FamousSparrow: A suspicious hotel guest
FamousSparrow is considered to be the only current user of the custom backdoor SparrowDoor.
It also uses two custom versions of Mimikatz, which can serve to link incidents to this group. While the researchers consider FamousSparrow to be a separate entity, they found connections to other known APT groups.
In one case, the attackers deployed a variant of Motnug, a loader used by SparklingGoblin.
In another case, on a machine compromised by FamousSparrow, they found a running Metasploit with cdn.kkxx888666[.]com as its C&C server.
This domain is related to a group known as DRBControl.