Chinese Hacking Group FamousSparrow Expands Arsenal with New SparrowDoor Variants and ShadowPad

The Chinese cyber espionage group FamousSparrow has been linked to attacks targeting a U.S. trade organization and a Mexican research institute, deploying its custom SparrowDoor backdoor alongside ShadowPad, a tool commonly used by Chinese state-sponsored actors.

New Tactics and Advanced Malware

The campaign, observed in July 2024, marks the first documented use of ShadowPad by FamousSparrow. According to cybersecurity firm ESET, which shared its findings with The Hacker News, the hackers introduced two new versions of SparrowDoor, including a modular variant with significant upgrades.

"Both versions represent considerable progress over previous iterations, enabling command parallelization for increased efficiency," ESET researchers noted.

FamousSparrow, first identified in September 2021, has a history of targeting hotels, government entities, law firms, and engineering firms. While some overlaps exist between FamousSparrow and groups like Earth Estries, GhostEmperor, and Salt Typhoon—which have previously targeted telecommunications networks—ESET treats FamousSparrow as a separate entity.

Attack Chain and Exploitation Methods

The hackers infiltrated networks by deploying a web shell on a vulnerable Microsoft IIS server. Although the initial access method remains unknown, both victims were running outdated versions of Windows Server and Microsoft Exchange, leaving them susceptible to exploitation.

From there, a batch script was executed, triggering a Base64-encoded .NET web shell, which in turn installed SparrowDoor and ShadowPad.
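The chain above ends in a Base64-encoded .NET web shell dropped on the IIS server, which is the artifact a defender can go looking for. The following scanner is an added example, not ESET's or the article's code: it walks server-side page sources, strictly decodes any long Base64 run it finds, and flags content that decodes to a PE image or is paired with assembly-loading calls. The web root contents and the embedded blobs are constructed samples, and the "img/logo.aspx" page shows why the decoded bytes are classified rather than the Base64 run alone: an inline image also produces a long Base64 string but is not a loader.

```python
"""Heuristic scan of web-root page sources for Base64-embedded .NET loaders.

Added example (not ESET's or the article's code). Assumes the defender can read
the IIS web root; every file and blob below is a constructed sample.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# A Base64 run long enough to carry an assembly rather than a token or nonce.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")
# Server-side code that turns a Base64 string into a loaded assembly.
LOADER_API = re.compile(r"Assembly\.Load\s*\(|Convert\.FromBase64String", re.IGNORECASE)

PE_MAGIC = b"MZ"
DOS_STUB = b"This program cannot be run in DOS mode"


def decode_blob(blob: str) -> Optional[bytes]:
    """Strictly decode a candidate Base64 run; None if it is not valid Base64."""
    try:
        return base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return None


def classify_payload(data: bytes) -> Optional[str]:
    """Reason string if the decoded bytes look like a PE/.NET image, else None."""
    if data.startswith(PE_MAGIC):
        return f"base64 blob decodes to a PE image (MZ header, {len(data)} bytes)"
    if DOS_STUB in data:
        return "base64 blob contains the PE DOS stub string"
    return None


def scan_source(text: str) -> List[str]:
    """Collect every reason a single page source looks like a Base64 .NET loader."""
    reasons: List[str] = []
    if LOADER_API.search(text):
        reasons.append("loader API: Assembly.Load / Convert.FromBase64String")
    for match in B64_RUN.finditer(text):
        data = decode_blob(match.group(0))
        if data is None:
            continue  # long alphanumeric run, but not decodable Base64
        reason = classify_payload(data)
        if reason:
            reasons.append(reason)
    return reasons


def scan_files(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each suspicious file name to its list of reasons; clean files are omitted."""
    findings: Dict[str, List[str]] = {}
    for name, source in files.items():
        reasons = scan_source(source)
        if reasons:
            findings[name] = reasons
    return findings


# --- constructed samples standing in for an IIS web root ---
def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


# 102 bytes shaped like the start of a PE file (not a real executable).
FAKE_ASSEMBLY = PE_MAGIC + b"\x90\x00" + b"\x00" * 56 + DOS_STUB + b".\r\n$"
# 100 bytes shaped like a PNG: a benign long Base64 run that must not be flagged.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 92

SAMPLE_WEBROOT = {
    "default.aspx": '<%@ Page Language="C#" %>\n<html><body>Welcome</body></html>\n',
    "img/logo.aspx": '<img src="data:image/png;base64,' + _b64(FAKE_PNG) + '">\n',
    "uploads/tmp.aspx": (
        '<%@ Page Language="C#" %>\n'
        '<% var asm = System.Reflection.Assembly.Load('
        'Convert.FromBase64String("' + _b64(FAKE_ASSEMBLY) + '")); %>\n'
    ),
}

if __name__ == "__main__":
    for name, reasons in scan_files(SAMPLE_WEBROOT).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run against the constructed web root, only "uploads/tmp.aspx" is reported, with both the loader-API hit and the decoded MZ header; the inline-image page decodes fine but is classified as not a PE and stays silent. In production the same two checks would be run over files in the IIS content directories and correlated with file creation times and the batch-script execution described above.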

ESET noted that the new SparrowDoor versions show similarities to Crowdoor, another malware linked to Chinese cyber operations. The upgraded backdoor now allows for simultaneous execution of multiple commands, improving efficiency in cyber espionage activities.

"When SparrowDoor receives a command, it creates a new thread that establishes a separate connection with the command-and-control (C&C) server," ESET researcher Alexandre Côté Cyr explained. "This method helps track victim activity and streamline execution."
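A backdoor that opens a fresh C&C connection per command, as described above, shows up on the host as one process holding several concurrent established sessions to the same remote endpoint. The heuristic below is an added example, not ESET's or the article's code: it takes a snapshot of connection records (constructed here, in the shape a netstat-style export would give), counts established sessions per process and remote endpoint, and reports those over a threshold. The allowlist of processes expected to fan out (browsers) and the threshold of three are assumptions to be tuned against a real baseline.

```python
"""Flag processes with many concurrent established connections to one C&C endpoint.

Added example (not ESET's or the article's code). The snapshot is constructed;
remote addresses use documentation ranges (203.0.113.0/24, 198.51.100.0/24).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Conn:
    pid: int
    process: str
    remote: str  # "ip:port" as a connection-table export would give it
    state: str


# Assumed allowlist: processes that legitimately hold many sessions to one host.
KNOWN_FANOUT: Set[str] = {"msedge.exe", "chrome.exe", "firefox.exe"}


def find_fanout(conns: Iterable[Conn], threshold: int = 3,
                allow: Set[str] = KNOWN_FANOUT) -> List[Dict[str, object]]:
    """Return one finding per (pid, remote) with >= threshold ESTABLISHED sessions.

    Only established sessions count; TIME_WAIT and other half-closed states are
    ignored so a busy but well-behaved client does not trip the rule.
    """
    counts: Dict[Tuple[int, str], int] = defaultdict(int)
    names: Dict[int, str] = {}
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        counts[(c.pid, c.remote)] += 1
        names[c.pid] = c.process
    findings: List[Dict[str, object]] = []
    for (pid, remote), n in sorted(counts.items()):
        if n >= threshold and names[pid].lower() not in allow:
            findings.append({"pid": pid, "process": names[pid],
                             "remote": remote, "connections": n})
    return findings


# Constructed snapshot: one process with five parallel sessions to a single
# endpoint (the pattern a per-command connection model would produce), a
# browser with similar fan-out to a CDN, and ordinary single sessions.
CONSTRUCTED_SNAPSHOT: List[Conn] = (
    [Conn(4120, "svchost.exe", "203.0.113.10:443", "ESTABLISHED")] * 5
    + [Conn(4120, "svchost.exe", "203.0.113.10:443", "TIME_WAIT")]
    + [Conn(2208, "msedge.exe", "198.51.100.7:443", "ESTABLISHED")] * 6
    + [Conn(1000, "outlook.exe", "198.51.100.20:443", "ESTABLISHED")]
)

if __name__ == "__main__":
    for finding in find_fanout(CONSTRUCTED_SNAPSHOT):
        print(finding)
```

On the constructed snapshot only PID 4120 is reported (five established sessions to 203.0.113.10:443); the browser is allowlisted and the TIME_WAIT entry does not raise the count. The rule is deliberately coarse: it is a triage signal to pair with the process's parent (a web-server worker spawning it would be far more telling) and with the endpoint's reputation, not a verdict on its own.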

SparrowDoor’s Capabilities and Modular Features

SparrowDoor provides comprehensive control over compromised systems, enabling attackers to:

  • Create proxies for covert communication

  • Run interactive shell sessions

  • Access, modify, or delete files

  • Map the file system

  • Extract system details

  • Self-uninstall to evade detection

One variant of SparrowDoor also introduced a modular framework, incorporating nine distinct plugins:

  1. Cmd – Executes single commands

  2. CFile – Manages file system operations

  3. CKeylogPlug – Captures keystrokes

  4. CSocket – Launches a TCP proxy

  5. CShell – Initiates interactive shell sessions

  6. CTransf – Transfers files between infected hosts and the C&C server

  7. CRdp – Captures screenshots

  8. CPro – Lists running processes and terminates specific ones

  9. CFileMoniter – Tracks file system changes in selected directories

Continued Evolution of FamousSparrow

ESET’s findings confirm that FamousSparrow remains active and continues to enhance its cyber capabilities, refining SparrowDoor into a more versatile and persistent threat.

"This activity confirms that not only is the group still operational, but it has also been actively refining SparrowDoor, making it more powerful and adaptable," ESET concluded.

The emergence of these advanced tools highlights China’s continued investment in cyber espionage and the persistent threat posed by state-backed hacking groups.