FamousSparrow Revived with Attacks on American Targets

Newly detected versions of SparrowDoor constitute marked progress over earlier efforts.


The Chinese state-sponsored advanced persistent threat operation FamousSparrow, which was believed to have gone on a hiatus over the last three years, has returned with attacks on organisations in the U.S., Mexico, and Honduras.

According to research by ESET, due to the lack of activity and public reporting between 2022 and 2024, FamousSparrow was presumed to be inactive. “However, our analysis of the US network compromised in July 2024 revealed two new versions of SparrowDoor, showing that FamousSparrow is still developing its flagship backdoor,” ESET researcher Alexandre Côté Cyr said.

New versions have also been found on a machine in Mexico, while additional activity by the group, including the targeting of a governmental institution in Honduras, was detected.

“This newly found activity indicates that not only is the group still operating, but it was also actively developing new versions of SparrowDoor during this time.”

China Aligned

FamousSparrow is a China-aligned APT group that has been active since at least 2019. ESET said the group was initially known for targeting hotels around the world, but has also targeted governments, international organisations, engineering companies, and law firms.

FamousSparrow is the only known user of the SparrowDoor backdoor. ESET said the newly detected versions of SparrowDoor constitute marked progress over earlier ones, especially in terms of code quality and architecture.

“One of them resembles the backdoor that researchers at Trend Micro called CrowDoor and attributed to the Earth Estries APT group in November 2024. The other is modular and significantly different from all previous versions. This campaign is also the first documented time FamousSparrow used ShadowPad, a privately sold backdoor, known to only be supplied to China-aligned threat actors.”

Considerable Advances

Both versions of SparrowDoor used in this campaign constitute considerable advances in code quality and architecture compared to older ones, Cyr said. “The most significant change is the parallelisation of time-consuming commands, such as file I/O and the interactive shell. This allows the backdoor to continue handling new commands while those tasks are performed. We will explain the procedure later in the blogpost when we discuss the commands in detail.”

In these new attack instances, FamousSparrow exploited Windows Server and Microsoft Exchange vulnerabilities, among other exploits, to facilitate initial network access and the eventual deployment of the popular Chinese malware ShadowPad, as well as updated iterations of its SparrowDoor backdoor tool. ShadowPad was used for keystroke logging, screenshot capturing, and command execution.



Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.

