ID: 539437b6-92be-45a9-891e-605c184775ae
STIX ID: report--539437b6-92be-45a9-891e-605c184775ae
Threat Score: 85/100
ESET observed FamousSparrow activity in July 2024 against a U.S. trade group and a Mexican research institute. The actor used an IIS web shell to deploy Base64-encoded .NET web shells, which installed two new SparrowDoor backdoor variants (one of them modular, with plugin modules) and ShadowPad. The report details improved parallel command execution and extensive backdoor functionality (proxy, interactive shell, file operations, keystroke logging, RDP screenshots, etc.), and notes that the victims ran outdated Windows Server and Exchange instances.
