S0543: Spark

Spark is a Windows backdoor and has been in use since as early as 2017.[1]

Domain: Enterprise | ID: S0543 | Type: Malware | Object version 1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Spark is a Windows backdoor documented in ATT&CK and linked through ATT&CK relationships to Molerats usage. Its mapped behaviors matter because they combine stealth, host discovery, command execution, web-based command-and-control, and exfiltration over that same channel. For leaders, the decision value is not the malware name alone; it is whether Windows endpoint and network defenses can prove visibility into packed malware, command shell abuse, encoded web traffic, and data leaving through C2-like web communications.

Executive priority

Treat Spark as a coverage validation case for Windows backdoor readiness. Ask whether the organization can show evidence for endpoint execution, outbound web protocol monitoring, and investigation workflows that connect discovery activity to possible exfiltration. This is relevant to incident response readiness, managed detection quality, audit evidence for monitoring controls, and prioritizing investments where encrypted or encoded web traffic and endpoint command-line telemetry are blind spots.

Technical view

ATT&CK does not provide a detection section for Spark, so defenders should validate coverage from its relationships: Software Packing, System Owner/User Discovery, Exfiltration Over C2 Channel, Windows Command Shell, Web Protocols, Standard Encoding, Deobfuscate/Decode Files or Information, User Activity Based Checks, System Information Discovery, and System Language Discovery. SOC teams should correlate Windows process execution, command-line activity, suspicious discovery commands or API-driven host/user enumeration, packed or obfuscated executable characteristics, decoding/deobfuscation behavior, and outbound web protocol sessions carrying encoded data. Because several behaviors are common in legitimate administration and software, detection should rely on correlation, endpoint context, destination reputation/context, unusual parent-child process chains, and data movement patterns rather than single indicators.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry, especially command shell invocation and parent-child process context
  • Endpoint file and executable metadata relevant to packed, compressed, encrypted, or otherwise obfuscated binaries
  • Endpoint behavior telemetry for host, user, system information, and system language discovery
  • Telemetry showing decoding or deobfuscation activity on files or data before execution or communication
  • Web proxy, firewall, or network security logs for outbound HTTP/S or other web protocol sessions

Detection direction

  • Do not depend on signatures alone; the mapped Software Packing behavior indicates that file signatures may be intentionally changed or concealed.
  • Tune for correlated sequences: packed or suspicious executable on Windows, discovery of user/system/language details, command shell execution, then outbound web protocol communication.
  • Review visibility into encoded web traffic. Standard encoding can make payload content harder to inspect, and normal web traffic creates high false-positive potential.
  • Validate that sandbox and malware analysis workflows account for user-activity checks that may alter behavior in analysis environments.
  • Separate legitimate administration from suspicious activity by using baselines, process lineage, user context, destination context, and whether discovery activity is followed by external communications or data transfer.
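As an added example (not part of the ATT&CK entry or Glexia's analysis), the Python below correlates constructed process-creation and web-proxy events into the sequence described above: whoami discovery (T1033), then cmd.exe execution (T1059.003), then an outbound HTTP POST whose body is strict base64 (T1071.001 with T1132.001), which is the pattern the procedure notes for Spark describe. The event field names, the ten-minute window, and the sample hosts and destination URL are assumptions.

```python
import base64
import binascii
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs); field names are an assumption, not a vendor schema.
PROCESS_EVENTS = [
    {"ts": "2020-03-03T09:00:05", "host": "ws01", "parent": "update.exe", "image": "whoami.exe", "cmdline": "whoami"},
    {"ts": "2020-03-03T09:00:09", "host": "ws01", "parent": "update.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"ts": "2020-03-03T10:15:00", "host": "ws02", "parent": "powershell.exe", "image": "whoami.exe", "cmdline": "whoami /groups"},
]
PROXY_EVENTS = [
    {"ts": "2020-03-03T09:00:20", "host": "ws01", "method": "POST", "url": "http://203.0.113.10/index.php",
     "body": base64.b64encode(b"hostname=ws01;user=alice;lang=ar").decode()},  # encoded beacon (constructed)
    {"ts": "2020-03-03T10:16:00", "host": "ws02", "method": "POST", "url": "http://intranet.example/login",
     "body": "user=bob&pass=****"},  # ordinary form post, not base64
]

def looks_base64(body, min_len=16):
    """True when body is non-trivial, strictly valid base64 (the T1132.001 pattern)."""
    if len(body) < min_len or len(body) % 4:
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def correlate(process_events, proxy_events, window=timedelta(minutes=10)):
    """One alert per host where whoami -> cmd.exe -> base64 POST occur in that order inside `window`
    (the window length is an assumed tuning value)."""
    alerts = []
    for host in sorted({e["host"] for e in process_events}):
        procs = sorted((e for e in process_events if e["host"] == host), key=_ts)
        discovery = [e for e in procs if e["image"].lower() == "whoami.exe"]  # T1033
        shells = [e for e in procs if e["image"].lower() == "cmd.exe"]        # T1059.003
        posts = sorted((e for e in proxy_events if e["host"] == host and e["method"] == "POST"
                        and looks_base64(e["body"])), key=_ts)               # T1071.001 + T1132.001
        for d in discovery:
            deadline = _ts(d) + window
            s = next((x for x in shells if _ts(d) <= _ts(x) <= deadline), None)
            p = next((x for x in posts if s and _ts(s) <= _ts(x) <= deadline), None)
            if s and p:
                alerts.append({"host": host, "start": d["ts"], "end": p["ts"], "dest": p["url"],
                               "techniques": ["T1033", "T1059.003", "T1071.001", "T1132.001"]})
                break  # one alert per host; the analyst pivots from there
    return alerts
```

ws02 shows the false-positive control the text asks for: an administrator running whoami from PowerShell with no shell-then-encoded-POST follow-up produces no alert.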

Mitigation priorities

  • Prioritize Windows endpoint visibility and control for unknown or packed executables, including execution policy and application control where operationally feasible.
  • Reduce command shell abuse opportunities through least privilege, administrative control review, and monitoring of command-line execution on high-value systems.
  • Constrain and monitor outbound web traffic so unusual destinations, encoded payload patterns, and data transfer over C2-like channels are reviewable.
  • Ensure incident response playbooks collect endpoint, process, file, and network artifacts needed to investigate discovery-to-C2-to-exfiltration sequences.
  • Use threat-informed validation to test whether SOC processes can detect the mapped ATT&CK behaviors without relying on a Spark-specific signature.

Analyst notes and limits

The strongest ATT&CK-supported points are that Spark is a Windows backdoor, has been in use since at least 2017, is associated by ATT&CK relationship with Molerats, and uses the listed techniques. The external reference title mentions delivery to government and telecommunications organizations, but this take does not infer current targeting or exposure. Coverage should be assessed through the behavior relationships, not through the malware name alone.

Official ATT&CK detection guidance for Spark is not provided, and the malware object itself lists Windows as the platform with no tactics specified. Technique relationship descriptions include broader platforms, but those should not be interpreted as Spark platform support beyond Windows. Local environment telemetry, control configuration, and incident evidence are required to determine actual risk and detection coverage.

Official MITRE ATT&CK definition

Spark

Spark is a Windows backdoor and has been in use since as early as 2017.[1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Columns: Domain | ID | Name | Relationship / procedure (10 rows)

Enterprise | T1027.002 | Software Packing (sub-technique)
  Spark has been packed with Enigma Protector to obfuscate its contents. [1]

Enterprise | T1614.001 | System Language Discovery (sub-technique)
  Spark has checked the results of the GetKeyboardLayoutList and the language name returned by GetLocaleInfoA to make sure they contain the word “Arabic” before executing. [1]

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
  Spark can use cmd.exe to run commands. [1]

Enterprise | T1132.001 | Standard Encoding (sub-technique)
  Spark has encoded communications with the C2 server with base64. [1]

Enterprise | T1082 | System Information Discovery
  Spark can collect the hostname, keyboard layout, and language from the system. [1]

Enterprise | T1497.002 | User Activity Based Checks (sub-technique)
  Spark has used a splash screen to check whether a user actively clicks on the screen before running malicious code. [1]

Enterprise | T1033 | System Owner/User Discovery
  Spark has run the whoami command and has a built-in command to identify the user logged in. [1]

Enterprise | T1140 | Deobfuscate/Decode Files or Information
  Spark has used a custom XOR algorithm to decrypt the payload. [1]

Enterprise | T1041 | Exfiltration Over C2 Channel
  Spark has exfiltrated data over the C2 channel. [1]

Enterprise | T1071.001 | Web Protocols (sub-technique)
  Spark has used HTTP POST requests to communicate with its C2 server to receive commands. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0021: Molerats

Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group's victims have primarily been in the Middle East, Europe, and the United States.[1][2][3][4]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 45baa69d6dfea043...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 45baa69d6dfe…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Unit42 Molerat Mar 2020: Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
  2. [2] Spark (Citation: Unit42 Molerat Mar 2020).
  3. [3] mitre-attack S0543.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.