- ESET researchers discovered that FamousSparrow compromised a trade group in the financial sector in the United States, a research institute in Mexico, and a governmental institution in Honduras.
- FamousSparrow, a China-aligned Advanced Persistent Threat (APT) group, deployed two previously undocumented versions of the SparrowDoor backdoor.
- Both versions constitute considerable progress over previous iterations and implement parallelization of commands.
- The APT group was also, for the first time, observed using the ShadowPad backdoor.
MONTREAL, BRATISLAVA — March 26, 2025 — ESET Research investigated suspicious activity on the network of a trade group in the United States that operates in the financial sector. While helping the affected entity remediate the compromise, ESET made an unexpected discovery in the victim’s system: malicious tools belonging to FamousSparrow, a China-aligned APT group. The group was thought to be inactive, as there had been no publicly documented activity by FamousSparrow since 2022. The ESET investigation shows that FamousSparrow was not only still active during this period, but that it must have also been developing its toolset, since the compromised network revealed not one, but two previously undocumented versions of SparrowDoor, FamousSparrow’s flagship backdoor.
ESET Research uncovered additional activity by the group during the 2022-2024 period, including the targeting of a governmental institution in Honduras. Furthermore, ESET discovered that, as part of this campaign, the threat actor managed to breach a research institute in Mexico just a couple of days prior to the compromise in the U.S. — both of which were compromised in late June 2024. Both of these versions of SparrowDoor constitute marked progress over earlier iterations, especially in terms of code quality and architecture, and one implements parallelization of commands.
“While these new versions exhibit significant upgrades, they can still be traced back directly to earlier, publicly documented versions. The loaders used in these attacks also present substantial code overlaps with samples previously attributed to FamousSparrow,” says ESET researcher Alexandre Côté Cyr, who made the discovery.
In order to gain initial access to the affected network, FamousSparrow deployed a webshell on an IIS server. While ESET was unable to determine the exact exploit used to deploy the webshells, both victims were running outdated versions of Windows Server and Microsoft Exchange, for which there are several publicly available exploits.
As for the toolset used in the campaign, the threat actor employed a mix of custom tools and malware along with those shared by China-aligned APT groups, as well as from publicly available sources. The final payloads were backdoors SparrowDoor and ShadowPad. Among them were plugins capable of running commands, file system operations, keylogging, transferring files, listing and killing processes, monitoring file system changes, and taking screenshots.
In September 2024, the Wall Street Journal published an article reporting that internet service providers in the United States had been compromised by a threat actor named Salt Typhoon. The article relays claims by Microsoft that this threat actor is the same as FamousSparrow and GhostEmperor.
“It was the first public report that conflates the latter two groups. However, we see GhostEmperor and FamousSparrow as two distinct groups. There are few overlaps between the two but many discrepancies. Based on our data and analysis of the publicly available reports, FamousSparrow appears to be its own distinct cluster with loose links to the others,” explains Côté Cyr.
FamousSparrow is a cyberespionage group that has been active since at least 2019. ESET Research first publicly documented the group in a 2021 blogpost when it observed it exploiting the ProxyLogon vulnerability. The group was initially known for targeting hotels around the world but has also targeted governments, international organizations, engineering companies, and law firms. FamousSparrow is the only known user of the SparrowDoor backdoor.
For a more detailed analysis and technical breakdown of the FamousSparrow toolset, check out the ESET Research blogpost “You will always remember this as the day you finally caught FamousSparrow” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.
Overview of the compromise chain used in this FamousSparrow campaign
About ESET
ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown— securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts and blogs.