ESET Research has uncovered renewed cyberespionage activity linked to FamousSparrow, a China-aligned advanced persistent threat (APT) group previously thought to be inactive. The discovery was made during an investigation into suspicious network activity at a trade organisation in the United States financial sector. While assisting with remediation, ESET researchers uncovered two previously undocumented variants of SparrowDoor, the group’s custom backdoor.
This marked the first public sign of FamousSparrow activity since 2022, revealing that not only was the group still operational, but it had also continued to improve its capabilities. According to ESET, both new versions of SparrowDoor showed significant improvements in code quality and design. One of the variants introduced parallel execution of commands, a first for this malware family.
The campaign was not limited to the United States. ESET’s investigation found that the same threat actor had also compromised a governmental institution in Honduras and a research institute in Mexico, both in late June 2024. The timing of the attacks suggests a coordinated campaign across multiple regions.
ESET researcher Alexandre Côté Cyr, who led the investigation, said, “While these new versions exhibit significant upgrades, they can still be traced back directly to earlier, publicly documented versions. The loaders used in these attacks also present substantial code overlaps with samples previously attributed to FamousSparrow.”
The group initially gained access by deploying a webshell on an IIS server, though the exact exploit remains unknown. Both affected organisations were using outdated versions of Microsoft Exchange and Windows Server, which have several known vulnerabilities that can be exploited to install webshells.
Use of ShadowPad and toolset raises attribution questions
The attackers made use of a combination of custom-built tools and malware shared by other China-aligned APT groups, as well as widely available software. Notably, this campaign marked the first time FamousSparrow was seen using the ShadowPad backdoor. Alongside the new SparrowDoor versions, the payloads delivered in this campaign were capable of performing a wide range of actions—running commands, accessing files, logging keystrokes, transferring data, managing processes, tracking file changes, and capturing screenshots.
In September 2024, a Wall Street Journal report highlighted a breach involving US internet service providers. The article cited Microsoft, which claimed the responsible actor, known as Salt Typhoon, was the same as FamousSparrow and GhostEmperor. ESET disagrees with this assessment. “It was the first public report that conflates the latter two groups. However, we see GhostEmperor and FamousSparrow as two distinct groups. There are few overlaps between the two but many discrepancies. Based on our data and analysis of the publicly available reports, FamousSparrow appears to be its own distinct cluster with loose links to the others,” said Côté Cyr.
FamousSparrow has operated since at least 2019 and was first documented by ESET in 2021 when it was found exploiting the ProxyLogon vulnerability. While it was initially known for targeting hotels around the world, it has since expanded its operations to include government agencies, international organisations, engineering firms and law firms. FamousSparrow remains the only known user of the SparrowDoor backdoor.
ESET has published a full technical breakdown of this campaign on its blog, titled “You will always remember this as the day you finally caught FamousSparrow”, available on WeLiveSecurity.com. The company recommends following ESET Research on X, BlueSky, and Mastodon for ongoing updates.
