China-linked FamousSparrow APT group resurfaces with enhanced capabilities

ESET investigated suspicious activity on the network of a trade group in the United States that operates in the financial sector. While helping the affected entity remediate the compromise, they made an unexpected discovery in the victim’s system: malicious tools belonging to FamousSparrow, a China-aligned APT group. The group was considered inactive, as there had been no publicly documented activity by FamousSparrow since 2022.


Overview of the compromise chain used in this FamousSparrow campaign. Source: ESET

FamousSparrow is a cyberespionage group that has been active since at least 2019. ESET Research first publicly documented the group in 2021 when it observed it exploiting the ProxyLogon vulnerability. Initially known for targeting hotels worldwide, the group has targeted governments, international organizations, engineering companies, and law firms. FamousSparrow is the only known user of the SparrowDoor backdoor.

The investigation shows that FamousSparrow was not only still active during this period, but that it must have also been developing its toolset, since the compromised network revealed not one, but two previously undocumented versions of SparrowDoor, FamousSparrow’s flagship backdoor.

Researchers uncovered additional activity by the group during the 2022-2024 period, including the targeting of a governmental institution in Honduras. They also found that, as part of this campaign, the threat actor breached a research institute in Mexico just a couple of days before the compromise in the U.S.; both were compromised in late June 2024. Both newly discovered versions of SparrowDoor constitute marked progress over earlier iterations, especially in terms of code quality and architecture, and one of them implements parallelization of commands.

“While these new versions exhibit significant upgrades, they can still be traced back directly to earlier, publicly documented versions. The loaders used in these attacks also present substantial code overlaps with samples previously attributed to FamousSparrow,” says ESET researcher Alexandre Côté Cyr, who made the discovery.

FamousSparrow deployed a web shell on an IIS server to gain initial access to the affected network. While ESET could not determine the exact exploit used to deploy the web shells, both victims were running outdated versions of Windows Server and Microsoft Exchange, for which there are several publicly available exploits.

As for the toolset used in the campaign, the threat actor employed a mix of custom tools and malware, tools shared among China-aligned APT groups, and publicly available tools. The final payloads were the SparrowDoor and ShadowPad backdoors, with plugins capable of running commands, performing file system operations, keylogging, transferring files, listing and killing processes, monitoring file system changes, and taking screenshots.

In September 2024, the WSJ published an article (registration required) reporting that internet service providers in the United States had been compromised by a threat actor named Salt Typhoon. The article relays claims by Microsoft that this threat actor is the same as FamousSparrow and GhostEmperor.

“It was the first public report that conflates the latter two groups. However, we see GhostEmperor and FamousSparrow as two distinct groups. There are few overlaps between the two but many discrepancies. Based on our data and analysis of the publicly available reports, FamousSparrow appears to be its own distinct cluster with loose links to the others,” explains Côté Cyr.
