China’s FamousSparrow APT Hits Americas with SparrowDoor Malware
hackread.com
A recent investigation by ESET researchers has shed light on the continued activities and evolving toolset of the China-aligned Advanced Persistent Threat (APT) group known as FamousSparrow (aka Salt Typhoon).
The probe, initiated by suspicious activity detected in July 2024 within a United States-based financial trade group, revealed that FamousSparrow has been diligently enhancing its malicious capabilities. Evidence pointed to a concurrent breach of a Mexican research institute and a governmental institution in Honduras, demonstrating the group’s broadening targeting scope.
Also, this campaign marked the first documented instance of FamousSparrow utilizing ShadowPad, a privately distributed backdoor known to be exclusively supplied to threat actors aligned with Chinese interests.
The analysis detailed the deployment of two newly discovered versions of the group’s signature malware, SparrowDoor. One version bears similarity to the “CrowDoor” backdoor, a tool attributed to the Earth Estries APT group by Trend Micro, while the other, a ...