FamousSparrow, a Chinese cyberespionage group, has recently targeted organizations in the U.S., Mexico, and Honduras with upgraded versions of its SparrowDoor backdoor malware. This malware, previously associated with the group since 2019, has evolved with two new versions—one of which is modular. These versions demonstrate substantial improvements, including the ability to execute commands in parallel, enhancing the group’s capacity to control compromised systems efficiently.
The attack chain typically begins with exploiting vulnerabilities in outdated versions of Windows Server and Microsoft Exchange. The group uses custom-made tools, such as web shells and batch scripts, to deploy SparrowDoor and ShadowPad backdoors, which allow them to execute remote commands. These tools enable file transfers, system monitoring, and keylogging, making the malware a potent tool for espionage and data theft.
SparrowDoor’s modular version supports various plugins, such as TCP proxies, interactive shell sessions, and file system operations. These features allow the attackers to execute complex commands and maintain persistence on infected systems. By handling multiple sub-commands simultaneously, the backdoor improves the efficiency of the attackers’ operations, providing them with a range of control options over compromised networks.
FamousSparrow’s activity had been dormant since 2022, but its recent attacks show that the group is still active and evolving its tactics. While often linked with other Chinese state-sponsored groups like GhostEmperor and Earth Estries, ESET treats FamousSparrow as a distinct threat. The group’s targeted attacks against sectors like government, law, and engineering continue, showcasing their ongoing focus on cyber espionage.
