{ "Event": { "analysis": "1", "date": "2026-04-14", "extends_uuid": "", "info": "[Threat Intel] Chasing an Angry Spark", "protected": false, "publish_timestamp": "1776682904", "published": true, "threat_level_id": "2", "timestamp": "1776682904", "uuid": "136901c9-7f22-416a-bf1f-c5081e1e9fc3", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#43c8db", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Process Injection - T1055\"", "relationship_type": "" }, { "colour": "#f5a258", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"", "relationship_type": "" }, { "colour": "#9c8729", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Create or Modify System Process - T1543\"", "relationship_type": "" }, { "colour": "#56c932", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Symmetric Cryptography - T1573.001\"", "relationship_type": "" }, { "colour": "#bb2745", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Standard Encoding - T1132.001\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#2c1d2e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"", "relationship_type": "" }, { "colour": "#a92e1c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#120044", "local": false, "name": "rectifyq:sub-category=\"intrusion-analysis\"", "relationship_type": "" }, { "colour": "#d92121", "local": false, "name": "rectifyq:target=\"targeted\"", "relationship_type": "" }, { "colour": "#31373d", "local": false, "name": "rectifyq:MY-relevancy=\"not-relevant\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776308409", "to_ids": false, "type": "link", "uuid": "d012af2c-2cf3-4ff6-a88a-dfd2bf61a621", "value": "https://www.gendigital.com/blog/insights/research/chasing-an-angry-spark", "Tag": [ { "colour": "#6b003a", "local": true, "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"", "relationship_type": "" } ] }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1776308409", "to_ids": false, "type": "text", "uuid": "736c7cb4-3ec7-4b62-940b-76bc6fb367af", "value": "In spring 2022, a highly sophisticated backdoor named AngrySpark was discovered on a single machine in the United Kingdom. The malware employed a three-stage architecture: a DLL masquerading as a Windows Task Scheduler component, a custom virtual machine interpreter running bytecode instructions, and a beacon that profiles systems while disguising C2 communications as PNG image requests. The malware featured VM-based obfuscation, dual encrypted C2 channels using RSA-4096 and XXTEA encryption, direct syscalls bypassing usermode hooks, hypervisor detection, and CET-aware anti-analysis capabilities. It operated for approximately one year with active maintenance visible through syscall table updates and configuration changes between May 2022 and January 2023. The infrastructure expired in mid-2023 and the operation ceased, with no additional samples or victims identified despite the significant engineering effort invested in its development." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1776308409", "to_ids": false, "type": "text", "uuid": "b5b72634-a864-434a-b4b5-cc11827fd187", "value": "Name: Chasing an Angry Spark\nAuthor: AlienVault\nAdversary: \nTags: [\"AngrySpark\", \"virtual machine obfuscation\", \"steganography\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1055\", \"T1106\", \"T1543\", \"T1573.001\", \"T1132.001\", \"T1082\", \"T1497.001\", \"T1140\"]\nIndustries: []" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776656420", "to_ids": true, "type": "domain", "uuid": "d806c3bb-f875-4e4d-bae2-b9c557691881", "value": "storewebzone.net", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776656441", "to_ids": true, "type": "domain", "uuid": "5c34bad0-f5e3-4b6e-9a3d-72584d624dfe", "value": "server-sys.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776656463", "to_ids": true, "type": "ip-dst", "uuid": "d8fbc5b4-06dd-46cb-9b6d-17adde121e1a", "value": "185.151.31.111", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:20/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1776654492", "to_ids": true, "type": "md5", "uuid": "527ce208-91c6-41f3-a1d7-965894f44d12", "value": "068ab3cb0f28916ea64c27ea58a680c8", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:20/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1776654493", "to_ids": true, "type": "md5", "uuid": "af482c60-9964-49a9-ba62-d5bb582e7d8f", "value": "44a77bc78986f910d98491c0006b7be5", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:20/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1776654494", "to_ids": true, "type": "md5", "uuid": "754643af-7911-49e9-89f5-51798a4b46d0", "value": "592d663ad71575e4c52e0c810008c3c2", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:20/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1776654495", "to_ids": true, "type": "md5", "uuid": "18c8baf1-3d3d-42c4-b372-012de86f72c2", "value": "cc32c78022525f12f5f407f0e1291003", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:20/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1776654495", "to_ids": true, "type": "sha256", "uuid": "fdb14d74-f573-46d8-9c38-35d0b754bc06", "value": "20f19a37e17772c38b6f89af40fa941d55bad9ffcf3b3382206a0cadfa937025", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:20/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1776654497", "to_ids": true, "type": "sha256", "uuid": "baf09702-8730-4da3-9e05-5de7fce554ae", "value": "491870264fa2d666fb8859508a6a44b80bcb868e2f43c00f03199df2651c757d", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:20/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1776654498", "to_ids": true, "type": "sha256", "uuid": "d1b0d961-75ed-4799-b3ed-1e30c76f09dc", "value": "96883abd45eca3f076f1d5e2a9e75e37b588a37a99fe42ec4bedd34f7926760e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:20/04/2026", "deleted": false, "disable_correlation": false, "timestamp": "1776654498", "to_ids": true, "type": "sha256", "uuid": "7d2584af-656f-47ac-b393-fa4f3d46478f", "value": "9c492a39823aa0ff14f3131a2346f833827a1c423e77dcc9682bb939aea0e215", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776656484", "to_ids": true, "type": "ip-dst", "uuid": "c88f9c37-6334-4d66-88a3-1dc3640e34c1", "value": "185.151.31.6", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776656505", "to_ids": true, "type": "url", "uuid": "b9c479cb-1464-4326-abdf-21c984ae67ab", "value": "https://pick.storewebzone.net/assets/static/img/I4o8Pp_41.png", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776656526", "to_ids": true, "type": "url", "uuid": "85bd0840-034b-49e5-839e-28075eae6855", "value": "https://pick.storewebzone.net/prod/vUcLWuZF/8363/asb2dz_1dd4.php", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776656547", "to_ids": true, "type": "domain", "uuid": "35296f59-26d6-4d92-a663-64cf822997e4", "value": "comp.id", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776656568", "to_ids": true, "type": "hostname", "uuid": "b8a1abfc-db4b-44bd-88f5-27c6760d0300", "value": "pick.storewebzone.net", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1776656589", "to_ids": true, "type": "hostname", "uuid": "12740086-d6f4-4af8-846d-11d4714752c6", "value": "s13035516.server-sys.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] } ] } }