Introduction

The China-aligned hacking group FamousSparrow [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] has resurfaced with an enhanced cyber arsenal, a significant development in the cybersecurity landscape. Active since at least 2019 [1] [9], the group has broadened its targeting and upgraded its malware, posing a renewed threat to organizations in several sectors worldwide.

Description

The China-aligned hacking group FamousSparrow has re-emerged after a period of inactivity [5] [9], utilizing an enhanced cyber arsenal that includes upgraded variants of its custom malware, SparrowDoor [1] [2] [3] [4] [6] [7] [9] [10], and for the first time [7], the ShadowPad backdoor [2] [6] [7] [9] [10], which is typically associated with other Chinese advanced persistent threat (APT) groups. Active since at least 2019 [1] [9], FamousSparrow has expanded its targeting strategy to include a diverse range of organizations across multiple sectors, notably compromising a US-based financial-sector trade group and a research institute in Mexico in July 2024. Reports also indicate that the group has targeted a governmental institution in Honduras, along with other unidentified victims [8]. This resurgence of attacks contradicts earlier beliefs that the group had been inactive since 2022.

ESET’s investigation into suspicious activity on the US trade group’s network revealed two previously undocumented versions of SparrowDoor, showcasing significant improvements in code quality and architecture [1] [3] [6] [9]. One variant closely resembles the CrowDoor malware attributed to Earth Estries [2] [6], while the second features a modular design that allows for plugin functionality and supports command parallelization for simultaneous execution of time-consuming operations. Additionally, the attackers executed a ShadowPad loader, previously linked to another Chinese government group [9], APT41 (Wicked Panda) [9], enabling deeper access into compromised systems [9]. This marked the first instance of FamousSparrow utilizing ShadowPad [9], which is believed to be exclusive to China-aligned threat actors.

The group gained initial access to its victims’ networks by deploying an ASHX web shell on compromised Internet Information Services (IIS) servers, exploiting known vulnerabilities in outdated Windows Server and Microsoft Exchange systems [2] [3] [6]. Following this, they established interactive PowerShell sessions for reconnaissance and delivered additional payloads [6], including the backdoors SparrowDoor and ShadowPad [1] [4], which possess capabilities such as command execution, keylogging [1] [3] [4], file exfiltration [3], process management [1], and screenshot capture [1]. The evolution of SparrowDoor includes enhanced persistence mechanisms [2] [6], utilizing both registry Run keys and Windows services [2] [6], along with sophisticated network communication using custom socket classes and RC4 encryption for data transmission [2] [6].

The attack chain involved deploying a web shell on an IIS server [4], which served as a conduit to drop a batch script from a remote server [4]. This script launched a Base64-encoded .NET web shell responsible for deploying the backdoors [4]. ESET’s analysis indicates that FamousSparrow has remained active and is developing its toolset despite a lack of public activity since 2022 [10]. The renewed activity of FamousSparrow underscores the evolving threat landscape and highlights the urgent need for enhanced cybersecurity measures. In September 2024 [1] [4], reports suggested potential connections between FamousSparrow and other threat actors [1] [2] [6], including Earth Estries and GhostEmperor; however, researchers maintain that FamousSparrow represents a distinct cluster with minimal overlap [1] [2] [6], emphasizing the unique nature of its operations and its renewed cyber espionage capabilities. Organizations in targeted sectors are urged to remain vigilant and implement robust security measures against these sophisticated attacks [2] [6].
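The initial-access pattern described above (a web shell served as an ASHX handler on an IIS server, followed by interactive sessions that fetch further payloads) leaves a footprint in the IIS W3C request logs before any backdoor is even written to disk. The following is an added example, not code from ESET or from any of the cited articles, of a small hunting script a defender could run over exported IIS logs: it parses the `#Fields:` header, flags successful POST requests to `.ashx` handlers that are not on an allowlist of known handlers, and groups repeated hits by client address and path. The log excerpt, the handler path `/aspnet_client/handler.ashx`, the client addresses and the `/api/` allowlist are all constructed for illustration; the articles do not disclose the web shell's actual name or location, so nothing here should be read as an indicator from the reported intrusions. The logic is general rather than specific to FamousSparrow: any attacker-dropped handler that is driven by repeated POSTs will surface the same way.

```python
"""Hunt for web-shell-like .ashx handler activity in IIS W3C extended logs.

Added example; it is not part of the ESET report or any cited article.
The log excerpt below is constructed, as are the allowlisted handler prefixes.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed IIS W3C excerpt (not a real capture). One legitimate .ashx
# handler under /api/ and one unknown handler hit repeatedly with POSTs.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-bytes cs-bytes
2024-07-02 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 5120 410
2024-07-02 10:15:09 10.0.0.5 POST /aspnet_client/handler.ashx - 443 - 198.51.100.7 python-requests/2.31 200 312 1440
2024-07-02 10:15:11 10.0.0.5 POST /aspnet_client/handler.ashx cmd=1 443 - 198.51.100.7 python-requests/2.31 200 2048 520
2024-07-02 10:16:00 10.0.0.5 GET /ecp/default.aspx - 443 - 203.0.113.20 Mozilla/5.0 302 0 380
2024-07-02 10:16:30 10.0.0.5 POST /api/health/Ping.ashx - 443 - 203.0.113.20 Mozilla/5.0 200 60 300
2024-07-02 10:17:02 10.0.0.5 POST /aspnet_client/handler.ashx - 443 - 198.51.100.7 python-requests/2.31 200 9001 700
"""

# Assumption: URL prefixes under which this server legitimately exposes
# .ashx handlers. Anything outside them is reviewed rather than trusted.
KNOWN_HANDLER_PREFIXES: Tuple[str, ...] = ("/api/",)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field list can change mid-file
            continue
        if line.startswith("#") or not line.strip():
            continue                        # other directives / blank lines
        if fields is None:
            raise ValueError("log data appears before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                        # skip malformed lines, keep hunting
        rows.append(dict(zip(fields, values)))
    return rows


def is_suspicious_handler(row: Dict[str, str]) -> bool:
    """A successful POST to an .ashx handler outside the allowlist."""
    stem = row["cs-uri-stem"].lower()
    if not stem.endswith(".ashx"):
        return False
    if any(stem.startswith(prefix) for prefix in KNOWN_HANDLER_PREFIXES):
        return False
    return row["cs-method"].upper() == "POST" and row["sc-status"] == "200"


def find_webshell_candidates(text: str, min_hits: int = 2) -> Dict[Tuple[str, str], List[str]]:
    """Group suspicious handler hits by (client IP, path); keep repeated ones.

    Returns a mapping of (c-ip, cs-uri-stem) -> list of request times.
    A single stray POST is noise; repeated POSTs from one source to one
    unknown handler are what an interactively driven web shell looks like.
    """
    hits: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for row in parse_w3c(text):
        if is_suspicious_handler(row):
            hits[(row["c-ip"], row["cs-uri-stem"])].append(row["time"])
    return {key: times for key, times in hits.items() if len(times) >= min_hits}


if __name__ == "__main__":
    for (client, path), times in find_webshell_candidates(SAMPLE_LOG).items():
        print(f"review: {client} -> {path} ({len(times)} POSTs: {', '.join(times)})")
```

On the constructed excerpt the script reports a single candidate, the repeated POSTs from 198.51.100.7 to `/aspnet_client/handler.ashx`, and ignores the allowlisted `/api/health/Ping.ashx` handler. In practice the allowlist should be built from the server's actual handler mappings, and a hit should be followed by checking the file's creation time and the w3wp.exe child processes (such as PowerShell) around the same timestamps, which is where the reconnaissance sessions described above would appear.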

Conclusion

The resurgence of FamousSparrow highlights the dynamic and evolving nature of cyber threats, emphasizing the need for continuous vigilance and adaptation in cybersecurity strategies. Organizations [2] [5] [6] [7] [9] [10], particularly those in targeted sectors, must enhance their security measures to mitigate the risks posed by such sophisticated attacks. The ongoing development of FamousSparrow’s toolset suggests that similar groups may also be advancing their capabilities, necessitating a proactive approach to cybersecurity to safeguard against future threats.

References

[1] https://www.helpnetsecurity.com/2025/03/26/famoussparrow-cyberespionage-attacks-united-states/
[2] https://gbhackers.com/new-famoussparrow-malware-targets-hotels-and-engineering-firms/
[3] https://www.techradar.com/pro/security/chinese-hackers-famoussparrow-allegedly-target-us-financial-firms
[4] https://codesanitize.com/new-sparrowdoor-backdoor-variants-present-in-assaults-on-u-s-and-mexican-organizations/
[5] https://www.infosecurity-magazine.com/news/chin-famoussparrow-targets-us/
[6] https://codesanitize.com/new-famoussparrow-malware-targets-motels-and-engineering-companies-with-customized-backdoor/
[7] https://thecyberwire.com/podcasts/daily-podcast/2274/transcript
[8] https://cyber.vumetric.com/security-news/2025/03/27/chinas-famoussparrow-flies-back-into-action-breaches-us-org-after-years-off-the-radar/
[9] https://londontribune.co.uk/chinas-famoussparrow-flies-back-into-action-breaches-us-org-after-years-off-the-radar/
[10] https://www.welivesecurity.com/en/eset-research/you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow/