New FamousSparrow Malware Targets Hotels and Engineering Firms with Custom Backdoor
ESET researchers have uncovered new activity from the China-aligned APT group FamousSparrow, revealing two previously undocumented versions of their custom SparrowDoor backdoor.
The group, thought to be inactive since 2022, compromised a US-based trade organization in the financial sector and a Mexican research institute in July 2024.
The first variant closely resembles the CrowDoor malware attributed to Earth Estries, while the second introduces a modular architecture.
Both versions demonstrate significant advancements in code quality and implement command parallelization, allowing for simultaneous execution of time-consuming operations.

Expanded Toolkit and Infrastructure
FamousSparrow’s arsenal now includes ShadowPad, a privately sold backdoor typically associated with China-aligned threat actors.
The group utilized a mix of custom and publicly available tools, including PowerHub for post-exploitation and BadPotato for privilege escalation.
The attackers initially deployed an ASHX webshell on compromised IIS servers, likely exploiting vulnerabilities in outdated ...
Copyright of this story solely belongs to gbhackers.