Famous Sparrow
Famous Sparrow is a suspected China-nexus advanced persistent threat (APT) group active since at least 2019, with a history of targeting hotels, governments, international organizations, and law firms. Recent reporting from Cisco Talos assesses with high confidence that a China-linked cluster tracked as UAT-9244 is closely associated with Famous Sparrow and has targeted telecommunications providers and critical telecommunications infrastructure in South America since 2024, with the aim of maintaining persistent access to communications infrastructure. In the UAT-9244 telecom-focused activity, Talos reported three malware and tool families:
- TernDoor: a Windows backdoor assessed as a CrowDoor variant whose lineage traces back to SparrowDoor (long attributed to Famous Sparrow). It is deployed via DLL side-loading and executed in memory (observed injected into msiexec.exe), persists through scheduled tasks and Registry Run keys, and uses a malicious driver to suspend or terminate processes.
- PeerTime: a multi-architecture Linux ELF backdoor (including ARM, MIPS, PowerPC, and AArch64 builds) that uses BitTorrent-based peer communications to retrieve instructions and payloads; the associated tooling contains Simplified Chinese debug strings.
- BruteEntry: a Go-based credential brute-forcing and scanning tool used against exposed services (including SSH, Postgres, and Tomcat) and to turn compromised edge devices into ORB-like mass-scanning proxy and relay nodes.
Aliases and related tracking: FamousSparrow (stylistic variant) and the closely associated cluster designation UAT-9244. Talos also assessed overlap between UAT-9244 and Tropic Trooper.
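As an added, defender-side example (not code from this page or from Talos), the following Python hunts constructed Sysmon-style events for the TernDoor behaviours described above: msiexec.exe started with no installer package, a remote thread created in msiexec.exe, and a Run-key value pointing at a user-writable path. The field names follow Sysmon conventions, while the sample events, the path heuristics and the rule names are constructed assumptions.

```python
import re

# Constructed Sysmon-style events (not telemetry from the reporting). EventID 1 =
# process create, 8 = CreateRemoteThread, 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\alice\Downloads\tool.msi /qn",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "msiexec.exe",
     "ParentImage": r"C:\Users\Public\Libraries\updater.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\Libraries\updater.exe",
     "TargetImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 13, "Details": r"C:\Users\Public\Libraries\updater.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 13, "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"^C:\\(Users|ProgramData|Windows\\Temp)\\", re.I)  # heuristic
PACKAGE_ARG = re.compile(r"\.ms[ip]\b", re.I)  # an .msi/.msp on the command line


def is_msiexec(path):
    return path.lower().endswith(r"\msiexec.exe")


def hunt(events):
    """Return (rule, suspect_image) pairs for the three TernDoor-style behaviours."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 1 and is_msiexec(e.get("Image", "")):
            # msiexec.exe with nothing to install is consistent with use as an in-memory host
            if not PACKAGE_ARG.search(e.get("CommandLine", "")):
                findings.append(("msiexec_without_package", e.get("ParentImage", "")))
        elif eid == 8 and is_msiexec(e.get("TargetImage", "")):
            findings.append(("remote_thread_into_msiexec", e.get("SourceImage", "")))
        elif eid == 13 and RUN_KEY.search(e.get("TargetObject", "")):
            # Run-key persistence whose payload lives in a user-writable directory
            if USER_WRITABLE.match(e.get("Details", "")):
                findings.append(("run_key_user_writable_path", e.get("Details", "")))
    return findings


def corroborated(findings):
    """Images that trip more than one rule: persistence plus injection into msiexec."""
    by_image = {}
    for rule, image in findings:
        by_image.setdefault(image.lower(), set()).add(rule)
    return sorted(img for img, rules in by_image.items() if len(rules) > 1)
```

Scheduled-task persistence is not covered here; the same per-event matching applies to task-creation events once their payload path is extracted.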
Targeting
Attributed origin, per open-source reporting:
- CN
Tradecraft
11 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
- Referenced as an associated China-nexus APT actor linked to UAT-9244 activity.
- Suspected Chinese APT compromising telecommunications infrastructure across South America using new tooling and backdoors for Windows and Linux.
- China-linked espionage actor assessed as overlapping with UAT-9244; historically targets hotels, governments, international organizations, and law firms, and is linked in this reporting via malware lineage (SparrowDoor -> CrowDoor -> TernDoor).
- China-linked cyberespionage group active since at least 2019; referenced here as overlapping with UAT-9244 and historically associated with the SparrowDoor lineage (via CrowDoor/TernDoor).