TRENDING TOPICS MAR 27, 2025

FamousSparrow Upgrades Toolkit in Targeted Attacks on U.S. and Mexico

The Chinese threat actor FamousSparrow launched coordinated attacks on a U.S. trade group and a Mexican research institute in late 2024 and early 2025, marking a significant evolution in its tactics and toolset. The group deployed two new variants of its custom backdoor, SparrowDoor, one improved and the other modular, while incorporating ShadowPad for the first time, a backdoor commonly used by other Chinese state-sponsored clusters. Initial access was achieved through a web shell planted on outdated Microsoft IIS servers, with both victims running legacy versions of Windows Server and Exchange Server. The attackers used a remote script to deliver a Base64-encoded .NET web shell that triggered the deployment of both SparrowDoor and ShadowPad. This shift in tooling reflects FamousSparrow's ongoing investment in stealth, persistence, and adaptability across compromised environments. The first variant of SparrowDoor now supports concurrent command execution by spawning separate threads for different instructions, allowing seamless interaction with the command-and-control infrastructure. Each thread maintains a dedicated connection to the C2 server and sends unique victim and command identifiers so that tasks can be managed in parallel. Supported operations include launching shell sessions, file transfers, filesystem navigation, and system information collection, with the added capability to self-delete. The second variant adopts a modular, plugin-based design with nine functional modules for tasks like keystroke logging, screenshot capture, TCP proxy setup, and process management. These updates, together with similarities to Crowdoor and overlaps with other known Chinese APT groups, confirm that FamousSparrow is actively developing and refining its malware arsenal for highly targeted, long-term operations.

Update: EncryptHub Exploits MMC Zero-Day to Deliver Custom Malware and Stealers

EncryptHub, a threat group linked to Russian activity cluster Water Gamayun, leveraged a Windows zero-day (CVE-2025-26633) to deliver a variety of malware including Rhadamanthys, StealC, and its proprietary tools. The vulnerability lies in how the Microsoft Management Console (MMC) handles Multilingual User Interface Paths, allowing attackers to trick the system into executing a malicious .msc file. The exploit involves planting two identically named .msc files, one legitimate and one weaponized, where the malicious version is stored under an "en-US" subdirectory. Due to how MMC resolves file paths, the system loads the malicious file, enabling silent code execution. This method, dubbed MSC EvilTwin, was used to drop payloads, steal data, and establish long-term access to infected machines. The attackers also used alternative methods involving .msc files to execute malicious payloads. One technique abuses MMC’s ExecuteShellCommand to pull down a second-stage loader, while another bypasses UAC using spoofed directories resembling trusted Windows paths. Initial infection often starts through signed MSI installers impersonating Chinese apps, which then fetch the PowerShell-based EvilTwin loader. Custom malware families observed in this campaign include EncryptHub Stealer, SilentPrism, and DarkWisp backdoors, collectively tracked by some vendors as EncryptRAT. Active since at least April 2024, this campaign is still evolving, showcasing EncryptHub’s focus on stealth, persistence, and data theft through zero-day exploitation and social engineering.
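As an added defensive check that is not part of the original article: a Python scan for the on-disk layout the MSC EvilTwin description gives, where a `.msc` console file has a same-named twin in an `en-US` subdirectory. The constructed sample tree, the content-hash comparison and the `LOCALE_DIRS` list are this example's assumptions, not details from the article.

```python
"""Spot MSC EvilTwin-style shadowing: an .msc beside a same-named .msc in en-US/."""
import hashlib
import tempfile
from pathlib import Path

# The article names the "en-US" subdirectory; adding further MUI locale folders
# to this tuple is this example's assumption, not something the article states.
LOCALE_DIRS = ("en-US",)


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_msc_twins(root, locale_dirs=LOCALE_DIRS):
    """Return [(original, twin, identical_content)] for every shadowing pair.

    A pair is `<dir>/<name>.msc` plus `<dir>/<locale>/<name>.msc`. Whether the
    two files are byte-identical is reported so a harmless duplicate can be
    told apart from a swapped-in payload that needs a closer look.
    """
    locales = {d.lower() for d in locale_dirs}
    findings = []
    for msc in sorted(Path(root).rglob("*.msc")):
        if msc.parent.name.lower() in locales:
            continue  # file inside a locale folder; handled via its parent pair
        for loc in locale_dirs:
            twin = msc.parent / loc / msc.name
            if twin.is_file():
                findings.append((str(msc), str(twin), _sha256(msc) == _sha256(twin)))
    return findings


def build_sample_tree(base):
    """Constructed layout for the demo (no real console files or samples)."""
    base = Path(base)
    (base / "tools" / "en-US").mkdir(parents=True)
    (base / "tools" / "sample.msc").write_bytes(b"<!-- constructed benign console -->")
    (base / "tools" / "en-US" / "sample.msc").write_bytes(b"<!-- constructed twin -->")
    (base / "admin").mkdir()
    (base / "admin" / "other.msc").write_bytes(b"<!-- constructed, no twin -->")
    return base


def demo():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_msc_twins(build_sample_tree(tmp))


if __name__ == "__main__":
    for original, twin, same in demo():
        print(f"{'duplicate' if same else 'SHADOWED'}: {original} <- {twin}")
```

On a real host, point `find_msc_twins` at the directories where console files live and treat any non-identical pair as worth triage.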

RedCurl Unleashes QWCrypt Ransomware in Shift from Espionage to Disruption

RedCurl, previously known for corporate espionage and data theft, has now pivoted toward ransomware with the discovery of QWCrypt, a new strain designed to target Hyper-V servers. This change marks their first known use of ransomware and indicates a tactical shift in their objectives. QWCrypt is a Go-based executable packed with UPX and built to encrypt virtual machines hosted on hypervisors while intentionally avoiding specific machines functioning as network gateways, suggesting a calculated move to disrupt internal IT systems without halting core connectivity. The ransomware comes preloaded with a hardcoded personal ID and a public RSA key, implying that the attackers hold the matching private key for decryption upon ransom payment. The toolset and target selection indicate a refined and targeted approach with high familiarity with enterprise environments. The infection chain remains aligned with RedCurl’s prior operations, beginning with spear-phishing campaigns that use IMG files disguised as resumes. These lure files initiate DLL sideloading through trusted Adobe binaries, enabling stealthy execution of the ransomware. Once embedded, the attack relies on tailored batch scripts to disable security defenses, including Windows Defender, and leverages Living Off The Land methods using native Windows tools like pcalua[.]exe and rundll32[.]exe. This level of system awareness and customization suggests extensive reconnaissance and pre-infection groundwork. The exclusive focus on Hyper-V servers, while deliberately preserving gateway functionality, signals a strategy aimed at internal disruption without triggering broader business outages. This escalation in RedCurl's capabilities emphasizes the growing complexity of modern threat actors and reinforces the need for proactive, layered defense strategies across enterprise networks.

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.