Once presumed dormant, the China-aligned advanced persistent threat (APT) group FamousSparrow has made its way back onto the global cyber stage — armed with a more powerful toolkit and newly observed tactics. According to recent findings from ESET Research, this elusive cyberespionage group has compromised targets in the U.S., Mexico, and Honduras, deploying upgraded malware and, for the first time, utilizing the infamous ShadowPad backdoor.
From Shadows to Spotlight
FamousSparrow, thought to have been active since 2019 but only first spotlighted in 2021 for exploiting the ProxyLogon vulnerability, has not been publicly linked to any campaigns since 2022. Many assumed the group had gone quiet, but ESET’s 2025 investigation into a U.S.-based financial trade group revealed that FamousSparrow is more than active; it has significantly evolved.
Two previously undocumented versions of the group’s hallmark malware SparrowDoor were discovered, both showing major improvements in code quality and architecture. One of those versions is now modular and can load components dynamically, likely in an effort to evade detection and gain flexibility when executing attacks.
A New Arsenal
The most worrisome discovery is FamousSparrow’s debut use of ShadowPad, a modular and widely feared backdoor typically reserved for China-aligned threat groups. ShadowPad, first tied to APT41 and used in major cyberespionage campaigns, allows deep network penetration, remote control, and stealthy data exfiltration.
Together, the new SparrowDoor variants and ShadowPad signify a formidable upgrade in the group’s cyber weaponry. The tools allow the attackers to perform tasks such as:
- Interactive command shell sessions
- File system navigation, manipulation, and transfer
- Process monitoring and control
- Keylogging and screenshot capture
- Proxying traffic to mask origins and destinations
FamousSparrow also employed open-source tools such as PowerHub and Spark RAT, along with privilege-escalation exploits such as BadPotato, blending custom and commodity malware for layered intrusions.
Implications for the U.S. and Cybersecurity Pros
The targeting of a U.S. financial trade group is particularly concerning. It suggests a strategic interest in economic infrastructure and signals that APT groups continue to find success exploiting outdated systems such as legacy Microsoft Exchange servers and unpatched Windows Server instances.
Cybersecurity professionals across the public and private sectors must take heed. The resurgence of FamousSparrow underscores several critical realities:
- Advanced actors don’t always stay silent — they evolve. While activity may pause on the surface, development continues underground. Dormancy doesn’t mean disappearance.
- Tool sharing is becoming more fluid. ShadowPad’s spread among China-linked groups supports theories of a centralized “digital quartermaster” distributing cyber tools across APT ecosystems.
- Attribution remains murky. Though Microsoft recently linked FamousSparrow with Salt Typhoon and GhostEmperor, ESET cautions that such groupings may oversimplify complex relationships between APT actors.
What’s Next?
The campaign marks a chilling reminder: Nation-state actors are actively investing in espionage capabilities, especially against soft targets with legacy infrastructure. With modular tools like SparrowDoor and ShadowPad now in FamousSparrow’s playbook, organizations must double down on defense-in-depth strategies, zero-trust frameworks, and proactive threat hunting.