Newsinterpretation

SparrowDoor 2.0: Chinese Hackers Deploy Powerful Malware in Global Attacks

A group of Chinese hackers called FamousSparrow is in the news again for launching new cyberattacks. This time, they targeted a trade group in the United States. But they didn’t stop there. Security experts at ESET, a global cybersecurity company, found that the group also attacked a research institute in Mexico and a government office in Honduras.

Chinese Hackers Strike Again with More Advanced Malware

The hackers broke into these systems through outdated Microsoft Exchange and Windows Server installations whose known security flaws had not been patched. This let them install webshells, small server-side scripts that gave the hackers remote control over the infected systems without being noticed.

ESET’s research shows that FamousSparrow is more active than experts first thought. The group was exposed in 2022. However, they kept running their spying operations. They also improved their methods and created even more dangerous malware.

What Is SparrowDoor and Why Is It Dangerous?

The new attacks use a powerful backdoor program called SparrowDoor. This harmful software gives hackers full access to infected computers. It lets them steal data, watch activity, and even control the system.

The hackers have created two new versions of SparrowDoor. The updated malware is much more dangerous than before. It has better code, making it more stable and efficient. This also makes it harder for security programs to find and remove.

Another big improvement is parallel command execution. This lets the malware do many tasks at once. It can keep listening for new commands while doing slow tasks, like copying files or running remote commands.

The backdoor also uses stealth and persistence techniques. With improved encryption and smarter methods of staying hidden, it becomes more difficult for antivirus programs to detect and eliminate it.

One of the most concerning changes is its modular design. This means the hackers can add new features to the malware while it is still running. They can send extra “plugins” to infected systems in real time, extending the malware’s spying and disruptive capabilities.

These plugins give the malware more power. It can access the computer’s shell and take screenshots of the victim’s screen. It can record keystrokes to steal passwords or other sensitive data. The malware can also steal, delete, or change files. It can create secret network proxies to hide the hackers’ location. It can send stolen data to remote servers and even stop or list running processes.

With these expanded abilities, FamousSparrow can operate silently and efficiently, making it extremely difficult for security systems to detect and block their activities.

The ShadowPad Connection: More Dangerous Tools in Play

One of the most alarming findings in ESET’s report is that FamousSparrow is now using a dangerous tool called ShadowPad. This is a highly advanced Remote Access Trojan (RAT), which acts like a digital Swiss Army knife for hackers. ShadowPad can perform multiple cyberespionage functions, including stealing sensitive data, spreading across networks, and providing remote access to infected systems.

To run ShadowPad, the hackers used a technique called DLL side-loading, in which a legitimate program is tricked into loading a malicious library in place of the one it expects. They disguised the malicious library as a renamed Microsoft Office IME file and had Windows Media Player (wmplayer.exe) load it. Because the code ran inside a trusted Windows program, it was less likely to be noticed. Once running, it connected to a hidden command-and-control (C2) server, giving the hackers direct access to the infected system.
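A defender-side check for the side-loading pattern described above, added here as an example; it is not ESET's code or anything from the article. The log format, the allowlisted directories, the watched host process and the DLL names are constructed assumptions, not indicators from the report.

```python
"""Added example: flag DLL side-loading candidates in image-load telemetry.

The record format, directory allowlist, watched host and sample DLL names
below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Hypothetical allowlist: directories from which the host program is
# expected to load its libraries. A load from anywhere else is suspicious.
TRUSTED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files\Windows Media Player",
    r"C:\Program Files\Microsoft Office",
    r"C:\Program Files\Common Files\Microsoft Shared",
)
# Known side-loading host binaries worth watching (assumed list).
WATCHED_HOSTS = {"wmplayer.exe"}

@dataclass
class ImageLoad:
    process: str   # full path of the loading process
    dll: str       # full path of the DLL that was mapped into it
    signed: bool   # whether the DLL carried a valid Authenticode signature

def parse_event(line: str) -> ImageLoad:
    """Parse one constructed 'Key=Value|Key=Value' image-load record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(fields["Image"], fields["ImageLoaded"], fields["Signed"] == "true")

def _under(path: str, root: str) -> bool:
    """Case-insensitive 'path lies beneath root' test for Windows paths."""
    p = [s.lower() for s in PureWindowsPath(path).parts]
    r = [s.lower() for s in PureWindowsPath(root).parts]
    return p[:len(r)] == r

def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Side-loading pattern: a watched host binary maps a DLL that is
    unsigned or lives outside the directories it should be loading from."""
    if PureWindowsPath(ev.process).name.lower() not in WATCHED_HOSTS:
        return False
    outside_trusted = not any(_under(ev.dll, d) for d in TRUSTED_DIRS)
    return outside_trusted or not ev.signed

def triage(lines) -> list:
    """Return the DLL paths of every flagged load, in log order."""
    return [ev.dll for ev in map(parse_event, lines) if is_sideload_candidate(ev)]

SAMPLE_EVENTS = [  # constructed telemetry, not real indicators
    r"Image=C:\Program Files\Windows Media Player\wmplayer.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true",
    r"Image=C:\Program Files\Windows Media Player\wmplayer.exe|ImageLoaded=C:\Users\Public\wmp\imelib.dll|Signed=false",
    r"Image=C:\Windows\explorer.exe|ImageLoaded=C:\Users\Public\wmp\imelib.dll|Signed=false",
]
```

Only the second record is flagged: a watched host loading an unsigned library from a user-writable directory; the third is the same DLL but loaded by a process outside the watch list, so a real deployment would widen the host list or drop it.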

Interestingly, ShadowPad is linked to multiple Chinese state-sponsored hacking groups. This suggests that FamousSparrow may now have access to top-tier cyber tools used by other powerful Chinese hacking groups.

Microsoft has grouped FamousSparrow with other Chinese hacking groups, including GhostEmperor and Earth Estries, under the name Salt Typhoon. ESET tracks them as separate groups, but notes that they use similar tools and methods. This suggests they may share resources or rely on the same underground supplier.

Renuka Bangale
Renuka is a distinguished Chartered Accountant and a Certified Digital Threats Analyst from Riskpro, renowned for her expertise in cybersecurity. With a deep understanding of cybercrimes, malware, cyber warfare, and espionage, she has established herself as an authority in the field. Renuka combines her financial acumen with advanced knowledge of digital threats to provide unparalleled insights into the evolving landscape of information security. Her analytical prowess enables her to dissect complex cyber incidents, offering clarity on risks and mitigation strategies. As a key contributor to Newsinterpretation’s information security category, Renuka delivers authoritative articles that educate and inform readers about emerging threats and best practices.
