The cyber threat group FamousSparrow has resurfaced in a set of attacks targeting a U.S. trade organization and a Mexican research institution.
This time, the group is wielding two new versions of its signature malware, SparrowDoor, and, for the first time, deploying ShadowPad, a backdoor shared among several China-aligned espionage groups.
These fresh developments signal not just the persistence of this group but also their evolving sophistication.
According to a new analysis by cybersecurity firm ESET, these latest variants demonstrate a significant technical leap in how the malware executes commands, manages system interaction, and maintains stealth within infected environments.
From Espionage to Innovation: Who Is FamousSparrow?
FamousSparrow has been active since at least 2019 and was first publicly documented by ESET in 2021. It primarily targets the hospitality sector, law firms, governments, and engineering firms.
While researchers have noted tactical overlaps with groups like GhostEmperor, Salt Typhoon, and Earth Estries, FamousSparrow is believed to function independently though it shares certain infrastructure and malware design concepts with those clusters.
Their signature tool, SparrowDoor, has remained unique to the group. However, their use of ShadowPad in this new campaign raises questions about cross-group tool sharing within China’s cyber espionage ecosystem.
How the Latest Attack Worked
A Quiet Entry Point: Outdated Servers
The campaign, first observed in July 2024, hit hosts running outdated Windows Server and Microsoft Exchange installations.
The initial access vector has not been confirmed, but investigators traced the foothold back to a web shell deployed on an IIS server.
From there, a batch script was fetched from a remote server and executed. It carried a Base64-encoded .NET web shell, which in turn dropped the SparrowDoor and ShadowPad payloads.
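A batch file that smuggles a Base64-encoded payload is easy to hunt for on disk or in script-block logs. The scanner below is an added example, not code from the page or from ESET: it pulls every long Base64 run out of a batch file, decodes it strictly, and labels the result from well-known headers (an MZ/PE header, an ASP.NET page directive, or .NET runtime strings). The sample batch file and the FAKE_PAYLOAD it embeds are constructed here; the payload only mimics the headers of a .NET assembly and contains nothing executable.

```python
import base64
import binascii
import re

# Constructed sample (not taken from the campaign): a batch file carrying a
# Base64 blob, the pattern described above. The blob encodes FAKE_PAYLOAD, a
# stand-in that only mimics the headers and strings of a .NET assembly so the
# script runs offline; nothing here executes.
FAKE_PAYLOAD = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode." + b"\x00" * 16
    + b"System.Reflection.Assembly mscorlib System.Web"
)
SAMPLE_BAT = (
    "@echo off\r\n"
    "set BLOB=" + base64.b64encode(FAKE_PAYLOAD).decode() + "\r\n"
    "echo %BLOB% > %TEMP%\\stage.txt\r\n"
    "certutil -decode %TEMP%\\stage.txt %TEMP%\\stage.bin\r\n"
)

# A run of Base64 alphabet characters at least 64 long, optionally padded.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Strings a .NET assembly or ASP.NET page source usually contains.
DOTNET_MARKERS = (b"System.Reflection", b"mscorlib", b"System.Web", b"<%@")


def decode_run(candidate: str):
    """Strictly decode a Base64 run; return None if it is not valid Base64."""
    trimmed = candidate[: len(candidate) - (len(candidate) % 4)]
    try:
        return base64.b64decode(trimmed, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_blob(data: bytes) -> str:
    """Rough label for a decoded blob based on well-known headers."""
    if data.startswith(b"MZ"):
        return "pe"          # DOS/PE header: a native or .NET executable image
    if b"<%@" in data:
        return "aspx"        # ASP.NET page directive: likely web shell source
    if any(marker in data for marker in DOTNET_MARKERS):
        return "dotnet-text"
    return "unknown"


def scan_batch(text: str, min_decoded: int = 48):
    """Return one finding per embedded Base64 blob that decodes cleanly."""
    findings = []
    for match in B64_RUN.finditer(text):
        decoded = decode_run(match.group(0))
        if decoded is None or len(decoded) < min_decoded:
            continue
        findings.append({
            "offset": match.start(),
            "encoded_len": len(match.group(0)),
            "decoded_len": len(decoded),
            "kind": classify_blob(decoded),
            "dotnet": any(m in decoded for m in DOTNET_MARKERS),
        })
    return findings


if __name__ == "__main__":
    for finding in scan_batch(SAMPLE_BAT):
        print(finding)
```

Run it over files collected from %TEMP%, the web root and any path referenced by a suspicious scheduled task; a 64-character minimum keeps short variable values and hashes out of the results, and the strict decode discards runs that merely look like Base64.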
Inside SparrowDoor’s New Capabilities
Variant One: Smarter, Faster, More Interactive
The first variant is a refined version of the original SparrowDoor with several enhancements, including:
- Parallel command execution: time-consuming tasks such as file transfers and the interactive shell no longer block the rest of the backdoor
- Improved communication with the command-and-control (C2) server
- Thread-based architecture: each command runs in its own thread with its own connection to the C2 server
The backdoor no longer pauses while waiting for one command to finish; it can read files, send data, and respond to new operator instructions at the same time.
Real-Time Instruction Handling
“Each new command spins up a thread and connects to the C2 server with a unique command ID and victim ID,” explained ESET’s researcher Alexandre Côté Cyr.
The unique IDs let the C2 side match each incoming connection to a specific command on a specific victim, so the operator can run many tasks across many hosts without the replies getting mixed up.
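One side effect of a thread-per-command design is that a single process holds several simultaneous TCP sessions to the same C2 address. The script below, an added example that is not part of the page or of ESET's analysis, turns that into a hunt: it reads flattened outbound-session records (start, end, PID, image, destination), computes the peak number of sessions a process had open to one destination at the same instant with a sweep line, and flags anything above a threshold that is not on a browser allowlist. The session records are constructed; the image paths, addresses and the threshold of three are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real telemetry): one line per completed outbound TCP
# session, as a Sysmon Event ID 3 or EDR export might be flattened to:
# start end pid image destination   (image may contain spaces)
SAMPLE_SESSIONS = """\
2024-07-15T10:00:00Z 2024-07-15T10:05:00Z 4321 C:\\ProgramData\\update\\svc.exe 203.0.113.10:443
2024-07-15T10:00:10Z 2024-07-15T10:03:00Z 4321 C:\\ProgramData\\update\\svc.exe 203.0.113.10:443
2024-07-15T10:00:20Z 2024-07-15T10:04:00Z 4321 C:\\ProgramData\\update\\svc.exe 203.0.113.10:443
2024-07-15T10:01:00Z 2024-07-15T10:02:00Z 4321 C:\\ProgramData\\update\\svc.exe 203.0.113.10:443
2024-07-15T10:02:00Z 2024-07-15T10:02:30Z 4321 C:\\ProgramData\\update\\svc.exe 203.0.113.11:443
2024-07-15T10:00:00Z 2024-07-15T10:01:00Z 777 C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE 198.51.100.20:443
2024-07-15T10:01:00Z 2024-07-15T10:02:00Z 777 C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE 198.51.100.20:443
2024-07-15T10:00:00Z 2024-07-15T10:00:30Z 5555 C:\\Program Files\\Google\\Chrome\\chrome.exe 198.51.100.5:443
2024-07-15T10:00:01Z 2024-07-15T10:00:30Z 5555 C:\\Program Files\\Google\\Chrome\\chrome.exe 198.51.100.5:443
2024-07-15T10:00:02Z 2024-07-15T10:00:30Z 5555 C:\\Program Files\\Google\\Chrome\\chrome.exe 198.51.100.5:443
2024-07-15T10:00:03Z 2024-07-15T10:00:30Z 5555 C:\\Program Files\\Google\\Chrome\\chrome.exe 198.51.100.5:443
"""

# Browsers legitimately open several parallel connections to one host.
ALLOWLIST = frozenset({"chrome.exe", "msedge.exe", "firefox.exe"})


def parse_sessions(text: str):
    """Parse the flattened records; the image path is everything between PID and destination."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, pid, rest = line.split(None, 3)
        image, dst = rest.rsplit(None, 1)
        sessions.append((
            datetime.strptime(start, "%Y-%m-%dT%H:%M:%SZ"),
            datetime.strptime(end, "%Y-%m-%dT%H:%M:%SZ"),
            int(pid), image, dst,
        ))
    return sessions


def peak_concurrency(intervals):
    """Sweep-line maximum number of intervals open at the same instant.
    An interval that ends exactly when another starts does not overlap it."""
    events = []
    for start, end in intervals:
        events.append((start, 1))
        events.append((end, -1))
    events.sort(key=lambda e: (e[0], e[1]))   # -1 sorts before +1 on ties
    open_now = peak = 0
    for _, delta in events:
        open_now += delta
        peak = max(peak, open_now)
    return peak


def find_parallel_sessions(text: str, threshold: int = 3, allowlist=ALLOWLIST):
    """Flag (pid, image, destination) groups whose peak concurrency reaches threshold."""
    grouped = defaultdict(list)
    for start, end, pid, image, dst in parse_sessions(text):
        grouped[(pid, image, dst)].append((start, end))
    hits = []
    for (pid, image, dst), intervals in grouped.items():
        basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in allowlist:
            continue
        peak = peak_concurrency(intervals)
        if peak >= threshold:
            hits.append({"pid": pid, "image": image, "dst": dst,
                         "sessions": len(intervals), "peak": peak})
    return sorted(hits, key=lambda h: -h["peak"])


if __name__ == "__main__":
    for hit in find_parallel_sessions(SAMPLE_SESSIONS):
        print(hit)
```

Update agents, mail clients and anything using HTTP/1.1 connection pools will also trip a naive version of this rule, so allowlist by signed image rather than by name alone, and weight hits to destinations with no reputation or no DNS history far higher than hits to known SaaS ranges.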
Variant Two: A Modular Powerhouse
Introducing a Plugin-Based Structure
The second variant goes further. It breaks from the monolithic design of the original and adopts a plugin-based format in which only the capabilities the operator needs are loaded.
Think of it as a Swiss Army knife, where only the necessary tools are unfolded for a given job.
The variant ships nine plugins, each with a specific purpose:
| Module | Functionality |
| --- | --- |
| Cmd | Run single shell commands |
| CFile | File operations (read, write, delete) |
| CKeylogPlug | Record every keystroke typed |
| CSocket | Act as a TCP proxy |
| CShell | Launch an interactive shell for live commands |
| CTransf | Move files to or from the infected host |
| CRdp | Take screenshots |
| CPro | List and kill running processes |
| CFileMoniter | Watch file changes in selected folders |
This modular approach keeps the footprint on each host to the plugins actually in use, and it lets FamousSparrow add or swap capabilities without rewriting and redeploying the whole payload.
ShadowPad Joins the Party
A Tool with a Shadowy Past
ShadowPad is one of the most widely used backdoors by Chinese APTs and has previously been seen in operations against telecom, transportation, and industrial targets.
Its presence in this campaign marks the first time FamousSparrow has been seen using it, suggesting the group now has access to the same shared tooling as other China-aligned groups.
What Makes These Attacks So Dangerous?
Multi-threaded, Modular, and Difficult to Detect
The enhancements seen in these new SparrowDoor variants make detection harder on multiple fronts:
- Each command runs in its own thread and connection, so the operator spends less time per task on the host and leaves a shorter window for detection
- Plugin-based payloads load only the capabilities a given intrusion needs, shrinking the footprint on each host
- A web shell on IIS hides its traffic inside the server's normal HTTP requests
- Traffic to the C2 infrastructure is encrypted, so its content cannot be inspected on the wire
Combined, these techniques allow FamousSparrow to stay hidden longer, collect more data, and pivot laterally inside compromised networks without being spotted.
What Can Organizations Do to Defend Themselves?
Actionable Defense Steps
If you manage IT infrastructure in any sector, and especially if you operate Exchange or IIS servers, take these actions now:
- Patch Windows Server and Exchange; do not leave an internet-facing Exchange server on an unsupported build
- Restrict who can reach IIS administration and web roots, and monitor for web shell activity: new script files under the web root and POST-heavy requests to them
- Deploy behavioural endpoint detection rather than relying on signature-based AV alone
- Log and alert on batch script execution, especially scripts fetched from remote or unknown sources
- Segment the network to contain lateral movement from a compromised server
- Monitor outbound connections to unknown IPs, and flag a single process holding several concurrent sessions to the same destination
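A web shell leaves a recognisable shape in IIS access logs: a script path that receives almost nothing but POST requests, from one or two client addresses, with no Referer, while every legitimate page on the same server is reached by many clients via GETs and redirects. The hunt below is an added example, not the page's or ESET's own tooling: it parses the W3C log format using the #Fields header, builds per-path statistics, and flags script paths that fit that shape. The log lines, hostnames and the /aspnet_client/system_web/tmp.aspx path are constructed for the example; the thresholds are assumptions.

```python
from collections import defaultdict

SCRIPT_EXTS = (".aspx", ".asp", ".ashx", ".asmx", ".php")

# Constructed sample in IIS W3C format (not a real log). IIS writes spaces inside
# a field as '+' and an empty field as '-'.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-07-15 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2024-07-15 10:00:04 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) https://mail.example.com/owa/auth/logon.aspx 302 0 0 95
2024-07-15 10:00:09 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 192.0.2.11 Mozilla/5.0+(Macintosh) - 200 0 0 110
2024-07-15 10:00:12 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 192.0.2.11 Mozilla/5.0+(Macintosh) https://mail.example.com/owa/auth/logon.aspx 302 0 0 88
2024-07-15 10:00:15 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 192.0.2.12 Mozilla/5.0+(X11;+Linux) - 200 0 0 101
2024-07-15 10:01:00 10.0.0.5 GET /ecp/default.aspx - 443 admin 192.0.2.11 Mozilla/5.0+(Macintosh) https://mail.example.com/owa/ 200 0 0 140
2024-07-15 10:01:02 10.0.0.5 GET /owa/prem/16.0/resources/logo.png - 443 - 192.0.2.11 Mozilla/5.0+(Macintosh) https://mail.example.com/owa/ 200 0 0 12
2024-07-15 10:02:00 10.0.0.5 POST /aspnet_client/system_web/tmp.aspx - 443 - 203.0.113.50 python-requests/2.31 - 200 0 0 33
2024-07-15 10:02:30 10.0.0.5 POST /aspnet_client/system_web/tmp.aspx - 443 - 203.0.113.50 python-requests/2.31 - 200 0 0 41
2024-07-15 10:03:15 10.0.0.5 POST /aspnet_client/system_web/tmp.aspx - 443 - 203.0.113.50 python-requests/2.31 - 200 0 0 390
2024-07-15 10:05:40 10.0.0.5 POST /aspnet_client/system_web/tmp.aspx - 443 - 203.0.113.50 python-requests/2.31 - 200 0 0 2100
"""


def parse_iis_log(text: str):
    """Turn W3C log text into dicts keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):       # skip truncated or malformed lines
            rows.append(dict(zip(fields, parts)))
    return rows


def hunt_web_shells(rows, min_requests=3, min_post_ratio=0.8, max_clients=2):
    """Flag script paths that are POST-only, reached by few clients, never via a Referer."""
    stats = defaultdict(lambda: {"requests": 0, "posts": 0, "clients": set(),
                                 "with_referer": 0, "agents": set()})
    for row in rows:
        path = row["cs-uri-stem"].lower()
        if not path.endswith(SCRIPT_EXTS):
            continue
        s = stats[path]
        s["requests"] += 1
        s["posts"] += row["cs-method"] == "POST"
        s["clients"].add(row["c-ip"])
        s["with_referer"] += row["cs(Referer)"] != "-"
        s["agents"].add(row["cs(User-Agent)"])
    flagged = []
    for path, s in stats.items():
        ratio = s["posts"] / s["requests"]
        if (s["requests"] >= min_requests and ratio >= min_post_ratio
                and len(s["clients"]) <= max_clients and s["with_referer"] == 0):
            flagged.append({"path": path, "requests": s["requests"],
                            "post_ratio": round(ratio, 2),
                            "clients": sorted(s["clients"]),
                            "user_agents": sorted(s["agents"])})
    return sorted(flagged, key=lambda f: (-f["post_ratio"], f["path"]))


if __name__ == "__main__":
    for hit in hunt_web_shells(parse_iis_log(SAMPLE_IIS_LOG)):
        print(hit)
```

Legitimate API endpoints called from scripts match the same shape, so treat a hit as a lead and confirm it against the file system: a script under the web root that did not come from the product installer, especially one whose creating process was w3wp.exe, is the corroborating evidence.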
Why This Matters Now
This campaign is more than just another cyber incident; it is a signal of evolution. The use of ShadowPad and the shift to modular, multi-threaded backdoors mark a clear step up in efficiency and stealth for this group.
These aren’t “spray-and-pray” attacks. They’re deliberate, high-value, and methodically crafted.
FAQs
Who is FamousSparrow?
FamousSparrow is a cyber espionage group linked to China, known for using the custom backdoor SparrowDoor and now ShadowPad.
What is SparrowDoor?
SparrowDoor is a backdoor that lets attackers execute commands, manage files, take screenshots, and more. It now exists in a multi-threaded version and a plugin-based version.
What is ShadowPad?
ShadowPad is an advanced malware platform used by multiple Chinese APTs. It allows for remote control and data theft through a modular architecture.
What made this attack successful?
Attackers targeted outdated software (Exchange and Windows Server), deployed stealthy web shells, and used enhanced backdoor variants that are difficult to detect.
How can I detect SparrowDoor?
Monitor for batch scripts fetched from unknown sources, suspicious .NET activity spawned by IIS worker processes, and a single process opening several concurrent connections to one remote host. Use network traffic analysis to spot the C2 communications.
Is this part of a larger campaign?
Possibly. The use of ShadowPad suggests collaboration or resource sharing across Chinese APTs, which may signal coordinated efforts targeting critical organizations globally.