Chinese ‘FamousSparrow’ hackers back from the dead and targeting North America, researchers say
A Chinese government hacking group thought to be dormant since 2022 has allegedly been targeting organizations in the U.S., Mexico and Honduras.
Researchers from the cybersecurity firm ESET said Wednesday they were investigating suspicious activity on the network of a U.S. trade group when they found hacking tools previously linked to a group named FamousSparrow.
Further investigation revealed the group had upgraded the backdoor tool it had become known for, called SparrowDoor. ESET found two previously undocumented versions on victim networks.
“While these new versions exhibit significant upgrades, they can still be traced back directly to earlier, publicly documented versions,” said ESET researcher Alexandre Côté Cyr.
Côté Cyr said there are “substantial” code overlaps with samples of the backdoor that were previously attributed to FamousSparrow.
FamousSparrow is a cyberespionage group active since at least 2019, according to ESET, and has deployed its SparrowDoor backdoor in dozens of attacks. But there had been no publicly documented activity by FamousSparrow since 2022.
The group was well-known for targeting hotels and was implicated in attacks on hotels in France, Lithuania, the U.K., Israel, Saudi Arabia, Brazil, Canada, Guatemala, Taiwan and Burkina Faso.
ESET said recent investigations discovered other activity from FamousSparrow between 2022 and 2024, including attacks on a government organization in Honduras and a research institute in Mexico.
A report on the recent incidents notes that while it is unclear which exploit was used to gain access to the victim networks, some were “running outdated versions of Windows Server and Microsoft Exchange, for which there are several publicly available exploits.”
The hackers used an array of custom-made tools and malware, along with tooling shared with other Chinese government-backed groups. The toolset, which included the well-known ShadowPad backdoor, allowed the hackers to transfer files, monitor system changes, take screenshots, run commands and log keystrokes.
ESET researchers noted that in the past year several cybersecurity companies have tied FamousSparrow to other Chinese operations and conflated them with groups like GhostEmperor.
“Based on our data and analysis of the publicly available reports, FamousSparrow appears to be its own distinct cluster with loose links to the others,” Côté Cyr said.
FamousSparrow was one of the first APTs to mount attacks using the ProxyLogon vulnerability in Microsoft Exchange email servers. ESET said the group weaponized ProxyLogon just one day after Microsoft disclosed the vulnerability's existence, with the first attacks recorded on March 3, 2021.
ESET noted the group has also targeted governments, international organizations, engineering companies and law firms.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.