China’s FamousSparrow APT Hits Americas with SparrowDoor Malware
A recent ESET investigation reveals that China-linked APT group FamousSparrow (also known as Salt Typhoon) has launched a new cyberespionage campaign targeting organizations in the Americas with upgraded versions of its SparrowDoor malware. The campaign, detected in July 2024, compromised a U.S. financial trade group, a Mexican research institute, and a Honduran government institution. Notably, this marks the first documented case of FamousSparrow using ShadowPad, a backdoor exclusively provided to China-aligned threat actors. The attack chain began with webshell deployment on IIS servers, likely exploiting vulnerabilities in outdated Windows Server and Microsoft Exchange systems, followed by privilege escalation and the use of a sophisticated "trident loading scheme" to execute SparrowDoor. Though ESET researchers maintain that FamousSparrow is distinct from the GhostEmperor and Earth Estries groups, they acknowledge code overlaps that might indicate a shared third-party supplier of digital tools.