Monday, 31 March 2025

China-aligned hacker group FamousSparrow resurfaces in cyberattacks

ESET finds China-linked hacker group FamousSparrow still active with upgraded tools, targeting institutions in the US, Mexico and Honduras.

ESET Research has uncovered renewed cyberespionage activity linked to FamousSparrow, a China-aligned advanced persistent threat (APT) group previously thought to be inactive. The discovery was made during an investigation into suspicious network activity at a trade organisation in the United States financial sector. While assisting with remediation, ESET researchers uncovered two previously undocumented variants of SparrowDoor, the group's custom backdoor.

This marked the first public sign of FamousSparrow activity since 2022, revealing that not only was the group still operational, but it had also continued to improve its capabilities. According to ESET, both new versions of SparrowDoor showed significant improvements in code quality and design. One of the variants introduced parallel execution of commands, a first for this malware family.

The campaign was not limited to the United States. ESET's investigation found that the same threat actor had also compromised a governmental institution in Honduras and a research institute in Mexico, both in late June 2024. The timing of the attacks suggests a coordinated campaign across multiple regions.

ESET researcher Alexandre Côté Cyr, who led the investigation, said, "While these new versions exhibit significant upgrades, they can still be traced back directly to earlier, publicly documented versions. The loaders used in these attacks also present substantial code overlaps with samples previously attributed to FamousSparrow."

The group initially gained access by deploying a webshell on an IIS server, though the exact exploit remains unknown. Both affected organisations were using outdated versions of Microsoft Exchange and Windows Server, which have several known vulnerabilities that can be exploited to install webshells.

Use of ShadowPad and toolset raises attribution questions

The attackers made use of a combination of custom-built tools and malware shared by other China-aligned APT groups, as well as widely available software. Notably, this campaign marked the first time FamousSparrow was seen using the ShadowPad backdoor. Alongside the new SparrowDoor versions, the payloads delivered in this campaign were capable of performing a wide range of actions: running commands, accessing files, logging keystrokes, transferring data, managing processes, tracking file changes, and capturing screenshots.

In September 2024, a Wall Street Journal report highlighted a breach involving US internet service providers. The article cited Microsoft, which claimed the responsible actor, known as Salt Typhoon, was the same as FamousSparrow and GhostEmperor. ESET disagrees with this assessment. "It was the first public report that conflates the latter two groups. However, we see GhostEmperor and FamousSparrow as two distinct groups. There are few overlaps between the two but many discrepancies. Based on our data and analysis of the publicly available reports, FamousSparrow appears to be its own distinct cluster with loose links to the others," said Côté Cyr.

FamousSparrow has operated since at least 2019 and was first documented by ESET in 2021 when it was found exploiting the ProxyLogon vulnerability. While it was initially known for targeting hotels around the world, it has since expanded its operations to include government agencies, international organisations, engineering firms and law firms. FamousSparrow remains the only known user of the SparrowDoor backdoor.

ESET has published a full technical breakdown of this campaign on its blog, titled "You will always remember this as the day you finally caught FamousSparrow", available on WeLiveSecurity.com. The company recommends following ESET Research on X, BlueSky, and Mastodon for ongoing updates.
