Chasing an Angry Spark
Essential information
- Published
- 15/04/2026 09:21
- Modified
- 15/04/2026 17:28
- Tags
- 2026-04-15 angryspark steganography virtual machine obfuscation
- Related entities
- 8 observables, 8 techniques (mitre), 5 others
Description
In spring 2022, a highly sophisticated backdoor named AngrySpark was discovered on a single machine in the United Kingdom. The malware employed a three-stage architecture: a DLL masquerading as a Windows Task Scheduler component, a custom virtual machine interpreter running bytecode instructions, and a beacon that profiles systems while disguising C2 communications as PNG image requests. The malware featured VM-based obfuscation, dual encrypted C2 channels using RSA-4096 and XXTEA encryption, direct syscalls bypassing usermode hooks, hypervisor detection, and CET-aware anti-analysis capabilities. It operated for approximately one year with active maintenance visible through syscall table updates and configuration changes between May 2022 and January 2023. The infrastructure expired in mid-2023 and the operation ceased, with no additional samples or victims identified despite the significant engineering effort invested in its development.