According to researchers at SentinelLabs, a Chinese threat actor tracked as DragonSpark has been stealing sensitive data from compromised systems around East Asia. The group's main access vector is vulnerable MySQL web servers and other endpoints, which it reaches by deploying webshells through SQL injection, cross-site scripting, or web server vulnerabilities. After gaining access, DragonSpark deploys SparkRAT, an open-source tool that runs on Windows, macOS, and Linux. The tool supports 26 different commands for communicating with a Command and Control (C2) server set up by the threat actors. Once SparkRAT is deployed, DragonSpark uses it to deliver a custom Golang interpreter. The interpreter is known by the filename the attackers use for it, m6699[.]exe, and by its hash (14ebbed449ccedac3610618b5265ff803243313d). Besides SparkRAT, DragonSpark also uses the SharpToken and BadPotato tools for privilege escalation and the GotoHTTP tool for establishing persistence on the breached system.
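As an added defender's example (not code from SentinelLabs, Binary Defense, or this page), the following Python hunt runs over constructed process-creation events and flags the two indicators quoted above plus the generic "web server process spawns a shell" pattern that webshell use produces. The parent-process list, the event field names, and the sample events are assumptions.

```python
import json

# Indicators quoted on this page (filename and SHA-1 of the custom Golang interpreter).
DRAGONSPARK_FILENAME = "m6699.exe"
DRAGONSPARK_SHA1 = "14ebbed449ccedac3610618b5265ff803243313d"

# Assumption: typical web/database server processes; a shell spawned by one of
# them is a common sign that a webshell is being used on the host.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd", "nginx", "apache2", "php-fpm", "mysqld"}
SHELLS = {"cmd.exe", "powershell.exe", "sh", "bash"}


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze_event(ev):
    """Return the detection names triggered by one process-creation event."""
    hits = []
    image, parent = basename(ev.get("image", "")), basename(ev.get("parent_image", ""))
    if ev.get("sha1", "").lower() == DRAGONSPARK_SHA1:
        hits.append("dragonspark_interpreter_hash")
    if image == DRAGONSPARK_FILENAME:
        hits.append("dragonspark_interpreter_name")
    if parent in WEB_SERVER_PARENTS and image in SHELLS:
        hits.append("webserver_spawned_shell")
    return hits


def hunt(log_lines):
    """Parse JSON-lines process events; return (host, image, hits) for each match."""
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        hits = analyze_event(ev)
        if hits:
            findings.append((ev["host"], ev["image"], hits))
    return findings


# Constructed sample events (not real telemetry), in a Sysmon-like JSON-lines shape.
SAMPLE_LOG = [
    r'{"host": "web01", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "sha1": "aaaa"}',
    r'{"host": "web01", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\Temp\\m6699.exe", "sha1": "14EBBED449CCEDAC3610618B5265FF803243313D"}',
    r'{"host": "ws07", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "sha1": "bbbb"}',
    r'{"host": "web02", "parent_image": "/usr/sbin/httpd", "image": "/bin/sh", "sha1": "cccc"}',
]

if __name__ == "__main__":
    for host, image, hits in hunt(SAMPLE_LOG):
        print(host, image, ", ".join(hits))
```

The hash comparison is case-insensitive because EDR and Sysmon exports differ in hex case; the parent/child rule will also fire on legitimate admin scripts, so tune WEB_SERVER_PARENTS to the hosts you actually run.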
How does Binary Defense help protect your organization? With best-in-breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.