Sunday, 20 April 2025
26.2 C
Singapore
29.5 C
Thailand
20.1 C
Indonesia
29 C
Philippines

China-aligned hacker group FamousSparrow resurfaces in cyberattacks

ESET finds China-linked hacker group FamousSparrow still active with upgraded tools, targeting institutions in the US, Mexico and Honduras.

ESET Research has uncovered renewed cyberespionage activity linked to FamousSparrow, a China-aligned advanced persistent threat (APT) group previously thought to be inactive. The discovery was made during an investigation into suspicious network activity at a trade organisation in the United States financial sector. While assisting with remediation, ESET researchers uncovered two previously undocumented variants of SparrowDoor, the group’s custom backdoor.

This marked the first public sign of FamousSparrow activity since 2022, revealing that not only was the group still operational, but it had also continued to improve its capabilities. According to ESET, both new versions of SparrowDoor showed significant improvements in code quality and design. One of the variants introduced parallel execution of commands, a first for this malware family.

The campaign was not limited to the United States. ESET’s investigation found that the same threat actor had also compromised a governmental institution in Honduras and a research institute in Mexico, both in late June 2024. The timing of the attacks suggests a coordinated campaign across multiple regions.

ESET researcher Alexandre Côté Cyr, who led the investigation, said, “While these new versions exhibit significant upgrades, they can still be traced back directly to earlier, publicly documented versions. The loaders used in these attacks also present substantial code overlaps with samples previously attributed to FamousSparrow.”

The group initially gained access by deploying a webshell on an IIS server, though the exact exploit remains unknown. Both affected organisations were using outdated versions of Microsoft Exchange and Windows Server, which have several known vulnerabilities that can be exploited to install webshells.

Use of ShadowPad and toolset raises attribution questions

The attackers made use of a combination of custom-built tools and malware shared by other China-aligned APT groups, as well as widely available software. Notably, this campaign marked the first time FamousSparrow was seen using the ShadowPad backdoor. Alongside the new SparrowDoor versions, the payloads delivered in this campaign were capable of performing a wide range of actions—running commands, accessing files, logging keystrokes, transferring data, managing processes, tracking file changes, and capturing screenshots.

In September 2024, a Wall Street Journal report highlighted a breach involving US internet service providers. The article cited Microsoft, which claimed the responsible actor, known as Salt Typhoon, was the same as FamousSparrow and GhostEmperor. ESET disagrees with this assessment. “It was the first public report that conflates the latter two groups. However, we see GhostEmperor and FamousSparrow as two distinct groups. There are few overlaps between the two but many discrepancies. Based on our data and analysis of the publicly available reports, FamousSparrow appears to be its own distinct cluster with loose links to the others,” said Côté Cyr.

FamousSparrow has operated since at least 2019 and was first documented by ESET in 2021 when it was found exploiting the ProxyLogon vulnerability. While it was initially known for targeting hotels around the world, it has since expanded its operations to include government agencies, international organisations, engineering firms and law firms. FamousSparrow remains the only known user of the SparrowDoor backdoor.

ESET has published a full technical breakdown of this campaign on its blog, titled “You will always remember this as the day you finally caught FamousSparrow”, available on WeLiveSecurity.com. The company recommends following ESET Research on X, BlueSky, and Mastodon for ongoing updates.

Hot this week

Vertex Growth invests €10M in Dolphin Semiconductor to support global expansion

Vertex Growth commits €10M to Dolphin Semiconductor, boosting R&D and expansion, with a focus on market growth in Asia and beyond.

Johnson Controls study highlights OpenBlue platform’s ROI and energy savings for buildings

Johnson Controls' OpenBlue delivers up to 155% ROI, energy savings and smarter real estate decisions through AI-powered building insights.

YouTube launches free AI tool to help you create background music

YouTube introduces a free AI tool in the Creator Music section that lets you create copyright-free background music using simple prompts.

Garmin launches Varia Vue, its first cycling headlight with 4K camera

Garmin’s new Varia Vue headlight features a 4K camera and smart lighting to boost cycling safety and visibility on the road.

Semperis: Lessons from the HomeTeamNS ransomware attack

Semperis shares key lessons from the HomeTeamNS ransomware attack and how organisations can defend against evolving cyber threats.

AMD’s RX 9070 GRE leak could bring welcome news for gamers

Leaked AMD’s RX 9070 GRE specs suggest a strong mid-range GPU with 12GB memory and fast clocks, perfect for modern gamers.

Intel’s new CEO reshapes leadership, promotes AI chief and plans closer work with engineers

Intel CEO Lip-Bu Tan is reshaping leadership, promoting a new AI chief, and aiming for a leaner, more engineering-driven company.

Apple’s iPhone sales drop in China amid growing trade tensions

Apple’s iPhone sales in China fell 9% as local brands grew, and trade tensions created more uncertainty for the smartphone market.

ASUS and Hatsune Miku team up for colourful new gaming gear

ASUS and Hatsune Miku join forces to launch a vibrant limited-edition gaming gear set, arriving in Singapore this June.

Related Articles

Popular Categories