You will always remember this as the day you finally caught FamousSparrow
March 26, 2025, 8:51 p.m.
Description
ESET researchers uncovered new activity by the FamousSparrow APT group, including two previously undocumented versions of its SparrowDoor backdoor. In July 2024 the group compromised a US financial sector trade group and a Mexican research institute. The new SparrowDoor versions show significant improvements in code quality and architecture, including the parallel execution of commands. FamousSparrow also used the ShadowPad backdoor for the first time. The analysis revealed links between FamousSparrow and other China-aligned threat actors such as Earth Estries. The group's continued development of tools during a period of apparent inactivity suggests it remained active but undetected from 2022 to 2024.
Date
- Created: March 26, 2025, 8:15 p.m.
- Published: March 26, 2025, 8:15 p.m.
- Modified: March 26, 2025, 8:51 p.m.
Indicators
Attack Patterns
- HemiGate
- SparrowDoor
- ShadowPad - S0596
- FamousSparrow
- T1608.002
- T1588.001
- T1608.001
- T1587.001
- T1583.004
- T1078.002
- T1505.003
- T1055.001
- T1543.003
- T1588.002
- T1588.005
- T1574.002
- T1059.003
- T1059.001
- T1547.001
- T1106
- T1047
- T1055
- T1584
- T1190
- T1068
Additional Information
- Finance
- Government
- Honduras
- Mexico
- United States of America