A China-linked cyberespionage group known as 'FamousSparrow' was observed using a new modular version of its signature backdoor 'SparrowDoor' against a US-based trade organization.

The activity and new malware version were observed by security researchers at ESET, who found evidence the threat actor has been more active than initially thought since its last operations were exposed in 2022.

Apart from the US trade organization, which operates in the financial sector, other recent attacks ESET uncovered and linked to FamousSparrow include a Mexican research institute and a government institution in Honduras.

In all these cases, initial access was achieved via exploitation of outdated Microsoft Exchange and Windows Server endpoints, infecting them with webshells.

ESET notes that Microsoft groups FamousSparrow, GhostEmperor, and Earth Estries under one threat cluster it calls Salt Typhoon. Given the lack of technical evidence to support this, ESET tracks them as distinct groups.

ESET's investigation actually uncovered two new versions of the SparrowDoor backdoor.

The first is similar to a backdoor Trend Micro attributed to 'Earth Estries,' featuring better code quality, improved architecture, encrypted configuration, persistence mechanisms, and stealthy command-and-control (C2) switching.

The most recent variant constitutes the most significant update, as it is a modular backdoor featuring a plugin-based architecture.

"Both versions of SparrowDoor used in this campaign constitute considerable advances in code quality and architecture compared to older ones," reads the ESET report.

A key new feature that applies to both new versions is parallel command execution, where the backdoor can continue listening for incoming commands and processing them while it executes previous ones.

Another interesting finding in ESET's report is FamousSparrow's use of ShadowPad, a versatile modular remote access trojan (RAT) associated with several Chinese APTs.

In the attacks observed by the researchers, ShadowPad was loaded via DLL side-loading using a renamed Microsoft Office IME executable, injected into the Windows Media Player (wmplayer.exe) process, and connected to a known C2 server associated with the RAT.

This indicates that FamousSparrow may now have access to high-tier Chinese cyber tools, like other state-sponsored actors.

ESET explains these overlaps as signs of a shared third-party supplier, aka a "digital quartermaster," that hides behind and supports all these Chinese threat groups.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
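The ShadowPad loading chain described above (a renamed, legitimately signed Microsoft binary side-loading a DLL, then injecting into wmplayer.exe) is the kind of pattern that surfaces in endpoint telemetry before any C2 traffic is seen. The following detection sketch is an added example, not code from ESET, BleepingComputer or the threat actor: it runs three rules over Sysmon-style process-create (Event ID 1), image-load (Event ID 7) and CreateRemoteThread (Event ID 8) records and correlates them per process. All sample records are constructed, and every path, file name and OriginalFileName value in them is an assumption; the page does not name the real IME executable or DLL.

```python
"""Added example (not ESET's or the page author's code): flags the side-load ->
wmplayer.exe injection chain in Sysmon-style records. Field names follow Sysmon
(Image, OriginalFileName, ImageLoaded, SignatureStatus, SourceImage, TargetImage).
All records below are constructed samples; paths and names are assumptions."""
from __future__ import annotations

from dataclasses import dataclass

# Directories from which a signed Windows or Office binary is expected to resolve DLLs.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass(frozen=True)
class Finding:
    rule: str
    process_guid: str
    detail: str


def _name(path: str) -> str:
    """Lower-cased Windows basename (os.path.basename does not split on '\\' off Windows)."""
    return path.lower().rsplit("\\", 1)[-1]


def _dir(path: str) -> str:
    return path.lower().rsplit("\\", 1)[0] + "\\"


def renamed_host(ev: dict) -> Finding | None:
    """EID 1: on-disk file name differs from the PE version-info OriginalFileName.
    A renamed Office IME executable lands here even though its signature is valid."""
    orig = ev.get("OriginalFileName", "").lower()
    if orig in ("", "?") or orig == _name(ev["Image"]):
        return None
    return Finding("renamed_host", ev["ProcessGuid"],
                   f"{ev['Image']} has OriginalFileName {ev['OriginalFileName']}")


def sideloaded_dll(ev: dict) -> Finding | None:
    """EID 7: DLL loaded from the loader's own directory, outside trusted dirs,
    without a valid signature: the classic side-load shape."""
    dll_dir = _dir(ev["ImageLoaded"])
    if dll_dir != _dir(ev["Image"]) or dll_dir.startswith(TRUSTED_DIRS):
        return None
    if ev.get("SignatureStatus", "").lower() == "valid":
        return None
    return Finding("sideloaded_dll", ev["ProcessGuid"],
                   f"{ev['Image']} loaded unsigned {ev['ImageLoaded']} from its own directory")


def injection_into_wmplayer(ev: dict) -> Finding | None:
    """EID 8: a remote thread was created inside wmplayer.exe."""
    if _name(ev["TargetImage"]) != "wmplayer.exe":
        return None
    return Finding("remote_thread_wmplayer", ev["SourceProcessGuid"],
                   f"{ev['SourceImage']} created a thread in {ev['TargetImage']}")


def analyze(events: list[dict]) -> list[Finding]:
    """Apply the per-event rules, then emit a 'chain' finding for any process that
    tripped a side-load rule and also injected into wmplayer.exe."""
    findings: list[Finding] = []
    rules = {1: renamed_host, 7: sideloaded_dll, 8: injection_into_wmplayer}
    for ev in events:
        rule = rules.get(ev["EventID"])
        if rule is not None and (f := rule(ev)) is not None:
            findings.append(f)
    suspect_loaders = {f.process_guid for f in findings
                       if f.rule in ("renamed_host", "sideloaded_dll")}
    for f in list(findings):
        if f.rule == "remote_thread_wmplayer" and f.process_guid in suspect_loaders:
            findings.append(Finding("sideload_to_wmplayer_chain", f.process_guid,
                                    "side-loaded host injected into wmplayer.exe"))
    return findings


# Constructed sample telemetry. HOST, helper.dll and OFFICEIME.EXE are placeholders
# for the renamed Office IME binary and its side-loaded DLL; the real names are not
# given on the page.
HOST = "C:\\Users\\Public\\Libs\\update.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": HOST, "OriginalFileName": "OFFICEIME.EXE"},
    {"EventID": 7, "ProcessGuid": "{A1}", "Image": HOST,
     "ImageLoaded": "C:\\Users\\Public\\Libs\\helper.dll", "SignatureStatus": "Unavailable"},
    {"EventID": 8, "SourceProcessGuid": "{A1}", "SourceImage": HOST,
     "TargetImage": "C:\\Program Files\\Windows Media Player\\wmplayer.exe"},
    # Benign noise: correctly named binary loading a signed system DLL.
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": "C:\\Windows\\System32\\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
    {"EventID": 7, "ProcessGuid": "{B2}", "Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.process_guid}: {finding.detail}")
```

The per-event rules are noisy on their own (renamed binaries and unsigned side-by-side DLLs both occur legitimately), which is why the chain finding correlates them on the process GUID: a process that is both a renamed signed host and the source of a thread in wmplayer.exe is worth an immediate look, whereas either signal alone is a triage item.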
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 27 Mar 2025 18:40:22 +0000