Chasing an Angry Spark
In spring 2022, a highly sophisticated backdoor named AngrySpark was discovered on a single machine in the United Kingdom. The malware employed a three-stage architecture: a DLL masquerading as a Windows Task Scheduler component, a custom virtual machine interpreter running bytecode instructions, and a beacon that profiles systems while disguising C2 communications as PNG image requests. The malware featured VM-based obfuscation, dual encrypted C2 channels using RSA-4096 and XXTEA encryption, direct syscalls bypassing usermode hooks, hypervisor detection, and CET-aware anti-analysis capabilities. It operated for approximately one year with active maintenance visible through syscall table updates and configuration changes between May 2022 and January 2023. The infrastructure expired in mid-2023 and the operation ceased, with no additional samples or victims identified despite the significant engineering effort invested in its development.
AI Analysis
Technical Summary
AngrySpark is a backdoor malware campaign identified on a single UK machine in 2022. It employs a multi-stage infection chain: a DLL posing as a Windows Task Scheduler component, a custom virtual machine interpreter executing obfuscated bytecode, and a beacon that profiles infected systems while hiding C2 traffic as PNG image requests. The malware uses strong cryptographic protections (RSA-4096 and XXTEA) for its dual C2 channels, direct syscalls to evade usermode hooks, and advanced anti-analysis techniques including hypervisor detection and CET awareness. The campaign was maintained for about a year with active updates to syscall tables and configurations. The infrastructure was decommissioned in mid-2023, and no further infections or samples have been found. Indicators include multiple domains, IPs, hashes, and URLs linked to the campaign.
Potential Impact
The malware enables persistent backdoor access with sophisticated evasion and anti-analysis capabilities. It can profile infected systems and maintain stealthy communications with its C2 infrastructure. However, its impact was limited to a single known victim in the United Kingdom. The operation ceased after the infrastructure expired in mid-2023, and no further infections have been identified. There is no known activity in the wild beyond this isolated case.
Mitigation Recommendations
No official patch or remediation is available, and patch status does not apply, because this is malware rather than a software vulnerability. The campaign ceased after its infrastructure expired in mid-2023. Organizations should use the provided indicators of compromise (domains, IPs, hashes, URLs) to detect any remnants or related activity; standard malware detection and incident response procedures apply. Monitor for any resurgence or new samples referencing AngrySpark.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.gendigital.com/blog/insights/research/chasing-an-angry-spark
- Adversary: null
- Pulse ID: 69df58b30a6bddb6a202695c
- Threat Score: null
Threat ID: 69dfcba782d89c981f8345df
Added to database: 4/15/2026, 5:32:23 PM
Last enriched: 4/15/2026, 5:47:13 PM
Last updated: 5/31/2026, 1:12:50 AM