Hashtag: #FamousSparrow
China's FamousSparrow flies back, breaches US org: Crew also cooked up two fresh SparrowDoor backdoor variants, says ESET

FamousSparrow’s back from the shadows—hitting U.S. finance, Mexico’s research sector, and even Honduras gov systems. China’s cyber spies don’t sleep, they upgrade.
#FamousSparrow
#CyberEspionage
#ChinaHacks
#DigitalThreats www.theregister.com/2025/03/27/c...

China’s FamousSparrow APT Hits United States Via SparrowDoor Malware

A China-linked cyberespionage gang known as 'FamousSparrow' was caught utilising a new modular version of its signature backdoor 'SparrowDoor' against a US-based trade organisation. Security experts at ESET spotted the activities and new malware version, uncovering evidence that the attacker has been more active than previously anticipated since its last operations were reported in 2022.

Apart from the financial organisation, ESET identified and linked further recent attacks to FamousSparrow, including a Mexican research facility and a Honduran government entity. In all of these incidents, initial access was acquired by exploiting obsolete Microsoft Exchange and Windows Server endpoints and infecting them with webshells.

New modular SparrowDoor

ESET's investigation revealed two new variants of the SparrowDoor backdoor. The first is identical to a backdoor credited to 'Earth Estries', with enhanced code quality, architecture, encrypted configuration, persistence methods, and stealthy command-and-control (C2) switching. A critical new feature that applies to both new versions is parallel command execution, which allows the backdoor to continue listening for and processing incoming commands while executing prior ones.

"Both versions of SparrowDoor used in this campaign constitute considerable advances in code quality and architecture compared to older ones," reads the ESET report. "The most significant change is the parallelization of time-consuming commands, such as file I/O and the interactive shell. This allows the backdoor to continue handling new commands while those tasks are performed."

The latest version, which is a modular backdoor with a plugin-based architecture, includes the most significant modifications. Its operating capabilities can be expanded while staying covert and undetectable by receiving additional plugins from the C2 at runtime, which are fully loaded in memory.

ShadowPad link

Another notable finding in ESET's analysis is FamousSparrow's use of ShadowPad, a sophisticated modular remote access trojan (RAT) linked to various Chinese APTs. In the attacks seen by the researchers, ShadowPad was loaded via DLL side-loading from a renamed Microsoft Office IME executable, injected into the Windows Media Player (wmplayer.exe) process, and linked to a known C2 server associated with the RAT. This suggests that FamousSparrow, like other state-sponsored entities, may now have access to advanced Chinese cyber tools.

According to ESET, Microsoft classifies Earth Estries, GhostEmperor, and FamousSparrow under a single threat cluster they refer to as Salt Typhoon. ESET tracks them as separate categories because there isn't any technical evidence to support this. It acknowledges, meanwhile, that their tools share code, exploitation strategies, and some infrastructure reuse. These overlaps, according to ESET, are indicators of a common third-party supplier, sometimes known as a "digital quartermaster", who supports and lurks behind all of these Chinese attack groups.

China’s FamousSparrow APT Hits United States Via SparrowDoor Malware #ChineseHacker #CyberAttacks #FamousSparrow

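The ShadowPad loading chain summarised in the article above (a renamed Microsoft Office IME executable side-loading a DLL, then injection into wmplayer.exe and a C2 connection) maps onto three host-telemetry heuristics. The script below is an added example written for this page, not code from ESET or from any article linked here; it runs over constructed Sysmon-style events (Event ID 1 process create, 7 image load, 3 network connect) and every path, file name, GUID and IP in it is a hypothetical stand-in, not an indicator from the campaign.

```python
"""Triage heuristics for a DLL side-loading chain, run over constructed Sysmon-like events.

Rule 1: a process whose on-disk name differs from the PE version-resource
        OriginalFileName (Sysmon EID 1 carries this field), i.e. a renamed binary.
Rule 2: that renamed process loading an unsigned DLL from its own directory
        (Sysmon EID 7 with Signed=false), the classic side-loading shape.
Rule 3: wmplayer.exe making an outbound connection (Sysmon EID 3). Windows
        Media Player does stream legitimately, so this is low confidence on its
        own and is meant to be correlated with rules 1 and 2 on the same host.
"""
import ntpath  # Windows path semantics regardless of the analysis host

# Constructed sample events; names, paths and addresses are hypothetical.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "p1", "Image": r"C:\ProgramData\Update\update.exe",
     "OriginalFileName": "OFFICEIME.EXE"},
    {"EventID": 7, "ProcessGuid": "p1", "Image": r"C:\ProgramData\Update\update.exe",
     "ImageLoaded": r"C:\ProgramData\Update\imehelper.dll", "Signed": "false"},
    {"EventID": 7, "ProcessGuid": "p1", "Image": r"C:\ProgramData\Update\update.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 3, "ProcessGuid": "p2",
     "Image": r"C:\Program Files\Windows Media Player\wmplayer.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign baseline: name matches version resource, signed system DLL.
    {"EventID": 1, "ProcessGuid": "p3", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
    {"EventID": 7, "ProcessGuid": "p3", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
]


def renamed_binaries(events):
    """Rule 1: map ProcessGuid -> (Image, OriginalFileName) for renamed executables."""
    hits = {}
    for e in events:
        if e.get("EventID") != 1:
            continue
        disk_name = ntpath.basename(e["Image"]).lower()
        original = e.get("OriginalFileName", "").lower()
        # An empty OriginalFileName is common for unsigned tooling; do not flag it here.
        if original and disk_name != original:
            hits[e["ProcessGuid"]] = (e["Image"], e["OriginalFileName"])
    return hits


def sideloaded_dlls(events, renamed):
    """Rule 2: unsigned DLLs loaded from the host exe's own directory by a renamed process."""
    hits = []
    for e in events:
        if e.get("EventID") != 7 or e["ProcessGuid"] not in renamed:
            continue
        same_dir = (ntpath.dirname(e["ImageLoaded"]).lower()
                    == ntpath.dirname(e["Image"]).lower())
        if same_dir and e.get("Signed", "").lower() == "false":
            hits.append((e["Image"], e["ImageLoaded"]))
    return hits


def wmplayer_egress(events):
    """Rule 3: outbound connections from wmplayer.exe (low confidence alone)."""
    return [(e["Image"], e["DestinationIp"], e["DestinationPort"])
            for e in events
            if e.get("EventID") == 3
            and ntpath.basename(e["Image"]).lower() == "wmplayer.exe"]


def triage(events):
    """Run all three rules and return the findings grouped by rule."""
    renamed = renamed_binaries(events)
    return {
        "renamed": renamed,
        "sideload": sideloaded_dlls(events, renamed),
        "wmplayer_net": wmplayer_egress(events),
    }


if __name__ == "__main__":
    for rule, findings in triage(SAMPLE_EVENTS).items():
        print(rule, findings)
```

OriginalFileName comes from the PE version resource, so an attacker who rebuilds or patches the binary can blank or spoof it; treat rule 1 as a triage filter rather than proof, and expect noise from installers and portable tools that are legitimately renamed. Rules 1 and 2 together on one process are the strong signal; rule 3 only raises priority.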
China’s FamousSparrow APT Hits Americas with SparrowDoor Malware

China-linked APT group #FamousSparrow (aka Salt Typhoon) has resurfaced, targeting US and LATAM orgs with an upgraded version of #SparrowDoor malware.

Read: hackread.com/china-famous...

#CyberSecurity #CyberAttack #SaltTyphoon #China #LATAM

Chinese Hacker Gang FamousSparrow Deploys Improved Malware in Its New Attacks - CIBERNINJAS  A China-linked cyberespionage group (known as FamousSparrow) has begun deploying an improved modular version of its backdoor

💻 Chinese Hacker Gang FamousSparrow Deploys Improved Malware in Its New Attacks ciberninjas.com/famoussparro...

#FamousSparrow #ChineseHackers #Malware #CyberSecurity #Cybercriminals #CyberAttacks #Technology #InformationSecurity

Chinese Spy Group FamousSparrow Back with a Vengeance, Targets US
Once considered inactive, the Chinese cyber espionage group FamousSparrow has reemerged, targeting organizations across the US, Mexico and Honduras

Chinese spy group FamousSparrow is back for revenge, targeting the US

Chinese Spy Group FamousSparrow Back with a Vengeance, Targets US #InfosecurityMagazine (Mar 27)

#FamousSparrow #SparrowDoor #APTGroup #CyberEspionage #CyberSecurity

Chinese FamousSparrow hackers deploy upgraded malware in attacks
A China-linked cyberespionage group known as 'FamousSparrow' was observed using a new modular version of its signature backdoor 'SparrowDoor' against a US-based trade organization.

Chinese FamousSparrow hackers deploy upgraded malware in attacks

Chinese FamousSparrow hackers deploy upgraded malware in attacks #BleepingComputer (Mar 27)

#FamousSparrow #CyberEspionage #SparrowDoor #Malware #CyberSecurity

Famous Sparrow APT Group: Enhanced Cyber Arsenal and Global Threats | The DefendOps Diaries
Explore the enhanced cyber arsenal of the Famous Sparrow APT group and their global threat impact.

Famous Sparrow APT Group: Enhanced Cyber Arsenal and Global Threats

#famoussparrow
#aptgroup
#cyberespionage
#shadowpad
#cybersecurity

FamousSparrow Returns with Two New Versions of Their Signature SparrowDoor Backdoor
FamousSparrow reemerges after a three-year hiatus, deploying two previously undocumented versions of the group’s signature backdoor.

The inactive China-linked group FamousSparrow has returned to cybercrime with two new versions of its old backdoor, SparrowDoor.

#FamousSparrow #Sparrowdoor #Backdoor #APT #SaltTyphoon #EarthEstries

New SparrowDoor Backdoor Variants Uncovered | FamousSparrow
FamousSparrow APT group deploys new SparrowDoor backdoor variants in targeted cyberattacks on U.S. and Mexican organizations. Discover how

🚨 Cyber Alert: FamousSparrow APT Group Resurfaces!
Two new variants of the SparrowDoor

👉 technijian.com/cyber-securi...

#CyberSecurity #Malware #FamousSparrow #APTThreat #SparrowDoor #ShadowPad #Technijian #InfoSec #CyberAttack #DataBreach #ThreatIntelligence #CISO #IncidentResponse #HackingNews


12/ #Cybersecurity #InfoSec #DataBreach #Ransomware #ThreatIntelligence #DataPrivacy #ZeroDay #FamousSparrow #RedCurl #StreamElements #Chrome #SecurityNews #CybersecurityThreats #InfoSecurity #CyberAttack #DataSecurity #PrivacyMatters #SaltTyphoon #CriticalInfrastructure #Cybercrime #ThreatActor


ESET: #FamousSparrow =\= Salt Typhoon

Microsoft: #SaltTyphoon = Famous Sparrow, #GhostEmperor

Trend Micro: #EarthEstries = Salt Typhoon

The rest of the world: ❔🤔❔🤷🏻😅 I guess they're all the same???

#threatintel

You will always remember this as the day you finally caught FamousSparrow
ESET researchers uncover the toolset used by the FamousSparrow APT group, including two undocumented versions of the group’s signature backdoor, SparrowDoor.

In July 2024, #ESETresearch discovered that the China-aligned #FamousSparrow APT group, thought at the time to have been inactive since 2022, compromised the network of a US trade group and a Mexican research institute. www.welivesecurity.com/en/eset-rese... 1/5


Oddly enough, I can't find a single detailed source linking #FamousSparrow and #GhostEmperor together aside from a couple of Xeets and the MSFT Threat Naming blog linking those entities together to #SaltTyphoon. It seems we've really embraced that link but documented evidence is THIN.
