{
	"id": "6e6338bb-1b72-47cc-a392-4b2ff28871ab",
	"created_at": "2026-04-06T00:17:27.223258Z",
	"updated_at": "2026-04-10T13:11:57.330653Z",
	"deleted_at": null,
	"sha1_hash": "9a6706736182cf245fd77cc3bef5764d95db16a6",
	"title": "You will always remember this as the day you finally caught FamousSparrow",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 282807,
	"plain_text": "You will always remember this as the day you finally caught\r\nFamousSparrow\r\nBy Alexandre Côté Cyr\r\nArchived: 2026-04-05 20:37:39 UTC\r\nIn July 2024, ESET Research noticed suspicious activity on the system of a trade group in the United States that\r\noperates in the financial sector. While helping the affected entity remediate the compromise, we made an\r\nunexpected discovery in the victim’s network: malicious tools belonging to FamousSparrow, a China-aligned APT\r\ngroup. There had been no publicly documented FamousSparrow activity since 2022, so the group was thought to\r\nbe inactive. Not only was FamousSparrow still active during this period, it must have also been hard at work\r\ndeveloping its toolset, since the compromised network revealed not one, but two previously undocumented\r\nversions of SparrowDoor, FamousSparrow’s flagship backdoor.\r\nBoth of these versions of SparrowDoor constitute marked progress over earlier ones, especially in terms of code\r\nquality and architecture. One of them resembles the backdoor that researchers at Trend Micro called CrowDoor\r\nand attributed to the Earth Estries APT group in November 2024. The other is modular and significantly different\r\nfrom all previous versions. This campaign is also the first documented time FamousSparrow used ShadowPad, a\r\nprivately sold backdoor, known to only be supplied to China-aligned threat actors.\r\nWe further discovered that, as part of this campaign, the threat actor managed to breach a research institute in\r\nMexico just a couple of days prior to the compromise in the US.\r\nWhile setting up tracking based on what we discovered in these attacks, we uncovered additional activity by the\r\ngroup between 2022 and 2024, which we’re still investigating. 
Among others, it targeted a governmental\r\ninstitution in Honduras.\r\nThis blogpost provides an overview of the toolset used in the July 2024 campaign, focusing on the undocumented\r\nversions of the SparrowDoor backdoor that we discovered at the US victim.\r\nKey points of this blogpost:\r\nESET researchers discovered that FamousSparrow compromised a trade group for the financial\r\nsector in the United States and a research institute in Mexico.\r\nFamousSparrow deployed two previously undocumented versions of the SparrowDoor backdoor,\r\none of them modular.\r\nBoth versions constitute considerable progress over previous ones and implement parallelization\r\nof commands.\r\nThe APT group was also observed using the ShadowPad backdoor for the first time.\r\nWe discuss Microsoft Threat Intelligence’s attribution claims linking FamousSparrow to Salt\r\nTyphoon.\r\nhttps://www.welivesecurity.com/en/eset-research/you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow/\r\nPage 1 of 21\n\nFamousSparrow is a cyberespionage group with ties to China, active since at least 2019. We first publicly\r\ndocumented the group in a 2021 blogpost when we observed it exploiting the ProxyLogon vulnerability. The\r\ngroup was initially known for targeting hotels around the world, but has also targeted governments, international\r\norganizations, engineering companies, and law firms. FamousSparrow is the only known user of the SparrowDoor\r\nbackdoor.\r\nEven though FamousSparrow seemed inactive at the time of our discovery, we attribute this activity to the group\r\nwith high confidence. The deployed payloads are new versions of SparrowDoor, a backdoor that appears to be\r\nexclusive to this group. While these new versions exhibit significant upgrades in code quality and architecture,\r\nthey can still be traced back directly to earlier, publicly documented versions. 
The loaders used in these attacks\r\nalso present substantial code overlaps with samples previously attributed to FamousSparrow. Notably, they use the\r\nsame reflective loader shellcode as the libhost.dll loader sample described in a report from February 2022\r\npublished by the UK National Cyber Security Centre (NCSC). Its configuration also shares the same specific\r\nformat, except for the encryption key which is instead hardcoded in the loader and backdoor. XOR encryption has\r\nalso been replaced with RC4.\r\nAdditionally, C\u0026C server communications use a format very similar to that used in previous SparrowDoor\r\nversions.\r\nIn 2021, Kaspersky researchers wrote about a threat actor they track as GhostEmperor. Despite some\r\ninfrastructure overlap with FamousSparrow, we track them as separate groups. In August 2023, Trend Micro noted\r\nthat some FamousSparrow TTPs overlap with those of Earth Estries. We have also observed code overlaps\r\nbetween SparrowDoor and that group’s HemiGate. These are discussed in more detail in the Plugins section. We\r\nbelieve that the two groups overlap at least partially, but we do not have enough data to fully assess the nature and\r\nextent of the link between the two groups.\r\nFamousSparrow and Salt Typhoon\r\nBefore we dive into the analysis of FamousSparrow’s toolset, we want to discuss our position on the links between\r\nFamousSparrow and Salt Typhoon made by Microsoft Threat Intelligence.\r\nIn September 2024, the Wall Street Journal published an article (the article is behind a paywall) reporting that\r\ninternet service providers in the United States had been compromised by a threat actor named Salt Typhoon. The\r\narticle relays claims by Microsoft that this threat actor is the same as FamousSparrow and GhostEmperor. It is the\r\nfirst public report that conflates the latter two groups. However, as we already stated, we see GhostEmperor and\r\nFamousSparrow as two distinct groups. 
There are few overlaps between the two but many discrepancies. Both\r\nused 27.102.113[.]240 as a download server in 2021. Both groups were also early exploiters of the ProxyLogon\r\nvulnerability (CVE-2021-26855) and have used some of the same publicly available tools. However, besides these\r\npublicly available tools, each threat actor has its own custom toolset.\r\nSince that initial publication, researchers at Trend Micro have added Earth Estries to the list of groups that are\r\nlinked to Salt Typhoon. As of this writing, Microsoft, who created the Salt Typhoon cluster, has not published any\r\ntechnical indicators or details about TTPs used by the threat actor, nor provided an explanation for this attribution.\r\nTo avoid further muddying the waters, we will keep tracking the cluster of activity we see as directly linked to\r\nSparrowDoor as FamousSparrow until we have information necessary to reliably assess these attribution claims.\r\nBased on our data and analysis of the publicly available reports, FamousSparrow appears to be its own distinct\r\ncluster with loose links to the others mentioned in this section. 
We believe those links are better explained by\r\npositing the existence of a shared third party, such as a digital quartermaster, than by conflating all of these\r\ndisparate clusters of activity into one.\r\nTechnical Analysis\r\nIn order to gain initial access to the affected network, FamousSparrow deployed a webshell on an IIS server.\r\nWhile we were unable to determine the exact exploit used to deploy the webshells, both victims were running\r\noutdated versions of Windows Server and Microsoft Exchange, for which there are several publicly available\r\nexploits.\r\nAs for the toolset used in the campaign, the threat actor employed a mix of custom tools and malware along with\r\nthose shared by China-aligned APT groups, as well as from publicly available sources. The final payloads were\r\nSparrowDoor and ShadowPad. Figure 1 provides an overview of the compromise chain deployed in the attacks.\r\nFigure 1. Overview of the compromise chain used in this FamousSparrow campaign\r\nThe threat actor initially downloaded a batch script over HTTP from a download server, 43.254.216[.]195. This\r\nscript contains a base64-encoded .NET webshell that it writes to C:\\users\\public\\s.txt. It then decodes it using\r\ncertutil.exe and saves the decoded output to C:\\users\\public\\s.ashx. An ASHX module is a type of HTTP handler\r\nfor ASP.NET. Although similar to ASPX modules, ASHX modules do not include any user interface components.\r\nThe script then walks through drives C: to I:, and P:, to find the installation directory of DotNetNuke; it then\r\ncopies the ASHX webshell to \u003cDotNetNuke_directory\u003e\\DesktopModules\\DotNetNuke.ashx.\r\nThe webshell itself is fairly generic and doesn’t use anything specific to DotNetNuke. All the data it receives, and\r\nreturns, is AES encrypted with the hardcoded key e2c99096bcecd1b5. 
On first request, it expects a .NET PE file.\r\nThis executable file is loaded into memory and saved in a session variable. On subsequent requests, an instance of\r\nthe LY class contained within that .NET assembly is created and the data received is passed to its Equals method.\r\nWe did not collect any payload sent to this webshell, but it’s obvious that the Equals method does not follow the\r\ntypical contract.\r\nIn the cases we observed, this was used to spawn an interactive remote PowerShell session. Once this session was\r\nestablished, attackers used legitimate Windows tools to obtain information about the host and the Active Directory\r\ndomains to which it was joined. They then downloaded PowerHub, an open-source post-exploitation framework,\r\nfrom an attacker-controlled server and used the BadPotato privilege-escalation technique to gain SYSTEM\r\nprivileges. This exploit is not present in the framework, but it appears that the group added the open-source\r\nInvoke-BadPotato module to its deployment of PowerHub. Finally, the attacker used PowerShell’s built-in Invoke-WebRequest to download three files from the same server that comprise SparrowDoor’s trident loader.\r\nIn a process very similar to the one described in 2022 by the UK NCSC, the aforementioned files use a trident\r\nloading scheme to execute SparrowDoor. In this instance, the executable used for DLL side-loading is a legitimate\r\nversion of K7AntiVirus Messenger Scanner named K7AVMScn.exe, while the malicious DLL and encrypted\r\npayload files are named K7AVWScn.dll and K7AVWScn.doc, respectively. 
The payload file is encrypted using an\r\nRC4 key that is hardcoded in both the loader and the resulting decrypted payload, but which varies across\r\nsamples.\r\nThe decrypted payload consists of a custom configuration and reflective loader shellcode almost identical to that\r\ndescribed by the UK NCSC, with the only difference being that the first field, which contained the four-byte XOR\r\nkey, has been removed. The last 202 bytes of the file are encrypted separately, but using the same RC4 key, and\r\ncontain the C\u0026C server configuration.\r\nSparrowDoor\r\nAs stated, we observed two new versions of SparrowDoor used in these attacks. The first one is very similar to\r\nwhat was called CrowDoor by researchers at Trend Micro, in an article published in November 2024 about Earth\r\nEstries. This malware was first documented by researchers at ITOCHU and Macnica in a presentation at\r\nVirusBulletin in 2023. From our perspective, these are part of the continued development effort on SparrowDoor\r\nrather than a different family. We can follow the evolution from the first version we described in 2021, through the\r\nones referred to as CrowDoor, to the modular version we analyze in the later part of this blogpost.\r\nBoth versions of SparrowDoor used in this campaign constitute considerable advances in code quality and\r\narchitecture compared to older ones. The most significant change is the parallelization of time-consuming\r\ncommands, such as file I/O and the interactive shell. This allows the backdoor to continue handling new\r\ncommands while those tasks are performed. We will explain the procedure later in the blogpost when we discuss\r\nthe commands in detail.\r\nJust like in previous versions, the behavior of the backdoor varies depending on the command line argument\r\npassed to it. 
These are listed in Table 1.\r\nTable 1. Command line arguments for SparrowDoor\r\nArgument Behavior\r\nNo argument Establish persistence.\r\n11 Process hollowing of colorcpl.exe.\r\n22 Main backdoor operation.\r\nWhen executed without any arguments, the malware establishes persistence. It first tries to do so by creating a\r\nservice named K7Soft that is set to run automatically on startup. If this fails, a registry Run key with the same\r\nname is used instead. In both cases, the persistence mechanism is set to execute the backdoor with a command line\r\nargument of 11. It is also launched immediately with that same argument using the StartServiceA or\r\nShellExecuteA API.\r\nWhen executed with the argument 11, the backdoor launches the Windows color management tool (colorcpl.exe)\r\nwith a command line argument of 22 and injects its loader into the newly created process.\r\nIt is only when the command line argument is set to 22 that the backdoor actually executes its main payload.\r\nAfter SparrowDoor is executed in this backdoor mode, it terminates, in a roundabout way, any other already\r\nrunning instances. The backdoor uses the K32EnumProcesses API to iterate through the process IDs (PIDs) of all\r\nrunning processes and tries to create a mutex named Global\\ID(\u003cPID\u003e). PIDs of 15 or less are skipped, likely as a\r\nway to exclude killing some essential system processes. If the mutex already exists, the process is terminated.\r\nOtherwise, the mutex is closed immediately. When SparrowDoor is done iterating through the PIDs, it creates a\r\nnew mutex using the same name format and its own PID.\r\nThe backdoor then reads the last 202 bytes from the encrypted payload file and decrypts them using the same RC4\r\nkey used by the loader. 
The resulting plaintext is the C\u0026C server configuration, which consists of three pairs of\r\naddresses and ports, followed by four numeric values that, respectively, represent the number of days, hours,\r\nminutes, and seconds the backdoor should wait after all configured C\u0026C servers have been tried. This is related to\r\nthe functionality we describe later while talking about the command the backdoor uses for changing the C\u0026C\r\nconfiguration.\r\nAfter loading this configuration, the backdoor will try to connect to the first server. If it is unable to connect or if\r\nthe C\u0026C server issues a command that causes execution to exit the main command loop, SparrowDoor will try to\r\nconnect to the next server, and so on. Once the last server in the configuration has been tried, the backdoor will\r\nsleep for the defined time (six minutes in the sample we analyzed), reload the configuration, and then repeat the\r\nprocess. Note that, during this time, SparrowDoor does not respond to commands. However, the parallelized\r\ncommands that were already running will keep doing so until they complete, encounter an error, or are terminated\r\nby the server.\r\nThe backdoor uses two classes to manage its connections: the abstract CBaseSocket and its child class\r\nCTcpSocket. These are essentially wrappers around Winsock TCP sockets. While the class names are generic and\r\nfollow the same naming convention used in the Microsoft Foundation Class Library (MFC), the code they contain\r\nappears to be custom.\r\nSparrowDoor uses an integer value as a victim or session identifier. This is sent to the C\u0026C server when it\r\nrequests information about the host and whenever a new socket is created. 
The value is read from the\r\nHKLM\\Software\\CLASSES\\CLSID\\ID registry key, falling back to the same path in the HKCU hive if there’s an\r\nissue. If it is not present, the identifier is derived from the machine’s performance counter and written to the\r\naforementioned registry key. Although the value itself is benign, the use of this nonstandard registry key presents a\r\ndetection opportunity. Indeed, the name of any registry key under Software\\Classes\\CLSID\\ should be a valid\r\nCLSID, which are represented as a GUID surrounded by curly brackets. While it is not necessarily an indicator of\r\nmaliciousness, the presence of keys with nonstandard names under CLSID is unusual.\r\nCommands\r\nThe first version of SparrowDoor used in this campaign supports more commands, described in Table 2, than\r\npreviously documented versions. While the command IDs are different from those used in the version analyzed by\r\nTrend Micro, the order and offset between IDs are the same. We have not had access to that sample, so we cannot\r\ntell whether the additional commands were absent or simply not publicly documented by the authors.\r\nAs previously mentioned, some of the commands have been parallelized. When the backdoor receives one of these\r\ncommands, it creates a thread that initiates a new connection to the C\u0026C server. The unique victim ID is then sent\r\nover the new connection along with a command ID indicating the command that led to this new connection. This\r\nallows the C\u0026C server to keep track of which connections are related to the same victim and what their purposes\r\nare. Each of these threads can then handle a specific set of subcommands. To limit its complexity, Table 2 does not\r\ninclude these subcommands; we will go over them separately.\r\nTable 2. Main commands implemented by SparrowDoor\r\nCommand ID Description Received data Sent data\r\n0x32341122 Initial connection. No message Empty\r\n0x32341123 Send host information. 
Empty\r\n· IP address,\r\n· unique ID,\r\n· OS build number,\r\n· OS major version number,\r\n· OS minor version number,\r\n· computer name, and\r\n· username.\r\n0x32341124\r\nStart interactive shell session\r\n(parallel).\r\nEmpty See the Interactive shell subsection.\r\n0x32341127\r\nSleep, then move to the next\r\nserver in the configuration.\r\nMinutes to sleep. No response\r\n0x32341128\r\nUninstall backdoor and clean\r\nup.\r\nEmpty No response\r\n0x32341129\r\nGet current network\r\nconfiguration.\r\nEmpty Network configuration structure.\r\n0x3234112A Set network configuration.\r\nNetwork\r\nconfiguration\r\nstructure.\r\nNo response\r\n0x3234112B\r\nExecute loader with the\r\ncommand line argument 11\r\nand terminate the current\r\nprocess.\r\nEmpty No response\r\n0x3234112D File I/O (parallel). Operation ID. See the File operations section.\r\n0x32341131\r\nGet information about\r\nconnected drives.\r\nEmpty\r\nArray of 26 bytes representing the\r\ndrive type of all drives from A: to Z:\r\nas returned by GetDriveTypeW.\r\n0x32341132 List files. Directory path.\r\nFile information, one response per\r\nfile. See the File listing section.\r\n0x32341135 Create directory. Directory path. No response\r\n0x32341136 Move or rename file.\r\n· Source path\r\nlength,\r\n· source path,\r\n· destination path\r\nlength, and\r\n· destination\r\npath.\r\nNo response\r\n0x32341137 Delete file. File path. No response\r\n0x32341138 Start proxy. Empty See the Proxy subsection.\r\nAll communication between the malware and its C\u0026C server uses the same base packet format, defined in Figure\r\n2. 
The format of the data section depends on the command sent, and can be empty. In most cases, responses use\r\nthe ID of the command to which the backdoor is responding. There are, however, some exceptions; we will\r\ndescribe these when talking about the relevant commands in detail.\r\nFigure 2. Base packet format used for network communication\r\nInteractive shell\r\nUpon receiving the interactive shell command, SparrowDoor spawns a new thread and socket as previously\r\ndescribed, and performs all the following actions within this thread using the new socket. First, the backdoor\r\nsends back an acknowledgment message with command ID 0x32341125 and the unique victim ID in the data\r\nfield. It then spawns a cmd.exe process and uses a pair of threads and named pipes to relay commands and their\r\noutput between the C\u0026C server and the shell. The named pipe \\\\.\\pipe\\id2\u003caddress\u003e is used to pass commands\r\nreceived from the C\u0026C server to the shell and \\\\.\\pipe\\id1\u003caddress\u003e is used for the resulting output on STDOUT\r\nand STDERR. In both instances, \u003caddress\u003e is the memory address, in decimal form, of the CTcpSocket instance.\r\nThese commands use the ID 0x32341126 and the data is, respectively, the command line to be executed and the\r\nraw output. If the backdoor receives a message with the command ID set to any other value, the interactive shell\r\nsession is terminated.\r\nChanging the C\u0026C configuration\r\nThe C\u0026C configuration is kept in the encrypted payload file. If the backdoor receives the command to change this\r\nconfiguration (0x3234112A), the received structure is RC4 encrypted and then the last 202 bytes of the encrypted\r\nfile are overwritten with the result. Interestingly, the configuration is not automatically reloaded. As we explained\r\npreviously, the configuration is only reloaded when all three configured servers have been tried. 
To forcibly reload\r\nthe configuration, the server can issue the 0x32341127 command or an invalid command, both of which will cause\r\nSparrowDoor to exit the command loop and move to the next server. The configuration is also reloaded if the\r\nbackdoor is relaunched, such as by using the 0x3234112B command.\r\nFile operations\r\nAs with other commands processed in parallel, everything here is performed in a new thread using a new socket.\r\nSparrowDoor sends an acknowledgment message with the same ID as the original command. The body of this\r\nmessage contains the unique ID of the victim and the operation ID sent by the C\u0026C server. This operation ID does\r\nnot appear to have any meaning, and is probably only used by the server to link the connection to the file\r\noperation command if multiple such commands are performed in parallel. Command IDs 0x3234112E and\r\n0x3234112F are used, respectively, for file reads and writes.\r\nFor a file read, the message body contains the starting offset, the size to be read, and the path to the file. If the\r\nrequested read goes past the end of the file, it causes an error and no response is sent. Otherwise, the malware\r\nreads the file in chunks of 4 kB, each of which is sent in the body of a message with the command ID\r\n0x32341130.\r\nThe process is similar for a file write. The initial message from the C\u0026C contains the total size of the data to be\r\nwritten followed by the target file path. Interestingly, the write is only performed if this size is greater than the\r\ncurrent size of the target file. The data is then sent by the C\u0026C server in chunks of 4 kB, using the same command\r\nID of 0x32341130.\r\nFile listing\r\nWhen the file listing command is received, the backdoor first sends back an acknowledgment message with the\r\ncommand ID 0x32341133. 
It then uses the FindFirstFileW and FindNextFileW API functions to iterate, non-recursively, through files in the target directory. For each file, SparrowDoor sends one message, with the same\r\ncommand ID as the list file command (0x32341132) and the information described in Figure 3. Note that, even\r\nthough the length of the filename isn’t specified directly, it can be obtained by subtracting the size of the rest of\r\nthe fields (0x16) from the data_length value in the header.\r\nFigure 3. Format of the information sent for each listed file\r\nOnce the iteration is done, a message with command ID 0x32341134 and no data is sent to indicate that the file\r\nlisting operation has completed successfully.\r\nProxy\r\nThis functionality allows the backdoor to act as a TCP proxy between the C\u0026C server and an arbitrary machine.\r\nAs with other commands processed in parallel, the following is done in a new thread using its own socket.\r\nSparrowDoor sends an acknowledgment message with the same ID as the original command; the body of this\r\nmessage contains the unique ID of the victim. Command ID 0x32341139 is then sent by the server to actually\r\ninitiate the proxy. The proxy functionality is achieved by creating two new sockets, one connected to the C\u0026C\r\nserver and another connected to an address and port provided by the server on that new connection. SparrowDoor\r\nthen uses a pair of Winsock structures and events to keep track of incoming packets and relay them between the\r\ntwo parties. The addition of proxy functionality to SparrowDoor may be a hint that the group is following the\r\ntrend of China-aligned threat actors building and using operational relay box (ORB) networks.\r\nModular SparrowDoor\r\nThe modular version of SparrowDoor is significantly different from the previous ones. 
On the network\r\ncommunication side, the command header is sent separately from the body and that data is RC4 encrypted with\r\nthe hardcoded key iotrh^%4CFGTj. The custom classes used for network communication in this version still use\r\nWinsock TCP sockets and are very similar to those we mentioned previously – the most notable difference being\r\nthat the child class is deceptively named CShttps instead of CTcpSocket. As seen in Table 3, of the commands\r\npresent in previous versions of SparrowDoor, this one only implements the commands that relate to managing the\r\nC\u0026C configuration and uninstalling the backdoor. Information about the host machine is sent automatically after\r\nthe initial connection message and includes a list of installed security products in addition to what was sent in\r\nprevious versions.\r\nAll of the other commands are related to the handling of plugins. We believe that the removed functionality has\r\nsimply been moved to one or more modules. While we have yet to observe any such plugin, we can share insights\r\nbased on our analysis of the code that implements this functionality.\r\nTable 3. Commands implemented in the modular version of SparrowDoor\r\nCommand ID Response ID Description\r\nN/A 0x136433 Initial connection.\r\nN/A 0x0A4211 Send host information.\r\n0x3A72 0x0A4214 Get current network configuration.\r\n0x3A73 No response Set network configuration.\r\n0x3A75 0x136434\r\nInitiate plugin command loop. See the Plugins subsection.\r\n0x3A76 0x136435 / 0x0A4217\r\n0x3A77 0x136435 / 0x0A421F\r\n0x3A78 0x136435 / 0x0A4221\r\n0x3A7B 0x136435 / 0x0A4228\r\n0x3A7A No response Uninstall backdoor and clean up.\r\nPlugins\r\nInstalled plugins are referenced via a standard C++ list; each entry consists of a bitmask and a handler function\r\naddress. 
The bitmask is used to determine which command IDs are handled by the plugin and corresponds to the\r\nlow nibble of the third byte of the command ID (i.e., CommandID \u0026 0xF0000).\r\nThis version of SparrowDoor can use five different command IDs to invoke plugin commands. Of those, three\r\n(0x3A76, 0x3A77, and 0x3A7B) follow almost exactly the same path in the code – the only difference being the\r\nresponse ID of the acknowledgment message. There are some very minor differences in the handshake process\r\nbetween this set of commands and the other two. However, in all cases, the command is parallelized using the\r\nsame method we described in the Commands section. On the new socket, the backdoor sends the corresponding\r\nresponse ID, the unique host ID, and the data it initially received from the C\u0026C server. This data appears to\r\nfunction like the operation ID mentioned in the File operations section. After this handshake is completed, all five\r\ncommands call the same function to actually handle the plugin command. This function receives the command ID\r\nand data from the C\u0026C server, then iterates through installed plugins to dispatch the command to the correct\r\nhandler. The process is repeated until the backdoor receives an incorrectly formatted command message.\r\nBy default, only one plugin, with a bitmask of 0x10000, is installed. This plugin handles the installation of new\r\nplugins sent by the C\u0026C server. Plugins are sent by the server as PE files and are never stored on disk. Coupled\r\nwith the reduced function set present in the base backdoor, this is probably meant to evade detection. After such a\r\nplugin is received, it is manually mapped in memory and its fmain export is called. This function returns a pointer\r\nto a structure containing the address of a function that returns the bitmask for the plugin and the address of the\r\nhandler function. 
If no installed plugin has the same bitmask, the newly received plugin is added to the list.\r\nLinks to previous versions\r\nWe have also identified older samples that present significant code overlaps with this modular version, including\r\nsimilar code to handle plugins. These samples correspond to the backdoor that Trend Micro named HemiGate in\r\nan August 2023 article. Some of the samples even use the same RC4 key mentioned in that article. Rather than\r\nbeing sent by the C\u0026C, plugins are implemented as C++ classes inheriting from an abstract class named\r\nPluginInterface. These plugins follow the same pattern described in the previous paragraph: they have a method\r\nthat returns a bitmask, used to dispatch commands, and a second method to handle commands. We believe that\r\nHemiGate represents an earlier step in the evolution of the modular backdoor. Thus, it is likely that the plugins\r\ncontained therein are representative of those used in the more recent modular version. Table 4 presents an\r\noverview of the plugins and their functionality.\r\nTable 4. Summary of plugins contained in HemiGate\r\nBitmask Class name Description\r\n0x20000 Cmd Run a single command.\r\n0x30000 CFile File system operations.\r\n0x40000 CKeylogPlug Keylogger functionality.\r\n0x50000 CSocket5\r\nTCP proxy. This is very similar to the functionality described earlier in the\r\nProxy section.\r\n0x60000 CShell Interactive shell.\r\n0x70000 CTransf File transfer between the client and C\u0026C server.\r\n0x80000 CRdp Take screenshots.\r\n0xA0000 CPro\r\n· List running processes.\r\n· Kill a process.\r\n0xC0000 CFileMoniter Monitor file system changes for specified directories.\r\nThese similarities are evidence that the cluster we track as FamousSparrow at least partially overlaps with Earth\r\nEstries. 
Since HemiGate pre-dates both versions of SparrowDoor detailed earlier in this report, it may also be an\r\nindication that the modular and the parallelized versions of SparrowDoor are being developed in parallel.\r\nShadowPad\r\nAfter SparrowDoor was detected in the US victim’s network, it was used to execute an MFC-based loader bearing\r\nsimilarities to the ShadowPad loaders previously documented by Cisco Talos.\r\nThis ShadowPad loader is a DLL named imjp14k.dll, meant to be loaded via DLL side-loading by the more-than-14-year-old, legitimate, outdated version of the Microsoft Office IME executable, imecmnt.exe, renamed to\r\nimjp14k.exe. The loader first checks whether its current process is the expected side-loading host by performing\r\npattern matching at offset 0xE367 in-memory. Once this validation succeeds, the malicious DLL decrypts the file\r\nnamed imjp14k.dll.dat that is located in the same directory as the DLL and its side-loading host. Finally, the\r\ndecrypted payload is injected into a wmplayer.exe process (Windows Media Player).\r\nEven though we did not retrieve the encrypted payload, an in-memory ShadowPad detection occurred in a\r\nwmplayer.exe process, with imjp14k.exe as its parent process. Furthermore, it connected to a ShadowPad C\u0026C\r\nserver (IP: 216.238.106[.]150). 
While we didn’t observe any ShadowPad sample using it, one of the SparrowDoor\r\nC\u0026C servers had a TLS certificate matching a known ShadowPad fingerprint.\r\nAdditionally, we detected ShadowPad loaders and the ShadowPad backdoor in memory on several machines in the\r\nvictim’s network.\r\nNote that this is the first time we have observed FamousSparrow making use of the ShadowPad backdoor.\r\nOther tools\r\nDuring the compromise, in addition to the various malware mentioned above, we also observed the following\r\nbeing used by the threat actor:\r\n· A basic batch script that dumps the registry with the following commands:\r\n  reg save HKLM\\SYSTEM C:\\users\\public\\sys.hiv\r\n  reg save HKLM\\SAM C:\\users\\public\\sam.hiv\r\n  reg save hklm\\security C:\\users\\public\\security.hiv\r\n· Impacket or NetExec, detected by our firewall, but we have not collected any of the commands.\r\n· A loader for a version of the open-source Spark RAT that was modified to include code from an open-source Go\r\nshellcode loader.\r\nWe also noticed the use of a tool to dump LSASS memory with the undocumented MiniDumpW API function.\r\nThis tool is split into two DLLs stored on disk as %HOME%\\dph.dll and %WINDIR%\\SysWOW64\\msvc.dll. The\r\nlatter is probably meant to blend in with the legitimate libraries for Microsoft Visual C++ (MSVC) that are stored\r\nin the same directory. The former is loaded via a legitimate version of VLC’s cache generator (vlc-cache-gen.exe), renamed to dph.exe, and imports functions from the latter. 
Since VLC plugins can be native DLLs, its\r\ncache generator naturally contains code to load and execute such libraries.\r\nNetwork infrastructure\r\nThe ShadowPad C\u0026C server uses a self-signed TLS certificate, with a SHA-1 fingerprint of\r\nBAED2895C80EB6E827A6D47C3DD7B8EFB61ED70B, that attempts to spoof those used by Dell. This follows\r\nthe format that was described by Hunt Intelligence in an article from February 2024. While this pattern can be\r\nused to track ShadowPad servers, it is not linked to any specific threat actor. One of the C\u0026C servers used by\r\nSparrowDoor (45.131.179[.]24:80) had a TLS certificate, on port 443, with the same Common Name (CN) as the\r\ncertificate used by the aforementioned ShadowPad C\u0026C server. This server is also the only one that was present\r\nin both versions of SparrowDoor.\r\nWe observed three unique SparrowDoor C\u0026C servers in this campaign, all of which used port 80. The modular\r\nsample was configured with amelicen[.]com as its third C\u0026C server. When the sample was first detected, this\r\ndomain pointed to the IP address mentioned in the previous paragraph. One of the C\u0026C servers configured in the\r\nmodular sample (43.254.216[.]195:80) was also used by the SparrowDoor loader. This is strange, since\r\nSparrowDoor uses plain TCP and the files were downloaded over HTTP. However, there is a gap of almost two\r\nweeks between the downloads, on June 30, 2024, and the compilation of the modular SparrowDoor, on July 12,\r\n2024. We do not know whether the service listening on that port was changed between those two occurrences or\r\nwhether the SparrowDoor C\u0026C server includes functionality to serve files over HTTP.\r\nConclusion\r\nDue to the lack of activity and public reporting between 2022 and 2024, FamousSparrow was presumed to be\r\ninactive. 
However, our analysis of the US network compromised in July 2024 revealed two new versions of\r\nSparrowDoor, showing that FamousSparrow is still developing its flagship backdoor. One of these new versions\r\nwas also found on a machine in Mexico. As we were setting up tracking based on what is covered in this blogpost,\r\nwe uncovered additional activity by the group during this period, including the targeting of a governmental\r\ninstitution in Honduras. This newly found activity indicates that not only is the group still operating, but it was\r\nalso actively developing new versions of SparrowDoor during this time.\r\nWe will continue to monitor and report on activity by FamousSparrow, and will also continue to follow the\r\ndiscussion surrounding potential links between FamousSparrow and Salt Typhoon.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at\r\nthreatintel@eset.com. \r\nESET Research offers private APT intelligence reports and data feeds. 
For any inquiries about this\r\nservice, visit the ESET Threat Intelligence page.\r\nIoCs\r\nFiles\r\nSHA-1 | Filename | Detection | Description\r\nC26F04790C6FB7950D89AB1B08207ACE01EFB536 | DotNetNuke.ashx | ASP/Webshell.SE | ASHX webshell.\r\nF35CE62ABEEDFB8C6A38CEAC50A250F48C41E65E | DrmUpdate.exe | N/A | Legitimate Microsoft Office IME 2010 used for DLL side-loading.\r\n5265E8EDC9B5F7DD00FC772522511B8F3BE217E3 | imjp14k.dll | Win32/Agent.AGOZ | ShadowPad loader.\r\nA91B42E5062FEF608F285002DEBAFF9358162B25 | dph.exe | N/A | Legitimate VLC cache generator.\r\n0DC20B2F11118D5C0CC46B082D7F5DC060276157 | vlc.exe | N/A | Legitimate VLC media player used for DLL side-loading.\r\nEF189737FB7D61B110B9293E8838526DCE920127 | libvlc.dll | Win64/Agent.FAY | SparrowDoor loader.\r\nD03FD329627A58B40E805F4F55B5D821063AC27F | notify.exe | N/A | Legitimate Yandex application used for DLL side-loading.\r\n3A395DAAF518BE113FCFF2E5E48ACD9B9C0DE69D | WINMM.dll | Win32/ShellcodeRunner.LK | Loader for modular SparrowDoor.\r\n0925F24082971F50EDD987D82F708845A6A9D7C9 | WindowsUpdate.exe | N/A | Legitimate Fortemedia Audio Processing used for DLL side-loading.\r\n5F1553F3AF9425EF5D68341E991B6C5EC96A82EB | FmApp.dll | Win64/Agent.EEA | ShadowPad loader.\r\nCC350BA25947B7F9EC5D11EA8269407C0FD74095 | FmApp.dll | Win64/Agent.EDQ | ShadowPad loader.\r\nDB1591C6E23160A94F6312CA46DA2D0BB243322C | K7AVWScn.exe | N/A | Legitimate K7AntiVirus Messenger Scanner Stub used for DLL side-loading.\r\n1B06E877C2C12D74336E7532BC0ECF761E5FA5D4 | K7AVWScn.dll | Win32/Agent.AGOJ | SparrowDoor loader.\r\nEBC93A546BCDF6CC1EB61D7174BCB85407BBD892 | start.bat | BAT/Agent.DP | Batch script to deploy the ASHX webshell.\r\nD6D32A1F17D48FE695C0778018C0D51626DB4A3B | dph.dll | Win64/Riskware.LsassDumper.EN | Program to dump LSASS memory.\r\n7D66B550EA68A86FCC0958E7C159531D4431B788 | Ntmssvc.dll | WinGo/ShellcodeRunner.EC | Modified Spark RAT.\r\nD78F353A70ADF68371BC10CF869B761BD51484B0 | N/A (in-memory) | Win32/Agent.VQI | Decrypted SparrowDoor payload.\r\n99BED842B5E222411D19F0C5B54478E8CC7AE68F | N/A (in-memory) | Win32/Agent.VQI | Decrypted modular SparrowDoor payload.\r\n5DF3C882DB6BE14887182B7439B72A86BD28B83F | taskhosk.exe | Win32/Agent.AHCV | SparrowDoor/HemiGate with built-in plugins.\r\nAA823148EEA6F43D8EB9BF20412402A7739D91C2 | taskhosk.exe | Win32/Agent.AHCV | SparrowDoor/HemiGate with built-in plugins.\r\nNetwork\r\nIP | Domain | Hosting provider | First seen | Details\r\n43.254.216[.]195 | N/A | Hongkong Wen Jing Network Limited | 2024-06-27 | FamousSparrow C\u0026C and download server.\r\n45.131.179[.]24 | amelicen[.]com | XNNET LLC | 2024-07-05 | SparrowDoor C\u0026C server.\r\n103.85.25[.]166 | N/A | Starry Network Limited | 2024-06-06 | SparrowDoor C\u0026C server.\r\n216.238.106[.]150 | N/A | Vultr Holdings, LLC | 2024-03-11 | ShadowPad C\u0026C server.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 16 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1588.001 | Obtain Capabilities: Malware | FamousSparrow acquired and used ShadowPad.\r\nResource Development | T1588.002 | Obtain Capabilities: Tool | FamousSparrow acquired the open-source PowerHub post-exploitation framework.\r\nResource Development | T1588.005 | Obtain Capabilities: Exploits | FamousSparrow added the BadPotato exploit to its deployment of PowerHub.\r\nResource Development | T1583.004 | Acquire Infrastructure: Server | FamousSparrow acquired a server to host malware and tools.\r\nResource Development | T1584 | Compromise Infrastructure | Servers compromised with SparrowDoor can be forced to function as proxies.\r\nResource Development | T1608.001 | Stage Capabilities: Upload Malware | FamousSparrow hosted SparrowDoor on its own server.\r\nResource Development | T1608.002 | Stage Capabilities: Upload Tool | FamousSparrow uploaded PowerHub to a server it controls.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | FamousSparrow developed new versions of SparrowDoor.\r\nInitial Access | T1190 | Exploit Public-Facing Application | FamousSparrow likely exploited a vulnerability in an outdated Exchange server to gain initial access.\r\nInitial Access | T1078.002 | Valid Accounts: Domain Accounts | FamousSparrow used valid credentials for a domain account to pivot to other machines in compromised networks.\r\nExecution | T1059.001 | Command and Scripting Interpreter: PowerShell | FamousSparrow used an interactive PowerShell session to perform reconnaissance and deploy SparrowDoor.\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | SparrowDoor can launch cmd.exe to create a remote shell session.\r\nExecution | T1106 | Native API | SparrowDoor uses the CreateProcess API to launch an interactive shell.\r\nExecution | T1047 | Windows Management Instrumentation | FamousSparrow used wmic.exe to run reconnaissance commands.\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | SparrowDoor can create a Run key to persist on a compromised system.\r\nPersistence | T1543.003 | Create or Modify System Process: Windows Service | SparrowDoor can create a service to persist on a compromised system.\r\nPersistence | T1505.003 | Server Software Component: Web Shell | FamousSparrow deployed webshells to compromised servers.\r\nPrivilege Escalation | T1068 | Exploitation for Privilege Escalation | FamousSparrow used the BadPotato exploit to gain SYSTEM privileges.\r\nDefense Evasion | T1055 | Process Injection | SparrowDoor injects its loader into a Windows color management process.\r\nDefense Evasion | T1055.001 | Process Injection: Dynamic-link Library Injection | The ShadowPad loader injects its payload into a newly created Windows Media Player process.\r\nDefense Evasion | T1574.002 | Hijack Execution Flow: DLL Side-Loading | The SparrowDoor loader is executed by side-loading from a legitimate K7 Antivirus executable.\r\nDefense Evasion | T1140 | Deobfuscate/Decode Files or Information | SparrowDoor’s encrypted C\u0026C server configuration is decrypted at runtime.\r\nDefense Evasion | T1564.001 | Hide Artifacts: Hidden Files and Directories | FamousSparrow has used attrib.exe to set the hidden and system file attributes on the SparrowDoor loader.\r\nDefense Evasion | T1564.003 | Hide Artifacts: Hidden Window | SparrowDoor launches the process into which it injects the loader, with its window hidden.\r\nDefense Evasion | T1070.004 | Indicator Removal: File Deletion | SparrowDoor can uninstall itself, which includes deleting the associated files.\r\nDefense Evasion | T1070.009 | Indicator Removal: Clear Persistence | SparrowDoor can uninstall itself, which removes any persistence.\r\nDefense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | FamousSparrow used a batch script that deploys an embedded ASHX webshell.\r\nDefense Evasion | T1027.010 | Obfuscated Files or Information: Command Obfuscation | PowerHub obfuscates parts of its commands by encrypting them with RC4.\r\nDefense Evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | The file containing the SparrowDoor payload is RC4 encrypted.\r\nDefense Evasion | T1036.004 | Masquerading: Masquerade Task or Service | The description and name of the service used by SparrowDoor to persist match those of the legitimate K7 program it is impersonating.\r\nDefense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | The SparrowDoor loader masquerades as a DLL loaded by the legitimate K7AVWScn.exe.\r\nDefense Evasion | T1036.008 | Masquerading: Masquerade File Type | The encrypted payload file containing SparrowDoor has a .doc extension.\r\nDefense Evasion | T1620 | Reflective Code Loading | The modular version of SparrowDoor can load additional PE files into its own memory space.\r\nCredential Access | T1003.001 | OS Credential Dumping: LSASS Memory | FamousSparrow used a utility to dump LSASS memory.\r\nDiscovery | T1482 | Domain Trust Discovery | FamousSparrow used nltest.exe to list domain controllers and trusted domains.\r\nDiscovery | T1087.001 | Account Discovery: Local Account | FamousSparrow used net.exe to obtain information on local accounts.\r\nDiscovery | T1087.002 | Account Discovery: Domain Account | FamousSparrow used net.exe to obtain information on domain accounts.\r\nDiscovery | T1049 | System Network Connections Discovery | FamousSparrow used netstat.exe to list active TCP connections.\r\nDiscovery | T1083 | File and Directory Discovery | SparrowDoor can list directories.\r\nDiscovery | T1057 | Process Discovery | FamousSparrow used tasklist.exe to list running processes and services, and to find the LSASS process.\r\nDiscovery | T1012 | Query Registry | FamousSparrow used a script to dump the SAM, SYSTEM, and SECURITY registry hives.\r\nDiscovery | T1082 | System Information Discovery | FamousSparrow used wmic.exe to obtain information about mapped drives. It also used ipconfig.exe to list network adapters.\r\nDiscovery | T1033 | System Owner/User Discovery | FamousSparrow used whoami.exe to obtain information about the active user and their privileges.\r\nDiscovery | T1518.001 | Software Discovery: Security Software Discovery | The modular version of SparrowDoor lists installed security software.\r\nLateral Movement | T1570 | Lateral Tool Transfer | FamousSparrow transferred SparrowDoor to other machines on the network.\r\nLateral Movement | T1021 | Remote Services | FamousSparrow has used remote PowerShell sessions to pivot onto other machines in the compromised network.\r\nCollection | T1005 | Data from Local System | SparrowDoor can read files from any local system drive.\r\nCollection | T1025 | Data from Removable Media | SparrowDoor can read files from any mapped removable drive.\r\nCollection | T1039 | Data from Network Shared Drive | SparrowDoor can read files from any mapped network shared drive.\r\nCommand and Control | T1095 | Non-Application Layer Protocol | SparrowDoor uses raw TCP sockets to communicate with its C\u0026C server.\r\nCommand and Control | T1071.001 | Application Layer Protocol: Web Protocols | FamousSparrow downloaded additional files from its C\u0026C server over HTTP.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | In the modular version of SparrowDoor, data sent over the network is RC4 encrypted.\r\nCommand and Control | T1008 | Fallback Channels | SparrowDoor can have up to three C\u0026C servers in its network configuration.\r\nCommand and Control | T1105 | Ingress Tool Transfer | FamousSparrow downloaded PowerHub from a server it controls.\r\nCommand and Control | T1571 | Non-Standard Port | FamousSparrow downloaded PowerHub over HTTP on port 8080 and over HTTPS on port 8443.\r\nExfiltration | T1020 | Automated Exfiltration | SparrowDoor can exfiltrate the content of any file requested by the C\u0026C server.\r\nExfiltration | T1030 | Data Transfer Size Limits | SparrowDoor splits file content into chunks of 4 kB.\r\nExfiltration | T1041 | Exfiltration Over C2 Channel | SparrowDoor exfiltrates data using the same raw TCP socket it uses to communicate with its C\u0026C server.\r\nSource: https://www.welivesecurity.com/en/eset-research/you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow/"
	],
	"report_names": [
		"you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow"
	],
	"threat_actors": [
		{
			"id": "f67fb5b3-b0d4-484c-943e-ebf12251eff6",
			"created_at": "2022-10-25T16:07:23.605611Z",
			"updated_at": "2026-04-10T02:00:04.685162Z",
			"deleted_at": null,
			"main_name": "FamousSparrow",
			"aliases": [
				"Earth Estries"
			],
			"source_name": "ETDA:FamousSparrow",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-10T02:00:03.577326Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon",
				"RedMike"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a09ade2a-6b87-4f9a-b4f8-23cf14f63633",
			"created_at": "2023-11-04T02:00:07.676869Z",
			"updated_at": "2026-04-10T02:00:03.389898Z",
			"deleted_at": null,
			"main_name": "Earth Estries",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Estries",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-10T02:00:04.880446Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-10T02:00:05.361244Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-10T02:00:03.845594Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434647,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a6706736182cf245fd77cc3bef5764d95db16a6.pdf",
		"text": "https://archive.orkl.eu/9a6706736182cf245fd77cc3bef5764d95db16a6.txt",
		"img": "https://archive.orkl.eu/9a6706736182cf245fd77cc3bef5764d95db16a6.jpg"
	}
}
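The plugin dispatch scheme the report describes for the modular SparrowDoor (commands routed by `CommandID & 0xF0000`, one installer plugin with bitmask 0x10000 present by default, plugins delivered as PE files whose `fmain` export returns a bitmask getter and a handler, duplicates dropped when a bitmask is already registered, loop ending on a malformed message), modelled in Python as an added example. This is not ESET's code and not the malware's; the in-memory PE mapping and the `fmain` export are replaced by Python callables looked up in a constructed `FMAIN_STUBS` table, and the session transcript is constructed.

```python
"""Model of the modular SparrowDoor plugin dispatch (added illustration).

Facts taken from the report: routing key is command_id & 0xF0000; the
installer plugin (0x10000) is the only one present by default; a received
plugin is mapped in memory and its fmain export returns (get_bitmask,
handler); a plugin whose bitmask already exists is not added; the plugin
loop ends when a malformed command message arrives.
Assumption for runnability: FMAIN_STUBS stands in for "map PE, call fmain".
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PLUGIN_MASK = 0xF0000        # low nibble of the third byte of the command ID
INSTALLER_BITMASK = 0x10000  # the only plugin installed by default

Handler = Callable[[int, bytes], bytes]
FMain = Callable[[], Tuple[Callable[[], int], Handler]]


@dataclass
class Plugin:
    bitmask: int
    handler: Handler


def _cmd_plugin() -> Tuple[Callable[[], int], Handler]:
    # Stand-in for a Cmd-style plugin (bitmask 0x20000); it records the
    # command line it was given instead of executing anything.
    def handler(command_id: int, data: bytes) -> bytes:
        return b"cmd would run: " + data
    return (lambda: 0x20000), handler


def _cmd_plugin_rebuild() -> Tuple[Callable[[], int], Handler]:
    # A second build claiming the same bitmask; the table must refuse it.
    def handler(command_id: int, data: bytes) -> bytes:
        return b"rebuild would run: " + data
    return (lambda: 0x20000), handler


# Constructed "PE files" as the C&C would send them, keyed to their fmain.
FMAIN_STUBS: Dict[bytes, FMain] = {
    b"PE:cmd": _cmd_plugin,
    b"PE:cmd-rebuild": _cmd_plugin_rebuild,
}


class PluginTable:
    def __init__(self) -> None:
        self.plugins: List[Plugin] = [Plugin(INSTALLER_BITMASK, self._install)]

    def _install(self, command_id: int, data: bytes) -> bytes:
        """Handler of the default plugin: map the received PE and register it."""
        fmain = FMAIN_STUBS.get(data)
        if fmain is None:
            return b"install: not a loadable plugin"
        get_bitmask, handler = fmain()
        bitmask = get_bitmask()
        if any(p.bitmask == bitmask for p in self.plugins):
            return f"install: bitmask {bitmask:#x} already registered, dropped".encode()
        self.plugins.append(Plugin(bitmask, handler))
        return f"install: registered {bitmask:#x}".encode()

    def dispatch(self, command_id: int, data: bytes) -> Optional[bytes]:
        """Route one plugin command; None means no installed plugin claims it."""
        key = command_id & PLUGIN_MASK
        for plugin in self.plugins:
            if plugin.bitmask == key:
                return plugin.handler(command_id, data)
        return None


def run_session(table: PluginTable, messages: list) -> List[Optional[bytes]]:
    """Dispatch messages in order until a malformed one arrives."""
    results: List[Optional[bytes]] = []
    for msg in messages:
        if not (isinstance(msg, tuple) and len(msg) == 2
                and isinstance(msg[0], int) and isinstance(msg[1], bytes)):
            break
        results.append(table.dispatch(*msg))
    return results


# Constructed session: install, use, attempt a duplicate, then a bad message.
SESSION = [
    (0x20001, b"whoami"),          # no Cmd plugin yet -> unhandled
    (0x10000, b"PE:cmd"),          # installer registers 0x20000
    (0x20001, b"whoami"),          # now routed to the Cmd plugin
    (0x10000, b"PE:cmd-rebuild"),  # same bitmask -> refused
    (0x2FFFF, b"ipconfig /all"),   # low 16 bits are ignored by the mask
    "not a command message",       # malformed -> loop ends here
    (0x20001, b"never reached"),
]


def demo() -> List[Optional[bytes]]:
    return run_session(PluginTable(), SESSION)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The outer command IDs (0x3A76, 0x3A77, 0x3A7B and the other two) only select the handshake path and are not modelled; what the model shows is the inner step they all share, where the masked command ID picks the handler and the 16 low bits are left for the plugin itself.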
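A detection pass over endpoint and network telemetry for the tradecraft in the ShadowPad, Other tools, Network infrastructure and IoC sections above: `reg save` of the SAM, SYSTEM and SECURITY hives, wmplayer.exe spawned by the renamed IME host imjp14k.exe, legitimate side-load hosts running under a new name, the published file hashes, the C&C addresses and domain, and the ShadowPad certificate fingerprint. This is an added Python example, not ESET's code or detection content. The Sysmon-like event layout and every sample event are constructed here (e9 and e10 are benign controls); the indicator values are the ones published in the report.

```python
"""Rule set over constructed telemetry for the FamousSparrow activity above."""
import ntpath
import re
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]

# Indicators from the report's IoC section.
C2_IPS = {"43.254.216.195", "45.131.179.24", "103.85.25.166", "216.238.106.150"}
C2_DOMAINS = {"amelicen.com"}
SHADOWPAD_CERT_SHA1 = "BAED2895C80EB6E827A6D47C3DD7B8EFB61ED70B"
KNOWN_SHA1 = {
    "5265E8EDC9B5F7DD00FC772522511B8F3BE217E3": "ShadowPad loader imjp14k.dll",
    "EF189737FB7D61B110B9293E8838526DCE920127": "SparrowDoor loader libvlc.dll",
    "1B06E877C2C12D74336E7532BC0ECF761E5FA5D4": "SparrowDoor loader K7AVWScn.dll",
    "D6D32A1F17D48FE695C0778018C0D51626DB4A3B": "LSASS dumper dph.dll",
}
# Legitimate executables the actor renamed before side-loading from them; the
# PE version resource (OriginalFileName) still carries the real name.
RENAMED_HOSTS = {"imecmnt.exe", "vlc-cache-gen.exe"}
HIVE_DUMP = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_hive_dump(ev: Event) -> Optional[str]:
    if ev["type"] != "process":
        return None
    hives = HIVE_DUMP.findall(ev.get("cmdline", ""))
    if not hives:
        return None
    return "T1012 registry hive dump via reg save (%s)" % ",".join(h.upper() for h in hives)


def rule_shadowpad_inject(ev: Event) -> Optional[str]:
    if (ev["type"] == "process" and _base(ev["image"]) == "wmplayer.exe"
            and _base(ev.get("parent_image", "")) == "imjp14k.exe"):
        return "T1055.001 wmplayer.exe spawned by imjp14k.exe (ShadowPad loader host)"
    return None


def rule_renamed_host(ev: Event) -> Optional[str]:
    if ev["type"] != "process":
        return None
    orig = ev.get("original_file_name", "").lower()
    if orig in RENAMED_HOSTS and _base(ev["image"]) != orig:
        return f"T1574.002 side-load host {orig} running as {_base(ev['image'])}"
    return None


def rule_known_hash(ev: Event) -> Optional[str]:
    desc = KNOWN_SHA1.get(ev.get("sha1", "").upper())
    return f"known FamousSparrow artefact: {desc}" if desc else None


def rule_c2(ev: Event) -> Optional[str]:
    if ev["type"] == "network" and ev.get("dst_ip") in C2_IPS:
        return f"C2 contact {ev['dst_ip']}:{ev.get('dst_port', '?')}"
    query = ev.get("query", "").lower().rstrip(".")
    if ev["type"] == "dns" and query in C2_DOMAINS:
        return f"C2 domain lookup {query}"
    if ev["type"] == "tls" and ev.get("cert_sha1", "").upper() == SHADOWPAD_CERT_SHA1:
        return "ShadowPad TLS certificate fingerprint"
    return None


RULES: List[Callable[[Event], Optional[str]]] = [
    rule_hive_dump, rule_shadowpad_inject, rule_renamed_host, rule_known_hash, rule_c2,
]


def detect(events: List[Event]) -> List[str]:
    """Return one 'event id: finding' line per rule hit, in event order."""
    return [f"{ev['id']}: {hit}" for ev in events for rule in RULES if (hit := rule(ev))]


# Constructed sample telemetry (not from the report); e9 and e10 are benign.
SAMPLE_EVENTS: List[Event] = [
    {"id": "e1", "type": "process", "image": r"C:\Windows\System32\reg.exe",
     "original_file_name": "reg.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg save HKLM\SAM C:\users\public\sam.hiv"},
    {"id": "e2", "type": "process", "image": r"C:\ProgramData\imjp14k.exe",
     "original_file_name": "IMECMNT.EXE", "parent_image": r"C:\Windows\explorer.exe"},
    {"id": "e3", "type": "process", "image": r"C:\Program Files (x86)\Windows Media Player\wmplayer.exe",
     "original_file_name": "wmplayer.exe", "parent_image": r"C:\ProgramData\imjp14k.exe"},
    {"id": "e4", "type": "process", "image": r"C:\Users\Public\dph.exe",
     "original_file_name": "vlc-cache-gen.exe", "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"id": "e5", "type": "imageload", "image": r"C:\Users\Public\dph.dll",
     "sha1": "d6d32a1f17d48fe695c0778018c0d51626db4a3b"},
    {"id": "e6", "type": "network", "dst_ip": "45.131.179.24", "dst_port": "80"},
    {"id": "e7", "type": "dns", "query": "amelicen.com."},
    {"id": "e8", "type": "tls", "dst_ip": "216.238.106.150",
     "cert_sha1": "baed2895c80eb6e827a6d47c3dd7b8efb61ed70b"},
    {"id": "e9", "type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "original_file_name": "notepad.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"id": "e10", "type": "network", "dst_ip": "8.8.8.8", "dst_port": "53"},
]


if __name__ == "__main__":
    print("\n".join(detect(SAMPLE_EVENTS)))
```

The hash, address and fingerprint rules are exact matches and age quickly; the three behavioural rules (hive dump, renamed side-load host, wmplayer.exe under an unexpected parent) are the ones worth keeping after the listed infrastructure is gone. The hive-dump regex deliberately matches any `reg save` of the three hives regardless of the output path, since the `C:\users\public` location is incidental to this intrusion.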