Robert Lipovsky

The Curse of Salt Typhoon: FamousSparrow Goes After the US Financial Sector

In mid-2024, we discovered an ongoing compromise at an organization in the United States that operates in the financial sector. The threat actor behind this attack is FamousSparrow, a cyberespionage group active since at least 2019 and known for targeting governments and hotels around the world. The group, which we believe is aligned with China’s interests, has mostly flown under the radar since 2022, but is now back with an updated arsenal, including a previously undocumented modular version of SparrowDoor.

This presentation will show a more complete picture of the group’s TTPs, built through collaboration with the targeted organization and from EDR data. We will document this, along with the most interesting tools that were used, including details on two SparrowDoor backdoor variants used exclusively by FamousSparrow. We will also provide insight into how FamousSparrow operates inside the network after gaining initial access, and how defenders can use this knowledge to detect and prevent such malicious activity.

This talk examines potential connections between FamousSparrow and other China-aligned threat actors — including Salt Typhoon, GhostEmperor, and Earth Estries. Using this incident as a case study, we illustrate why attribution and connections between the groups can be difficult, and propose approaches that would make the process more effective.


Robert Lipovsky is a Principal Threat Intelligence Researcher for ESET, with more than 15 years of experience in cybersecurity and a broad spectrum of expertise covering both targeted APTs and e-crime. He is responsible for threat intelligence and malware analysis and leads the Malware Research Team at ESET headquarters in Bratislava.

He is a regular speaker at security conferences, including Black Hat USA, RSA Conference, Virus Bulletin, BlueHat, CyberWarCon, and various NATO-organized conferences. He also teaches reverse engineering at the Slovak University of Technology – his alma mater – and at Comenius University.

When not bound to a keyboard, he enjoys traveling, playing guitar and flying single-engine airplanes.
