Hackers use Golang source code interpreter to evade detection

A Chinese-speaking hacking group referred to as DragonSpark was discovered using Golang source code interpretation to evade detection while launching espionage attacks against East Asian organizations.

SentinelLabs is tracking the attacks. Its researchers have reported that DragonSpark uses a little-known open-source tool, SparkRAT, to steal data from compromised systems and execute commands. They also perform lateral network movement.

Threat actors use compromised infrastructure in China and Taiwan to launch attacks. SentinelLabs has detected a vulnerability in MySQL databases that are online.

SparkRAT in the wild

Threat actors access vulnerable MySQL and web server endpoints by deploying webshells through SQL injection, cross-site scripting, or other web server vulnerabilities.

The attackers then deploy SparkRAT, a Golang-based open-source tool that offers remote access functionality and can run on Windows, macOS, or Linux.

SparkRAT can receive 26 commands from the C2 for the following functions:

  • Remotely execute PowerShell or Windows system commands
  • Manipulate Windows functions to force a restart, shutdown, or suspension.
  • Perform file actions like download, upload, or deletion.
  • Capture screenshots or steal system information and send them to C2.

SparkRAT communicates with C2 servers using the WebSocket protocol. It can also update itself automatically, adding new features.

SparkRAT upgrading itself automatically


SparkRAT is not the only tool used by DragonSpark. The group also uses BadPotato and SharpToken for privilege escalation, and GotoHTTP for persistence on breached systems.

Code interpretation has many advantages

The campaign's standout feature, however, is the use of Golang source code interpretation to execute Go scripts embedded in malware binaries.

This Go script opens a reverse shell that threat actors connect to using Meterpreter to execute remote code.

A Meterpreter session


During execution, the Yaegi framework is used to interpret the base64-encoded source code embedded in the binary. The code is executed without being compiled first, which avoids static analysis.

The technique is fairly complex, but it is very effective at hindering static analysis, because security software typically assesses only behavior and not source code.

Golang source code (SentinelLabs)
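The following Go program is an added example, not code from SentinelLabs or the original article. It shows one way a defender could triage a file for the technique described above, by checking for the Yaegi import path and for base64 runs that decode to Go source. The 64-character threshold, the marker strings and the function names are assumptions of this example, and the sample bytes are constructed.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"regexp"
)

// Yaegi's module path; Go binaries normally retain package paths of linked code.
const yaegiPath = "github.com/traefik/yaegi"
// Runs of 64+ base64 characters; the threshold is an assumption to limit noise.
var b64Run = regexp.MustCompile(`[A-Za-z0-9+/]{64,}`)

// looksLikeGo requires all three markers so arbitrary decodable data is rejected.
func looksLikeGo(b []byte) bool {
	return bytes.Contains(b, []byte("package ")) && bytes.Contains(b, []byte("import")) &&
		bytes.Contains(b, []byte("func "))
}

// Scan reports whether data holds the Yaegi path and returns base64 runs that decode to
// Go source. A run can begin with stray alphabet bytes, so all four alignments are tried.
func Scan(data []byte) (linksYaegi bool, sources []string) {
	linksYaegi = bytes.Contains(data, []byte(yaegiPath))
	for _, run := range b64Run.FindAll(data, -1) {
		for off := 0; off < 4; off++ {
			s := run[off:]
			if len(s)%4 == 1 {
				s = s[:len(s)-1] // a lone trailing character cannot be decoded
			}
			dec, err := base64.RawStdEncoding.DecodeString(string(s))
			if err == nil && looksLikeGo(dec) {
				sources = append(sources, string(dec))
				break
			}
		}
	}
	return
}

// constructedSample returns fake file bytes with a harmless embedded Go program.
func constructedSample() []byte {
	src := "package main\n\nimport \"fmt\"\n\nfunc main() { fmt.Println(\"constructed sample\") }\n"
	return []byte("\x7fELF\x00" + yaegiPath + "\x00" + base64.StdEncoding.EncodeToString([]byte(src)) + "\x00.rodata")
}

func main() {
	fmt.Println(Scan(constructedSample())) // interpreter flag, then any decoded sources
}
```

A hit from either check is a triage lead rather than a verdict: legitimate software also links Yaegi, and a payload that is encrypted or encoded differently will not match.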

Who is DragonSpark?

DragonSpark does not appear to have significant overlaps with Chinese-speaking hacking organizations; SentinelLabs gave the group a new name.

The Zegost malware was used to launch the attack. Zegost has historically been associated with espionage-focused advanced persistent threats (APTs) in China.

The webshell used by DragonSpark is one that threat actors around the world use to install malicious software on compromised servers.

DragonSpark also used open-source software developed by Chinese authors, which is a strong indication that the threat actors are closely linked to China.

DragonSpark used infected networks in Taiwan, Hong Kong, China, and Singapore that belonged to travel agencies, gambling-related businesses, art galleries, schools, and other institutions.