Once considered inactive, the Chinese cyber espionage group FamousSparrow has reemerged, targeting organizations across the US, Mexico and Honduras.
Analysis Summary
# Threat Actor: FamousSparrow
## Attribution & Identity
* **Identification:** China-linked cyber espionage group, widely assessed to be state-backed.
* **Aliases/Associations:** Connected with other Chinese-backed APT groups, including Earth Estries (observed conducting a related campaign against government and tech organizations).
* **Unique Association:** The only known actor to employ the **SparrowDoor** backdoor.
## Activity Summary
* **Status:** Recently resurfaced after being considered dormant since 2022.
* **Recent Campaigns (March 2025 findings):** Compromised organizations in the US, Mexico and Honduras, including a trade group in the US financial sector, a research institute in Mexico, and a governmental institution in Honduras.
* **Historical Activity:** Active since at least 2019. First publicly documented in 2021 exploiting the ProxyLogon vulnerability.
## Tactics, Techniques & Procedures
* Exploiting the **ProxyLogon vulnerability** (observed in 2021 activity).
* Use of the custom backdoor named **SparrowDoor**.
* Generally described as a cyber espionage actor.
## Targeting
* **Sectors:** Financial sector (trade group), governments, international organizations, engineering firms, law firms, and research institutes.
* **Geography:** Global scope historically (observed targeting hotels worldwide); currently targeting the **US**, **Mexico**, and **Honduras**.
* **Victims:** A trade group in the US financial sector, a research institute in Mexico, and a governmental institution in Honduras.
## Tools & Infrastructure
* **Malware Families Used:** SparrowDoor (backdoor).
* **Infrastructure:** Not detailed in the source beyond its association with cyber espionage campaigns; no URLs or IP addresses are provided for this section.
## Implications
* The group presents a resurgent threat following perceived dormancy, indicating sustained operational capability despite gaps in reporting.
* Their shift in targeting to include financial sector trade groups alongside governmental bodies suggests an expanded intelligence gathering mandate.
## Mitigations
* Implement detection and remediation measures for the SparrowDoor backdoor.
* Given the group's history of exploiting vulnerabilities such as ProxyLogon, prompt patching and vulnerability management, especially for internet-facing edge devices, are critical.
* Monitor for beaconing traffic indicative of command and control communication associated with known nation-state espionage activity.