in November 2024, a cyber espionage campaign attributed to the North Korean government was revealed, targeting macOS users and government organizations [5]. The threat actors behind this operation were reportedly distributing SparkRAT agents via fake online meeting platforms. Upon further investigation, researchers at Hunt.io and Cato Networks have recently identified additional C2 servers in South Korea and Singapore [2]. The findings suggest that this campaign is still active, although with a slight change in strategy and payload delivery method.

Interestingly, these uncovered C2 server domains were found to have open directories containing SparkRAT implants and bash scripts. Below are screenshots of an exposed directory and the content of its hosted scripts.

Screenshot of hxxps://gmcomamz[.]site/dev (Source: Hunt.io)

Curl results from hxxps://gmcomamz[.]site/dev/dev.sh

The bash script above downloads the Mach-O binary file (client.bin) from the hosting domain (updatetiker[.]site), saves it as “pull.bin” to the /Users/shared directory, changes its permissions to allow reading, writing, and execution by all system users, and runs the file as a background process. This is typical behavior of malware hosting servers.

The behavior of the test.sh script is similar, however, it points to another domain which has also been found to host SparkRAT agents (clients):

Curl results from hxxps://gmcomamz[.]site/dev/test.sh

IV. SparkRAT Analysis

SparkRAT Web Interface

Accessed through a browser, the SparkRAT Web UI provides an overview of active remote sessions along with system information of each connected machine. In addition to the basic operations listed below, the tool’s interface comes with several additional capabilities such as viewing a live instance of the victim’s screen, taking screenshots, and remote shutdown.

Client Creation

Generate Client creates an executable file that, when executed on a target machine, will create a backdoor connection with the associated C2 system. Clients can be customized to point to different hosts, connect over a specified port, and run on different operating systems (Windows, macOS/Darwin, and Linux).

Remote Terminal Window

As one would expect, the Terminal feature allows for attackers to execute commands on a target machine via a web-based PowerShell GUI. If used in combination with remote privilege escalation, attackers can carry out system-level operations like disabling the firewall, modifying registry keys, and disabling antivirus software.

Process Manager

The Process feature lists all running processes as well as the ability to stop them. This can be used to terminate security/monitoring software.

File Manager Tool

Explorer allows attackers to enumerate, create, and delete files/directories on the target system. It also allows files/directories to be downloaded to the attacker’s local machine or uploaded to the target machine.

Wireshark capture showing initial client-C2 communication

In this exchange, captured shortly after the execution of a SparkRAT agent, the target system sends a request to upgrade its connection to use the WebSocket protocol. A WebSocket handshake over port 8000 is a key characteristic of SparkRAT command-and-control (C2) traffic.

Client POST Request to update SparkRAT version

Following the WebSocket handshake, the target system sends a POST request with the commit query parameter storing the current version of the tool. This enables the RAT to automatically upgrade itself to the latest version available on the C2 server [10]. It is also worth noting the unusual User-Agent string as well as the JSON return value indicating that this client is using the latest SparkRAT version that the server can offer.

V. MITRE ATT&CK

  • T1059 – Command and Scripting Interpreter
    Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.
  • T1571 – Non-Standard Port
    Adversaries may communicate using a protocol and port pairing that are typically not associated.
  • T1005 – Data from Local System
    Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
  • T1071.001 – Application Layer Protocol: Web Protocols (C2)
    Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Protocols such as HTTP/S and WebSocket that carry web traffic may be very common in environments.
  • T1105 – Ingress Tool Transfer (C2)
    Adversaries may transfer tools or other files from an external system into a compromised environment.
  • T1573.001 – Symmetric Cryptography (C2)
    Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
  • T1082 – System Information Discovery
    An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
  • T1083 – File and Directory Discovery
    Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
  • T1106 – Native API
    Adversaries may interact with the native OS application programming interface (API) to execute behaviors.

VI. Indicators of Compromise (IOCs)

As is the case with most open-source malware toolkits, the list of IOCs associated with SparkRAT activity is extensive. Currently, the project’s GitHub repository has over 500 forks and 16,000 latest-release downloads, indicating that the tool is likely adapted for use in the development of custom malware (all of which would have their own IOCs). Below are the most recent and most frequently observed SparkRAT IOCs.

Type Indicator
SHA-256 Hashes fcf9b70253437c56bb00315da859ce8e40d6410ec405c1473b374359d5277209

3bfb4f5c328d57b647ba81045eae223ff292f0caa216fee97e98127b2934c6b0

cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56

9c4d6d66dcef74f4a6ce82369830a4df914becd7eb543bdcc5d339b7b3db254b

cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56

52277d43d2f5e8fa8c856e1c098a1ff260a956f0598e16c8fb1b38e3a9374d15

ffe4cfde23a1ef557f7dc56f53b3713d8faa9e47ae6562b61ffa1887e5d2d56e

065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

f015f91722c57cdb7ee61d947fb83f395d342e3d36159f7a470e23b6c03681bf

5802d266c6fd8f45323b7d86d670059f1bd98de42a173fbc2ac66399b9783713
Associated Filenames msoia.exe

client.bin

client.exe

3261cbac9f0ad69dd805bfd875eb0161.exe

one68_1_1.0.apk
IPs 67.217.62[.]106

152.32.138[.]108

15.235.130[.]160

118.194.249[.]38

51.79.218[.]159

37.230.62[.]73
Domains gsoonmann[.]site

gmnormails[.]site

gmoonsom[.]site

nasanecesoi[.]site

gmoocsoom[.]site

gmcomamz[.]site

namerowem[.]site

gmoosomnoem[.]site

mncomgom[.]site

ggnmcomas[.]site

updatetiker[.]net

updatetiker[.]site

gomncomow[.]site

gooczmmnc[.]site

gnmoommle[.]space

one68[.]top

remote[.]henh247[.]net

remote[.]henho247[.]net

VII. Recommendations

Exercise Good Cyber Hygiene – The easiest, most effective way to prevent system compromise via Remote Access Trojans like SparkRAT is to simply practice good cyber hygiene. This includes not opening unknown files, being suspicious of email attachments from untrusted sources, avoiding downloading software from unofficial websites, and regularly updating operating systems.

Isolated Virus Scans – Performing a malware detection scan (via crowdsourced tools like VirusTotal or antivirus software like Microsoft Defender’s custom scan option) on an untrusted file before executing it can be an easy way to verify its legitimacy. Fortunately, most AV solutions are privy to common SparkRAT indicators and will prevent infected files from executing. However, custom malware leveraging the tool may go undetected. If further analysis is required, it is advised to run any suspected file within a sandbox environment to examine its behavior.

Update Virus Signatures – Ensuring that endpoint solutions and antivirus software are up to date with the latest virus signatures is crucial for detecting and quarantining known variations of SparkRAT malware. Signature databases used by AV software are typically populated with new signatures when applying the latest security patches. For this reason, it is recommended to frequently update (daily) or configure automatic system/application updates.

Active Network Monitoring – A system infected with SparkRAT malware establishes a connection to its C2 server via WebSocket, a web-based application protocol that enables full-duplex communication between client and server [8]. Though sometimes used by legitimate software, such as instant messengers and multiplayer games, the use of this protocol over port 8000 (the default port for SparkRAT agents) could be a strong indicator of SparkRAT activity. To detect this traffic, network monitoring and deep packet inspection tools can be deployed to look for abnormal connections over port 8000, WebSocket handshakes by unknown applications, and JSON error messages indicative of SparkRAT C2.

Stay Informed – As SparkRAT gains traction, it is likely to be featured in future malware campaigns. Thankfully, threat hunters and intelligence agencies are vigilantly discovering and sharing IOCs linked to the tool. Engaging with threat intel networks and staying aware of new SparkRAT trends will allow for better preparation of systems and aid in detection efforts of emerging threats.

VIII. References

[1] Arctic Wolf. (November 3, 2023). Exploitation of CVE-2023-46604 in Apache ActiveMQ Leads to TellYouThePass Ransomware. https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/

[2] Bittner, D. (Jan 29, 2025). Cats and RATS are all the rage. https://thecyberwire.com/podcasts/daily-podcast/2234/transcript

[3] Broadcom (January 31, 2025). SparkRAT – a cross-platform modular malware. https://www.broadcom.com/support/security-center/protection-bulletin/sparkrat-a-cross-platform-modular-malware

[4] ClearSky (November 13, 2024). CVE-2024-43451: A New Zero-Day Vulnerability Exploited in the wild. https://www.clearskysec.com/0d-vulnerability-exploited-in-the_wild/

[5] Fernández, G. (Nov 27, 2024). SparkRAT: Server Detection, macOS Activity, and Malicious Connections. https://x.com/1ZRR4H/status/1861667506328334589/

[6] Fortinet. (February 13, 2024). Threat Coverage: How FortiEDR protects against SparkRAT activity. https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-SparkRAT-activity/ta-p/299271

[7] Hunt.io. (Jan 28, 2025). SparkRAT: Server Detection, macOS Activity, and Malicious Connections. https://hunt.io/blog/sparkrat-server-detection-macos-activity-and-malicious-connections

[8] IETF. (Dec 2011). The WebSocket Protocol. https://datatracker.ietf.org/doc/html/rfc6455

[9] Mishra, A. (Jan 29, 2025). Hackers Attacking Windows, macOS, and Linux systems With SparkRAT. https://gbhackers.com/hackers-attacking-windows-macos-and-linux-systems/

[10] SentinelLabs. (Jan 24, 2023) DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation. https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/

[11] XZB-1248. (Mar 16, 2022). SparkRAT GitHub Repository. https://github.com/XZB-1248/Spark

Additional Resources

[12] Open Threat Exchange. “SparkRAT”. https://otx.alienvault.com/browse/global/pulses?q=SparkRAT&include_inactive=0&sort=-modified&page=1&limit=10&indicatorsSearch=SparkRAT

[13] Malpedia. “SparkRAT”. https://malpedia.caad.fkie.fraunhofer.de/details/win.spark_rat

[14] ThreatFox. SparkRAT IOCs. https://threatfox.abuse.ch/browse/malware/win.spark_rat/

[15] Hybrid Analysis. client.bin Sandbox Report. https://www.hybrid-analysis.com/sample/cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56

[16] VirusTotal. client.bin Scan. https://www.virustotal.com/gui/file/cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56

Threat Advisory created by The Cyber Florida Security Operations Center.

Contributing Security Analyst(s): Isaac Ward

SparkRAT: A Multi-Platform Remote Access Tool2025-03-04T14:33:16-05:00

chat:CYBR Podcast Episode 9: June Teufel Dreyer

In this episode of chat:CYBR, Dr. June Teufel Dreyer discusses the evolving military strategy of China under Xi Jinping, focusing on their expanding military capabilities, particularly in cyber warfare. She highlights the implications of China’s actions in the Baltic Sea regarding fiber optic cables and the potential threats to global communications. The discussion also covers the cybersecurity landscape, emphasizing the need for the U.S. to adopt robust policies to counter China’s cyber threats. Dr. Dreyer concludes with thoughts on the importance of STEM education and the balance between

chat:CYBR Podcast Episode 9: June Teufel Dreyer2025-02-18T12:18:22-05:00

CONTACT US

Cyber Florida at USF
4202 E. Fowler Avenue, ISA7020
Tampa, FL 33620

Office meetings by appointment only

PRIVACY POLICY

Copyright 2024 The Florida Center for Cybersecurity at the University of South Florida. Information on this website is made available for general educational purposes only and should not be used in lieu of obtaining competent legal advice from a licensed attorney or cybersecurity professional with sufficient expertise necessary to address your specific needs. Use of this website does not create any special or fiduciary relationship between you and the Florida Center for Cybersecurity or the University of South Florida.