New Variants of SparrowDoor Backdoor Discovered in Cyberattacks on U.S. and Mexican Organizations

March 26, 2025
Malware / Vulnerability

The Chinese threat actor known as FamousSparrow has been implicated in a cyberattack targeting a U.S. trade group and a research institute in Mexico, leveraging its primary backdoor, SparrowDoor, along with ShadowPad. This activity, observed in July 2024, marks the first time the group has been seen deploying ShadowPad, a malware commonly associated with Chinese state-sponsored attackers. ESET reported that “FamousSparrow introduced two new, undocumented versions of the SparrowDoor backdoor, one of which is modular.” These iterations show significant advancements, including the ability to execute commands in parallel. FamousSparrow was first identified by the Slovak cybersecurity firm in September 2021 during a series of attacks against hotels, governments, engineering firms, and law practices, utilizing the exclusive SparrowDoor implant. Subsequent reports have highlighted the adversarial group’s expanding footprint…


A notable cyber incident has linked the Chinese threat actor known as FamousSparrow to an attack on a U.S.-based trade organization and a research institute in Mexico. The attack, which occurred in July 2024, involved the deployment of the notorious SparrowDoor backdoor along with ShadowPad, marking the first known usage of this malware by the group.

According to a report from ESET shared with The Hacker News, FamousSparrow introduced two previously undocumented variants of the SparrowDoor backdoor, one of which is modular in design. These new iterations demonstrate significant advancements over earlier versions, including the ability to execute commands in parallel, which improves their operational efficiency.

FamousSparrow first came to light in a 2021 report by the Slovak cybersecurity firm ESET, which documented the group’s involvement in a series of cyberattacks targeting various sectors, including hospitality, government, engineering, and legal services. The SparrowDoor backdoor is used exclusively by this actor, suggesting a focused strategy of targeting vulnerable sectors for data exfiltration and potential disruption.

The implications of these attacks extend beyond the immediate impact on the targeted organizations. Businesses should be aware that intrusions of this kind typically map to techniques catalogued in the MITRE ATT&CK framework, specifically those associated with initial access, persistence, and privilege escalation. For instance, adversaries may exploit vulnerabilities in software or use phishing tactics to gain entry into systems, and then maintain access through backdoors like SparrowDoor.

The introduction of modular design in the recent SparrowDoor variants could indicate a broader strategy aimed at increasing resilience and adaptability in cyber operations. This is further compounded by the historical use of ShadowPad, a malware widely used by Chinese state-sponsored groups, revealing a persistent and evolving threat landscape.

As cyber threats continue to advance, business owners must remain vigilant and proactive in their cybersecurity strategies. Awareness of such attacks and the tactics employed can not only inform better security protocols but also foster a culture of preparedness against potential intrusions. The incident serves as a stark reminder of the necessity for continuous monitoring and updating of security measures to counteract the ever-changing nature of cyber threats.

Assessing the tactics and techniques used in these recent attacks can provide valuable insights for enhancing an organization’s cybersecurity posture. With the potential for significant financial and reputational damage, prioritizing robust defensive measures is imperative in today’s increasingly risky digital environment.
