
FamousSparrow Deploys New SparrowDoor Variants and ShadowPad in Cyber Attacks on U.S. and Mexico


The Chinese-linked threat actor known as FamousSparrow has resurfaced in a new cyber campaign targeting a U.S. trade organization and a Mexican research institute, deploying its signature SparrowDoor backdoor and, for the first time, the widely used ShadowPad malware.

This activity, observed in July 2024, marks a significant evolution in the group’s tactics and tools, reflecting continued development and operational capability.

Who Is FamousSparrow?

FamousSparrow is an advanced persistent threat (APT) group first identified by cybersecurity firm ESET in 2021. The group has been linked to cyberattacks against hotels, law firms, engineering companies, and government entities, leveraging a custom backdoor known as SparrowDoor.

Although the group shares some tactical similarities with other known Chinese-linked clusters such as Earth Estries, GhostEmperor, and Salt Typhoon (associated with telecom sector intrusions), ESET treats FamousSparrow as a distinct threat actor. The overlap appears to stem from shared tools such as Crowdoor and HemiGate, but the group's operational behavior remains distinct enough for ESET to track it separately.

Attack Chain and Infection Method

ESET's latest analysis highlights an attack chain that begins with compromised web servers running outdated versions of Windows Server and Microsoft Exchange Server. The threat actor installs a web shell on an IIS (Internet Information Services) server to establish initial access.

From there, the attacker:

  1. Downloads a batch script from a remote command server.

  2. Runs the script, which decodes and executes a Base64-encoded .NET web shell hidden within the payload.

  3. Uses that web shell to deploy two key implants:

    • A new modular version of SparrowDoor, and

    • ShadowPad, a backdoor commonly used by other Chinese APT groups.
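The Base64-wrapped .NET stage in step 2 is something a defender can hunt for in scripts that land on an IIS host. The following is an added example, not code from ESET or the original article: it scans a batch script for long Base64 runs, decodes them, and flags any that decode to a PE carrying .NET strings. The sample batch script, the fake PE bytes and the marker list are all constructed assumptions for this illustration.

```python
import base64
import binascii
import re

# Indicators of a managed (.NET) PE; an assumption for this example (a real tool would parse the PE/CLI headers).
PE_MAGIC = b"MZ"
DOTNET_MARKERS = (b"mscoree.dll", b"_CorDllMain", b"System.Web", b"ProcessRequest")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Constructed stand-in for a Base64-wrapped .NET payload: a fake PE with a DOS
# stub and .NET strings. NOT a real sample and not executable.
FAKE_DOTNET_PE = (
    b"MZ" + b"\x00" * 58 + b"\x80\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 30
    + b"mscoree.dll\x00_CorDllMain\x00System.Web.UI.Page\x00ProcessRequest\x00"
)
# Constructed batch script: one harmless Base64 string and one embedded fake payload.
BENIGN_B64 = base64.b64encode(b"routine maintenance notice from the help desk, nothing executable here").decode()
SAMPLE_BATCH = (
    "@echo off\r\n"
    "set NOTE=" + BENIGN_B64 + "\r\n"
    "set STAGE=" + base64.b64encode(FAKE_DOTNET_PE).decode() + "\r\n"
)

def decode_b64_run(run):
    """Decode a Base64 run, repairing padding; return None if it is not valid Base64."""
    core = run.rstrip("=")
    if len(core) % 4 == 1:  # a lone trailing sextet encodes no byte; drop it
        core = core[:-1]
    try:
        return base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None

def classify_blob(data):
    """Report whether decoded bytes start like a PE and which .NET markers they carry."""
    return {"is_pe": data[:2] == PE_MAGIC,
            "dotnet_markers": [m.decode() for m in DOTNET_MARKERS if m in data]}

def find_embedded_dotnet(script_text):
    """Return each Base64 run in the script that decodes to a PE carrying .NET markers."""
    hits = []
    for match in B64_RUN.finditer(script_text):
        data = decode_b64_run(match.group(0))
        if data is None:
            continue  # not Base64 after all (e.g. a long hex string or token)
        info = classify_blob(data)
        if info["is_pe"] and info["dotnet_markers"]:
            hits.append({"offset": match.start(), "encoded_len": len(match.group(0)), **info})
    return hits
```

The benign Base64 string in the sample decodes to plain text and is not reported, which is the false-positive filter a script scanner of this kind needs.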

Evolution of SparrowDoor

The campaign introduces two previously undocumented versions of SparrowDoor, each showcasing significant technical improvements over prior variants:

1. Improved Standard Version

This version includes features inspired by Crowdoor but incorporates enhancements such as:

  • Parallel execution of commands, allowing simultaneous handling of file operations and shell sessions.

  • Thread-based task execution, where each thread establishes a new connection to the C&C (Command-and-Control) server.

  • Ability to associate a unique victim ID and command ID for tracking multiple concurrent operations.

“This allows the C&C server to keep track of which connections are related to the same victim and what their purposes are,” said Alexandre Côté Cyr, an ESET researcher.

The backdoor supports a wide range of commands:

  • Launching interactive shell sessions

  • Starting proxies

  • File and directory manipulation

  • Host reconnaissance

  • Self-uninstallation

2. Modular SparrowDoor Variant

The second version adopts a plugin-based architecture, offering greater flexibility and scalability. It includes nine distinct modules:

  Module         Functionality
  Cmd            Run individual commands
  CFile          Perform file system operations
  CKeylogPlug    Record keystrokes (keylogging)
  CSocket        Start a TCP proxy
  CShell         Launch an interactive shell session
  CTransf        Transfer files between host and C&C server
  CRdp           Take remote desktop screenshots
  CPro           List and terminate running processes
  CFileMoniter   Monitor changes to specific directories

“This newly found activity indicates that not only is the group still operating, but it was also actively developing new versions of SparrowDoor during this time,” ESET concluded.

Introduction of ShadowPad

The campaign also marks the first use of ShadowPad by FamousSparrow. ShadowPad is a modular malware platform widely used by multiple Chinese APT groups. Its integration into the group’s toolset suggests potential collaboration or shared resources with other China-aligned operations.

The adoption of ShadowPad further aligns FamousSparrow with the broader Chinese cyber espionage ecosystem, reinforcing concerns about state-sponsored support and shared infrastructure among threat actors.

Conclusion: Continued Threat from Evolving APTs

The latest activity by FamousSparrow underscores the ongoing threat posed by Chinese-linked APT groups, especially those capable of combining custom implants with shared offensive tools like ShadowPad. By leveraging modular backdoors, thread-based execution, and advanced command tracking, FamousSparrow is demonstrating its ability to adapt and scale its operations against international targets.

Security professionals are advised to:

  • Keep server software and Exchange instances fully patched

  • Monitor for web shell activity and unauthorized script execution

  • Use threat intelligence feeds to track evolving APT toolsets