New SparrowDoor Backdoor Variants Found in Attacks on U.S. and Mexican Organizations
Summary:
The Chinese threat actor FamousSparrow has been observed deploying new variants of its custom SparrowDoor backdoor and, for the first time, the widely shared Chinese state-sponsored malware ShadowPad RAT in attacks targeting a trade group in the United States and a research institute in Mexico during July 2024. ESET researchers identified two previously undocumented and significantly improved variants of SparrowDoor, one of which has a modular plugin-based system supporting 9 different modules:
- Cmd - Run a single command
- CFile - Perform file system operations
- CKeylogPlug - Log keystrokes
- CSocket - Launch a TCP proxy
- CShell - Start an interactive shell session
- CTransf - Initiate file transfer between the compromised Windows host and the C&C server
- CRdp - Take screenshots
- CPro - List running processes and kill specific ones
- CFileMoniter - Monitor file system changes for specified directories
Security Officer Comments:
The recent activity attributed to FamousSparrow shows that, despite the absence of observed activity and public reporting between 2022 and 2024, the group is still actively investing in the development of its flagship backdoor: ESET's analysis of the new backdoor variants used to compromise a US network in July 2024 makes this clear. The group's adoption of ShadowPad, a tool commonly associated with other Chinese actors, suggests either a broadening of its capabilities or a deliberate effort to blend in with the wider Chinese state-sponsored threat landscape. The likely exploitation of known vulnerabilities in outdated server software underscores the importance of timely patching and robust security hygiene in mitigating the risk of similar intrusions. The parallel execution capabilities added to SparrowDoor point to a focus on operational efficiency, allowing the attackers to potentially accomplish more within a shorter timeframe.
Suggested Corrections:
IOCs are available here.
Organizations are recommended to update to the latest version of Windows Server and Microsoft Exchange Server to proactively defend against similar attacks.
Organizations can make APT groups’ lives more difficult. Here’s how:
- Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
- Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
- Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
- Incident response and recovery: Regardless of preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
https://thehackernews.com/2025/03/new-sparrowdoor-backdoor-variants-found.html
https://www.welivesecurity.com/en/eset-research/you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow/