Analysis of StreamSpy, a new Trojan horse utilizing WebSocket in Mahabusa (APT-Q-36)
TLP: WHITE | Author: PetrP.73 | Created: 2025-12-03 | Modified: 2025-12-03 | 60 IOCs
StreamSpy is a Trojan attributed to Mahabusa (also tracked as APT-Q-36). The group has been active for more than ten years and conducts cyber espionage against government, military, energy, industrial, research, education, diplomatic and economic organizations in Asia. What sets this sample apart from the group's earlier tooling is its command-and-control (C2) transport: StreamSpy opens a WebSocket connection to its C2 server and keeps it alive, which gives the operator a persistent, bidirectional channel over which tasking can be pushed and collected data streamed out in real time, rather than the periodic request/response exchange that conventional HTTP-based implants produce.

For a defender the choice matters for three reasons. A WebSocket session starts as an ordinary HTTP or HTTPS request carrying Upgrade: websocket, so it passes through proxies and firewalls that permit web traffic, and once the server answers 101 Switching Protocols the same TCP connection no longer looks like HTTP at all. Client-to-server frames are XOR-masked with a per-frame key (RFC 6455), so a signature written against the implant's plaintext will not match the bytes on the wire unless the sensor unmasks frames first. And one long-lived connection carrying small, irregular frames does not fit beaconing heuristics tuned to periodic HTTP polling. The practical consequences are to log the Upgrade request and the 101 response at the proxy (originating process, destination host, path and session duration), and to make sure any content inspection of WebSocket traffic runs after TLS termination and frame unmasking.
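As an added worked example (not part of the pulse, and not StreamSpy's own code), the following Python reassembles one side of a WebSocket session from captured bytes: it checks the HTTP Upgrade handshake against RFC 6455 and unmasks client-to-server frames so that payload inspection runs on plaintext rather than on the masked wire bytes. The host, path, beacon content and sample session are constructed for illustration; the Sec-WebSocket-Key and the masking key are the example values from RFC 6455.

```python
"""Reassemble a WebSocket C2 session from a captured TCP stream: check the HTTP
Upgrade handshake, then unmask client-to-server frames (RFC 6455)."""
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed constant, RFC 6455 section 1.3
OPCODES = {0x0: "continuation", 0x1: "text", 0x2: "binary", 0x8: "close", 0x9: "ping", 0xA: "pong"}


def parse_http_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """(start line, lowercase header dict) of one HTTP/1.1 message head."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_upgrade_request(client_request: bytes) -> bool:
    """Request asks to switch to WebSocket (RFC 6455 4.1): the cheapest point for a sensor to log a session."""
    _, h = parse_http_head(client_request)
    return (h.get("upgrade", "").lower() == "websocket"
            and "upgrade" in h.get("connection", "").lower() and "sec-websocket-key" in h)


def expected_accept(sec_websocket_key: str) -> str:
    """Sec-WebSocket-Accept value a server must return for a given client key."""
    return base64.b64encode(hashlib.sha1((sec_websocket_key + WS_GUID).encode()).digest()).decode()


def handshake_completed(client_request: bytes, server_response: bytes) -> bool:
    """Server answered 101 with the accept value derived from the client's key."""
    if not is_upgrade_request(client_request):
        return False
    _, ch = parse_http_head(client_request)
    status, sh = parse_http_head(server_response)
    return status.startswith("HTTP/1.1 101") and sh.get("sec-websocket-accept") == expected_accept(ch["sec-websocket-key"])


@dataclass
class Frame:
    fin: bool
    opcode: str
    masked: bool
    payload: bytes


def parse_frames(stream: bytes) -> List[Frame]:
    """Walk the frames in one direction of the stream. Client-to-server frames carry a
    per-frame 4-byte XOR mask, so content signatures must run on the unmasked payload."""
    frames: List[Frame] = []
    pos = 0
    try:
        while pos + 2 <= len(stream):
            b0, b1 = stream[pos], stream[pos + 1]
            pos += 2
            length = b1 & 0x7F
            if length == 126:
                (length,) = struct.unpack_from("!H", stream, pos)
                pos += 2
            elif length == 127:
                (length,) = struct.unpack_from("!Q", stream, pos)
                pos += 8
            masked, key = bool(b1 & 0x80), b""
            if masked:
                (key,) = struct.unpack_from("4s", stream, pos)
                pos += 4
            if pos + length > len(stream):
                break  # payload cut off by the end of the capture
            payload = stream[pos:pos + length]
            pos += length
            if masked:
                payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
            frames.append(Frame(bool(b0 & 0x80), OPCODES.get(b0 & 0x0F, "reserved"), masked, payload))
    except struct.error:
        pass  # frame header cut off by the end of the capture
    return frames


def build_client_frame(payload: bytes, key: bytes, opcode: int = 0x1) -> bytes:
    """Encode one final, masked frame the way a client (here the implant) must."""
    header = bytes([0x80 | opcode])
    if len(payload) < 126:
        header += bytes([0x80 | len(payload)])
    elif len(payload) < 0x10000:
        header += bytes([0x80 | 126]) + struct.pack("!H", len(payload))
    else:
        header += bytes([0x80 | 127]) + struct.pack("!Q", len(payload))
    return header + key + bytes(b ^ key[i % 4] for i, b in enumerate(payload))


# Constructed sample session, not captured traffic: host, path and beacon content are
# illustrative; the Sec-WebSocket-Key and masking key are the RFC 6455 example values.
CLIENT_HANDSHAKE = (b"GET /stream HTTP/1.1\r\nHost: updates.example.invalid\r\n"
                    b"Upgrade: websocket\r\nConnection: Upgrade\r\n"
                    b"Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\nSec-WebSocket-Version: 13\r\n\r\n")
SERVER_HANDSHAKE = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
                    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
MASK_KEY = bytes.fromhex("37fa213d")
BEACON = b'{"host":"WS-01","user":"alice","cmd":"idle"}'
CLIENT_STREAM = build_client_frame(BEACON, MASK_KEY) + build_client_frame(b"", MASK_KEY, opcode=0x9)
```

Running `parse_frames(CLIENT_STREAM)` yields a text frame whose payload is the beacon JSON and an empty ping; feeding the same bytes to a signature engine without unmasking would show only the XORed form. The handshake check is the piece worth wiring into proxy logging, since the Upgrade request and the 101 reply are the last point at which the session is still readable as HTTP.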
Indicators of Compromise (9 of 60 shown; the page's type filters list CVE, FileHash-MD5, FileHash-SHA1, FileHash-SHA256, URL, domain and hostname). None of the rows shown carries a description.
TYPE          INDICATOR                          CREATED
FileHash-MD5  0fe90212062957a529cba3938613c4da   2025-12-03
FileHash-MD5  1c335be51fc637b50d41533f3bef2251   2025-12-03
FileHash-MD5  20c9ac59c444625a7ee364b410da8f11   2025-12-03
FileHash-MD5  838e4d85346001dd04e11359b04c7c24   2025-12-03
FileHash-MD5  c3c277cca23f3753721435da80cad1ea   2025-12-03
FileHash-MD5  df626ce2ad3d3dea415984a9d3839373   2025-12-03
FileHash-MD5  e0ac399cff3069104623cc38395bd946   2025-12-03
FileHash-MD5  e4a7a85feff6364772cf1d12d8153a69   2025-12-03
FileHash-MD5  f78fd7e4d92743ef6026de98291e8dee   2025-12-03