In a recent discovery, cybersecurity experts have identified renewed activity from FamousSparrow, a China-aligned APT group previously thought to be inactive since 2022. The threat actor has resurfaced with two previously undocumented versions of its signature backdoor, SparrowDoor, targeting organizations in the financial sector and research institutions across multiple countries. The campaign represents a concerning evolution in FamousSparrow’s capabilities, as the group was also observed using ShadowPad for the first time – a privately sold backdoor known to be supplied exclusively to China-aligned threat actors.

ESET researchers discovered the malicious activity in July 2024 when investigating suspicious behavior on the system of a US-based trade group operating in the financial sector. Their analysis revealed that FamousSparrow had not only remained active but had been developing its toolset significantly, with marked improvements in code quality and architecture of its flagship backdoor. Most notably, researchers found that one version of SparrowDoor is now modular, while another resembles what other security firms have called “CrowDoor” and attributed to the Earth Estries APT group, suggesting potential overlaps between these threat actors.

The attack chain begins with webshell deployment on outdated IIS or Exchange servers, followed by lateral movement and the installation of the enhanced SparrowDoor variants. When the backdoor receives parallelized commands, it creates a new thread that initiates a separate connection to the command-and-control server. This architectural change allows the backdoor to continue handling new commands while lengthy operations, such as file I/O and interactive shell sessions, are being processed. This multi-threaded approach represents a sophisticated advancement over previous versions, making the backdoor more efficient and responsive.

The discovery highlights how sophisticated APT groups continuously improve their toolsets even during periods of apparent inactivity, reinforcing the need for organizations to maintain robust security measures against evolving threats.
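The parallel command handling described above has an observable side effect on the network: a single process holds more than one open session to the same remote endpoint at the same time. The following detection, added here as an example and not taken from ESET's research or the article, sweeps per-process connection records for that overlap; the record schema, process names and addresses are constructed for illustration.

```python
"""Flag a process that opens a second, overlapping session to the same remote
endpoint while an earlier one is still active. Schema and records are constructed."""
from collections import defaultdict

# Constructed records: (pid, process, start_ts, end_ts, dst_ip, dst_port)
SAMPLE_CONNECTIONS = [
    (4120, "svchost.exe", 100.0, 105.0, "203.0.113.10", 443),  # sequential, benign
    (4120, "svchost.exe", 106.0, 110.0, "203.0.113.10", 443),
    (5217, "updater.exe", 200.0, 900.0, "198.51.100.7", 443),  # long-lived session
    (5217, "updater.exe", 250.0, 260.0, "198.51.100.7", 443),  # opened while first is alive
    (5217, "updater.exe", 255.0, 300.0, "198.51.100.7", 443),  # third concurrent session
    (6001, "chrome.exe", 300.0, 301.0, "192.0.2.5", 443),      # browsers also fan out
    (6001, "chrome.exe", 300.5, 302.0, "192.0.2.5", 443),
]


def find_parallel_sessions(records, min_concurrent=2):
    """Return {(pid, process, "ip:port"): peak_concurrency} for each
    process/destination pair whose sessions overlap at least min_concurrent deep."""
    by_key = defaultdict(list)
    for pid, proc, start, end, ip, port in records:
        by_key[(pid, proc, f"{ip}:{port}")].append((start, end))
    hits = {}
    for key, intervals in by_key.items():
        # Sweep line: +1 at each start, -1 at each end. Ends sort before starts
        # at an equal timestamp, so back-to-back sessions do not count as overlap.
        events = sorted([(s, 1) for s, _ in intervals] + [(e, -1) for _, e in intervals])
        depth = peak = 0
        for _, delta in events:
            depth += delta
            peak = max(peak, depth)
        if peak >= min_concurrent:
            hits[key] = peak
    return hits


if __name__ == "__main__":
    for (pid, proc, dst), peak in find_parallel_sessions(SAMPLE_CONNECTIONS).items():
        print(f"pid={pid} {proc} -> {dst}: {peak} concurrent sessions")
```

Browsers and update agents legitimately open parallel connections, so the signal is most useful on server roles such as the IIS or Exchange hosts named in the attack chain, with a higher threshold or a process allow-list applied before alerting.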
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 28 Mar 2025 11:50:05 +0000