Famous Sparrow, a cyber espionage group that targets hotels around the world, as well as governments, international organizations, engineering companies and law firms.

The Advanced Persistent Threats (APT) group, FamousSparrow, has been exploiting the Microsoft Exchange vulnerability known as ProxyLogon, which allows hackers to take control of Exchange servers.

The attacks began as early as the day after patches for the ProxyLogon vulnerability were released in March 2021. This is another reminder that it is essential to patch Internet applications quickly or, if it is not possible to do so quickly, not to expose them to the Internet

The victims are found throughout the world, in Europe (France, Lithuania, United Kingdom), the Middle East (Israel, Saudi Arabia), America (Brazil, Canada, Guatemala), Asia (Taiwan) and Africa (Burkina Faso).

Famous Sparrow is believed to have ties to other well-known APT groups as well. It is believed to have been active since 2019.

FamousSparrow is currently the only user of a custom backdoor that we discovered in the research and called SparrowDoor. The group also uses two custom versions of Mimikatz. The presence of any of these custom malicious tools could be used to connect incidents to FamousSparrow.