SparrowDoor
SparrowDoor is a custom backdoor and the flagship malware associated with the China-aligned cyberespionage group FamousSparrow. Public reporting describes FamousSparrow using SparrowDoor since at least 2019 in espionage intrusions against hotels worldwide as well as governments, international organizations, engineering companies and law firms, and later against victims in the United States and Latin America, including Mexico, Honduras, Argentina, Chile, Ecuador, Guatemala, and Panama. ESET assessed that FamousSparrow most likely gained initial access by exploiting vulnerable internet-facing applications, including Microsoft Exchange (ProxyLogon), Microsoft SharePoint, and Oracle Opera. In the later cases the group deployed webshells on IIS servers running outdated Windows Server and Exchange builds, for which several public exploits exist; the exact exploit used was not determined, and SparrowDoor was delivered through those webshells.
SparrowDoor is staged through DLL side-loading (DLL search-order hijacking). Earlier reporting described the legitimate K7 Computing executable Indexer.exe being used to load a malicious K7UI.dll, which in turn decrypts and executes an encrypted shellcode file, MpSvc.dll, stored in %PROGRAMDATA%\Software. Later intrusions used a three-file "trident" loader in which the legitimate K7AVMScn.exe is abused to side-load an RC4-encrypted SparrowDoor payload; the decrypted payload contains a custom configuration and reflective-loader shellcode. Persistence has been observed via both a Windows service and Registry Run keys (reported service / Run value names include K7Soft), and earlier reporting noted that the persistence method was selected by hardcoded configuration data. For hunting, the practical tell is a K7 binary executing outside its installation directory, or loading a K7UI.dll that is unsigned or sits beside the executable in a writable location such as %PROGRAMDATA%.
Capabilities directly reported for SparrowDoor include collection of host and system information, C2 communications (reported as HTTPS-based in one summary and as raw TCP sockets in ESET's technical analysis), an interactive shell implemented by spawning cmd.exe and relaying input and output over named pipes, file and directory operations, file listing, file exfiltration and other file I/O, process creation with stolen tokens, shellcode injection, proxying, drive enumeration, network configuration changes, relaunching itself for persistence, self-uninstall, and enabling SeDebugPrivilege. Earlier versions used command-line arguments including -i, -k, and -d to select the execution path. One newly reported variant performs process hollowing of colorcpl.exe when launched with argument 11: it starts colorcpl.exe with the argument 22 and injects its loader into the new process, so the main backdoor logic runs inside a colorcpl.exe whose command line is just that number. SparrowDoor has also been reported to store or derive a victim identifier under HKLM\Software\CLASSES\CLSID\ID, with a fallback to the same path under HKCU.
Configuration and crypto details in the source material include: a SparrowDoor configuration decrypted with the XOR key ^&32yUgf; the C2 domain credits.offices-analytics[.]com; an outbound (backdoor-to-C2) XOR key hH7@83#mi and an inbound (C2-to-backdoor) XOR key h*^4hFa; and, in the modular variant, RC4-encrypted network traffic using the hardcoded key iotrh^%4CFGTj. The decrypted configuration consists of three address/port pairs that the backdoor tries in order, moving to the next server when a connection fails. Because these keys are hardcoded, a decoder seeded with them can recover the configuration from a sample or decode a capture, with the obvious caveat that a rebuilt variant may ship different keys. ESET reported two previously undocumented SparrowDoor versions in 2024 activity, including a modular variant with an improved architecture and parallelized command handling. Reporting also states that one of these newer variants resembles Trend Micro's CrowDoor, and multiple sources characterize CrowDoor as a SparrowDoor variant. Cisco Talos further described TernDoor as a CrowDoor variant and therefore part of the SparrowDoor lineage.
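The following decoder is an added example written for this page; it is not ESET's tooling or code from the malware. It applies the four keys quoted above to configuration and traffic blobs. Two things are assumed and labelled in the code: the XOR keystream is a plain repeating key (the reports name the keys but not the schedule), and the configuration layout is modelled as a constructed "host:port;host:port;..." text so that the three-entry failover list is visible after decryption. The sample blobs are built inline by encrypting that constructed plaintext, so the script runs offline; the RC4 routine is checked against the public "Key"/"Plaintext" test vector.

```python
"""Decode SparrowDoor configuration and traffic blobs with the keys quoted in
public reporting. Added example, not ESET's or the malware's own code."""
from __future__ import annotations

import re
from itertools import cycle

# Keys as reported for the family (see the section above).
CONFIG_XOR_KEY = b"^&32yUgf"        # configuration blob
OUTBOUND_XOR_KEY = b"hH7@83#mi"     # backdoor -> C2
INBOUND_XOR_KEY = b"h*^4hFa"        # C2 -> backdoor
MODULAR_RC4_KEY = b"iotrh^%4CFGTj"  # RC4 traffic key of the modular variant


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. ASSUMPTION: the reports quote the keys but not the
    keystream schedule, so a plain repeating key is assumed; encrypt == decrypt."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA), written out so the example needs no
    crypto library. Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# ASSUMPTION: the real configuration is a binary structure; this example models
# the reported content (three address/port pairs tried in order) as a simple
# "host:port;host:port;..." text so the parsing step is visible.
C2_ENTRY = re.compile(rb"([A-Za-z0-9.\-\[\]]+):(\d{1,5})")


def parse_c2_list(plaintext: bytes) -> list[tuple[str, int]]:
    """Extract (host, port) pairs from a decrypted configuration, in order."""
    return [(h.decode(), int(p)) for h, p in C2_ENTRY.findall(plaintext)]


def decode_xor_config(blob: bytes) -> list[tuple[str, int]]:
    """Older loader: configuration XOR-encoded with ^&32yUgf."""
    return parse_c2_list(xor_repeating(blob, CONFIG_XOR_KEY))


def decode_rc4_config(blob: bytes) -> list[tuple[str, int]]:
    """Modular variant: RC4 with the hardcoded key iotrh^%4CFGTj."""
    return parse_c2_list(rc4(MODULAR_RC4_KEY, blob))


def decrypt_traffic(frame: bytes, *, from_implant: bool) -> bytes:
    """XOR-decode a captured frame with the direction-specific key."""
    key = OUTBOUND_XOR_KEY if from_implant else INBOUND_XOR_KEY
    return xor_repeating(frame, key)


# Constructed sample (not a real capture): a fake config built from the two
# network indicators named on this page plus an alternate port, encrypted both
# ways so the decoders above have something to work on.
SAMPLE_PLAINTEXT = (
    b"credits.offices-analytics[.]com:443;45.131.179[.]24:443;45.131.179[.]24:8080"
)
SAMPLE_XOR_BLOB = xor_repeating(SAMPLE_PLAINTEXT, CONFIG_XOR_KEY)
SAMPLE_RC4_BLOB = rc4(MODULAR_RC4_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("RC4 self-check:", rc4(b"Key", b"Plaintext").hex())  # bbf316e8d940af0ad3
    print("XOR config ->", decode_xor_config(SAMPLE_XOR_BLOB))
    print("RC4 config ->", decode_rc4_config(SAMPLE_RC4_BLOB))
```

Run against a real sample, the first thing to check is the RC4 self-test and then whether the decrypted buffer contains recognisable structure; if it does not, the variant is using a different key or schedule and the assumption in xor_repeating is the first place to look.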
SparrowDoor is strongly tied to FamousSparrow in the provided reporting. ESET assessed with high confidence that 2024 intrusions in a U.S. financial-sector trade group and a Mexican research institute were attributable to FamousSparrow based on exclusive SparrowDoor lineage, loader code overlaps, and similar C2 communication patterns. Additional reporting cited FamousSparrow activity against a governmental institution in Honduras and later governmental entities in Argentina, Ecuador, Guatemala, Honduras, and Panama. High-confidence indicators mentioned in the content include credits.offices-analytics[.]com, 45.131.179[.]24, and the registry path HKLM\Software\CLASSES\CLSID\ID used for victim identification.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2021-26855 (Microsoft Exchange ProxyLogon). Evidence: "Both groups were also early exploiters of the ProxyLogon vulnerability (CVE-2021-26855) and have used some of the same publicly available tools." | "the compromised network revealed not one, but two previously undocumented versions of SparrowDoor, FamousSparrow's flagship backdoor. Both of these versions of SparrowDoor constitute marked progress over earlier ones..."
Groups observed using it
4 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
This attack chain was attempting to load the Crowdoor loader, which is half-named after the SparrowDoor backdoor, detailed by ESET... Also, the command-line argument “2” found in a variant related to Tropic Trooper samples is very similar to SparrowDoor “-k” switch functionality.
TAG-141 (FamousSparrow) leveraged SparrowDoor malware against entities in Mexico, Argentina, and Chile.
CrowDoor is a variant of SparrowDoor, another backdoor attributed to FamousSparrow.
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (1 technique)
In order to gain initial access to the affected network, FamousSparrow deployed a webshell on an IIS server. While we were unable to determine the exact exploit used to deploy the webshells, both victims were running outdated versions of Windows Server and Microsoft Exchange, for which there are several publicly available exploits.
Execution (5 techniques)
ESET's experts found that the China-aligned cyberespionage outfit has hit its targets with two previously undocumented versions of their flagship backdoor called SparrowDoor. Importantly, the group was also observed using the ShadowPad backdoor for the first time.
In the cases we observed, this was used to spawn an interactive remote PowerShell session. Once this session was established, attackers used legitimate Windows tools to obtain information about the host and the Active Directory domains to which it was joined.
First, the backdoor sends back an acknowledgment message... It then spawns a cmd.exe process and uses a pair of threads and named pipes to relay commands and their output between the C&C server and the shell.
Persistence (2 techniques)
Privilege Escalation (4 techniques)
When executed with the argument 11, the backdoor launches the Windows color management tool (colorcpl.exe) with a command line argument of 22 and injects its loader into the newly created process.
Table 1. Command line arguments for SparrowDoor (excerpt): Argument 11: Process hollowing of colorcpl.exe.
Defense Evasion (6 techniques)
Same evidence as under Privilege Escalation: when executed with the argument 11, the backdoor launches colorcpl.exe with a command line argument of 22 and injects its loader into the newly created process (Table 1: argument 11, process hollowing of colorcpl.exe).
The script contains a base64-encoded .NET webshell that it writes to C:\users\public\s.txt. It then decodes it using certutil.exe and saves the decoded output to C:\users\public\s.ashx.
SparrowDoor launches the process into which it injects the loader, with its window hidden.
Discovery (2 techniques)
Lateral Movement (1 technique)
Command and Control (5 techniques)
The resulting plaintext is the C&C server configuration, which consists of three pairs of addresses and ports... After loading this configuration, the backdoor will try to connect to the first server... then the next server, and so on.
The threat actor initially downloaded a batch script over HTTP from a download server... They then downloaded PowerHub... Finally, the attacker used PowerShell’s built-in Invoke-WebRequest to download three files from the same server.
SparrowDoor uses raw TCP sockets to communicate with its C&C server.
They then downloaded PowerHub, an open-source post-exploitation framework, from an attacker-controlled server... Finally, the attacker used PowerShell’s built-in Invoke-WebRequest to download three files from the same server that comprise SparrowDoor’s trident loader.
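The technique sections above describe a chain with several observable steps: a K7 binary side-loading K7UI.dll, files staged under %PROGRAMDATA%\Software, colorcpl.exe started with a numeric argument and hollowed, cmd.exe spawned for the interactive shell, certutil.exe decoding the webshell into C:\users\public, and the K7Soft persistence and CLSID\ID registry writes. The hunt rules below are an added example written for this page, not a vendor or ESET rule set. They run over constructed Sysmon-style events (EventID 1 process create, 7 image load, 13 registry value set, field names as in Sysmon's schema). Assumptions are labelled in the code: the genuine K7 install directories, that whitespace-splitting the command line is sufficient, and that the interactive shell appears as a child of the hollowed colorcpl.exe.

```python
"""Hunt rules for the SparrowDoor staging chain summarised in the technique
sections above, run over constructed Sysmon-style events. Added example, not a
vendor rule set. EventID 1 = process create, 7 = image load, 13 = registry set."""
from __future__ import annotations

import ntpath

K7_HOSTS = {"indexer.exe", "k7avmscn.exe"}  # legitimate K7 binaries abused as side-load hosts
# ASSUMPTION: where a genuine K7 install lives; tune to your estate.
LEGIT_K7_DIRS = ("c:\\program files\\k7", "c:\\program files (x86)\\k7")
STAGING_DIR = "c:\\programdata\\software\\"  # %PROGRAMDATA%\Software from the earlier chain


def _base(path: str | None) -> str:
    return ntpath.basename(path or "").lower()


def _norm(path: str | None) -> str:
    return (path or "").lower()


def r_sideload_k7ui(ev: dict) -> bool:
    """K7 host binary loading a K7UI.dll that is unsigned or outside the K7 install."""
    if ev.get("EventID") != 7 or _base(ev.get("Image")) not in K7_HOSTS:
        return False
    dll = _norm(ev.get("ImageLoaded"))
    if _base(dll) != "k7ui.dll":
        return False
    unsigned = str(ev.get("Signed", "false")).lower() != "true"
    return unsigned or not dll.startswith(LEGIT_K7_DIRS)


def r_staging_dir(ev: dict) -> bool:
    """Anything run, loaded, written or parented from %PROGRAMDATA%\\Software."""
    return any(_norm(ev.get(k)).startswith(STAGING_DIR)
               for k in ("Image", "ParentImage", "ImageLoaded", "TargetFilename"))


def r_colorcpl_hollow(ev: dict) -> bool:
    """colorcpl.exe started with a lone numeric argument (the variant passes 22).
    ASSUMPTION: whitespace splitting is enough for the command lines seen here."""
    if ev.get("EventID") != 1 or _base(ev.get("Image")) != "colorcpl.exe":
        return False
    args = (ev.get("CommandLine") or "").split()[1:]
    return len(args) == 1 and args[0].isdigit()


def r_shell_from_colorcpl(ev: dict) -> bool:
    """cmd.exe whose parent is colorcpl.exe, which has no reason to spawn a shell.
    ASSUMPTION: the interactive shell is spawned from the hollowed host process."""
    return (ev.get("EventID") == 1 and _base(ev.get("Image")) == "cmd.exe"
            and _base(ev.get("ParentImage")) == "colorcpl.exe")


def r_certutil_webshell(ev: dict) -> bool:
    """certutil -decode whose output file is an .ashx/.aspx (the IIS webshell drop)."""
    if ev.get("EventID") != 1 or _base(ev.get("Image")) != "certutil.exe":
        return False
    toks = (ev.get("CommandLine") or "").lower().split()
    return "-decode" in toks and toks[-1].endswith((".ashx", ".aspx"))


def r_k7soft_persistence(ev: dict) -> bool:
    """Run value or service named K7Soft being written."""
    t = _norm(ev.get("TargetObject"))
    return ev.get("EventID") == 13 and (
        "\\currentversion\\run\\k7soft" in t or "\\services\\k7soft\\" in t)


def r_victim_id_registry(ev: dict) -> bool:
    """Victim identifier written to ...\\Software\\CLASSES\\CLSID\\ID (HKLM or HKCU)."""
    return ev.get("EventID") == 13 and _norm(ev.get("TargetObject")).endswith("\\classes\\clsid\\id")


RULES = {
    "sideload_k7ui": r_sideload_k7ui, "staging_dir": r_staging_dir,
    "colorcpl_hollow": r_colorcpl_hollow, "shell_from_colorcpl": r_shell_from_colorcpl,
    "certutil_webshell": r_certutil_webshell, "k7soft_persistence": r_k7soft_persistence,
    "victim_id_registry": r_victim_id_registry,
}


def hunt(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule name, event index) for every rule/event match, in event order."""
    return [(name, i) for i, ev in enumerate(events) for name, fn in RULES.items() if fn(ev)]


# Constructed events (not real telemetry); benign look-alikes sit beside the malicious ones.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\K7 Computing\K7TSecurity\Indexer.exe",  # 0 benign
     "ImageLoaded": r"C:\Program Files\K7 Computing\K7TSecurity\K7UI.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\ProgramData\Software\Indexer.exe",  # 1 side-load from staging dir
     "ImageLoaded": r"C:\ProgramData\Software\K7UI.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\colorcpl.exe", "CommandLine": "colorcpl.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},  # 2 benign colour panel
    {"EventID": 1, "Image": r"C:\Windows\System32\colorcpl.exe",  # 3 hollowing target with "22"
     "CommandLine": r'"C:\Windows\System32\colorcpl.exe" 22',
     "ParentImage": r"C:\ProgramData\Software\K7AVMScn.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe",
     "ParentImage": r"C:\Windows\System32\colorcpl.exe"},  # 4 interactive shell
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",  # 5 webshell decode
     "CommandLine": r"certutil.exe -decode C:\users\public\s.txt C:\users\public\s.ashx",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",  # 6 benign certutil
     "CommandLine": "certutil.exe -verify signed.cer", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\K7Soft"},  # 7
    {"EventID": 13, "TargetObject": r"HKLM\Software\CLASSES\CLSID\ID"},  # 8 victim identifier
]

if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS):
        print(f"{name:22s} event[{idx}]")
```

The rules are deliberately narrow on the page's own artifacts (file names, paths, argument values, registry locations) so they are cheap to run over historical telemetry; the side-loading rule is the one worth generalising, since the same K7 host binaries could be paired with a differently named malicious DLL in a future build.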
IOCs tracked for this family
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups; full values are available in Mallory.
Network: IPs, domains, and DNS infrastructure linked to this family.
Files: hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malware used by TAG-141 (FamousSparrow) against entities in multiple LAC countries.
Referenced as the parent backdoor family in the lineage described (Crowdoor is a variant of SparrowDoor); no additional capabilities described in the provided content.
Backdoor family referenced as the parent lineage for CrowDoor; attributed in the content to Famous Sparrow.
Backdoor used by the Chinese threat actor FamousSparrow in attacks on U.S. and Mexican organizations.