SparrowDoor

SparrowDoor is a custom backdoor associated with the China-linked espionage group FamousSparrow. Reporting describes it as the group’s main or flagship backdoor and attributes its use against hotels worldwide as well as government, international organization, engineering, law firm, and other entities in countries including Brazil, Burkina Faso, South Africa, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, Taiwan, Thailand, the United Kingdom, and, in later activity, Mexico, Argentina, Chile, Ecuador, Honduras, and Panama. ESET assessed FamousSparrow exploited vulnerable internet-facing applications, including Microsoft Exchange ProxyLogon, Microsoft SharePoint, and Oracle Opera hotel-management software, to deploy SparrowDoor; later reporting also states FamousSparrow likely exploited ProxyLogon flaws in Microsoft Exchange Server to deploy it in 2025 campaigns.

SparrowDoor is staged via DLL search-order hijacking using the legitimate K7 Computing executable Indexer.exe, a malicious K7UI.dll, and an encrypted shellcode file MpSvc.dll, with staging files dropped in %PROGRAMDATA%\Software. K7UI.dll patches Indexer.exe execution flow, loads and decrypts MpSvc.dll, and executes shellcode that rebuilds and launches an in-memory backdoor image lacking PE headers. Persistence is established via a registry Run key and a Windows service using hardcoded configuration data. SparrowDoor uses command-line arguments including -i, -k, and -d to control execution flow.

Capabilities directly described in the source material include collecting host and system information, communicating with a C2 domain over HTTPS on port 443, attempting direct connection before falling back to proxy settings, file and directory operations, file exfiltration, process creation with stolen tokens, shellcode injection, and command execution through cmd.exe. It can provide an interactive reverse shell using named pipes for I/O and enables SeDebugPrivilege by adjusting its process token. Configuration is decrypted with XOR key ^&32yUgf and includes the C2 domain credits.offices-analytics[.]com; outbound data is XOR-encrypted with key hH7@83#mi and inbound data decrypted with key h*^4hFa.

The content also notes that CrowDoor is a variant of SparrowDoor, and TernDoor is described as a variant of CrowDoor, indicating SparrowDoor as the root of a related backdoor lineage used in later China-linked intrusions.