27 Jan, 2023

DragonSpark, a China-Linked Group, Has Bypassed Security in Attacks

Researchers observed that a threat group believed to be Chinese, tracked as 'DragonSpark', used Golang source code to evade detection in its attacks against organizations in East Asia.

The attacks stand out from others in their use of the little-known open-source SparkRAT and Golang-based malware, which makes detection difficult. A notable feature of the attacks is the consistent use of SparkRAT for stealing information, taking control of infected hosts, and running additional PowerShell commands.

Although the threat actor's motivation appears to be espionage and cybercrime, its ultimate objective is still unknown. DragonSpark's ties to China stem from its use of the China Chopper web shell to deploy malware, a tool commonly used among Chinese-speaking threat actors. However, the infrastructure used to stage these payloads is owned not only by Chinese-affiliated companies but also by some legitimate companies in Taiwan, Hong Kong and Singapore.

Initial access begins with the compromise of internet-facing web servers and MySQL database servers. Next, privilege escalation and malware deployment are carried out with open-source tools such as SharpToken, BadPotato, and GotoHTTP.

Hosts are then infected with the SparkRAT remote access trojan, which executes arbitrary code, runs system commands, manipulates files, and exfiltrates data. Another malware to watch out for is the Golang-based m6699.exe, which is designed to bypass security solutions, execute the next stages of the attack, and communicate with the command-and-control (C2) server.
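As an added example (not code from the article or from the group's tooling), here is the kind of rule-based triage a defender could run over process-creation telemetry for the chain just described: a web server process spawning a shell (how a China Chopper web shell executes its commands), the m6699.exe loader by file name, and encoded PowerShell launched as its child. Field names and the sample events are constructed.

```python
"""Added example, not from the article: rule-based triage of process-creation events.
Field names (parent_image, image, command_line) and the sample events are constructed."""
from dataclasses import dataclass
import re

# A web shell such as China Chopper runs its commands as a child of the web server
# process, so a server binary spawning a shell is the primary indicator.
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd", "nginx", "php-fpm", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}
KNOWN_LOADERS = {"m6699.exe"}  # Golang-based loader named in the article
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)

@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return the names of every detection rule the event matches, in rule order."""
    hits = []
    parent, image = basename(event.parent_image), basename(event.image)
    if parent in WEB_SERVER_PARENTS and image in SHELLS:
        hits.append("webshell_spawned_shell")
    if image in KNOWN_LOADERS:
        hits.append("known_loader_image")
    if parent in KNOWN_LOADERS:
        hits.append("child_of_known_loader")
    if image in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(event.command_line):
        hits.append("encoded_powershell")
    return hits

# Constructed sample telemetry modelled on the chain described above.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
                 'cmd.exe /c "dir"'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Users\Public\m6699.exe", "m6699.exe"),
    ProcessEvent(r"C:\Users\Public\m6699.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc QQBCAEMA"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

def triage(events=SAMPLE_EVENTS):
    """Map each flagged image name to its rule hits; events with no hits are dropped."""
    return {basename(e.image): hits for e in events if (hits := classify(e))}
```

Running `triage()` on the sample flags the shell spawned by w3wp.exe, the loader itself, and the encoded PowerShell child, while the notepad.exe event produces no hit.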

Another point that draws the researchers' attention is that these Chinese attackers prefer open-source software in their attacks, and SparkRAT's rich feature set and regular updates may make it attractive to other cybercriminals in the future.
