CrowDoor
CrowDoor is a Windows backdoor malware family and a variant of SparrowDoor. It has been used in China-nexus intrusion activity and is associated in the cited reporting with Earth Estries, Salt Typhoon, UAT-9244, and UAT-8302-linked tooling chains; Cisco Talos also describes TernDoor as a CrowDoor variant and notes that Draculoader is used to deliver CrowDoor. Reported targeting includes telecommunications infrastructure in South America and broader government and technology victims in activity attributed to China-linked clusters.
According to the cited reporting, CrowDoor selects one of several execution modes based on a command-line argument. When run with no argument or with argument 0, it establishes persistence via a Windows Registry Run key or a service and restarts itself. With argument 1, it restarts by injecting into msiexec.exe. With argument 2, it invokes the main backdoor function. The newer variant differs from older ones in using msiexec.exe as the injection target and in changed command/function IDs.
Capabilities described in the reporting include: establishing an initial C2 connection; collecting host information such as computer name, username, OS version, and host/IP details; providing a remote shell; deleting its own files; removing persistence and exiting; and file operations covering open/read, open/write, drive enumeration, file search, directory creation, rename, and delete. The malware also includes dedicated functionality for communicating with its command-and-control server.
Persistence mechanisms explicitly mentioned are Registry Run key modification and Windows service creation. The reporting also states that CrowDoor injects into legitimate processes such as msiexec.exe via CreateRemoteThread or NtCreateThreadEx. Reported package combinations associated with CrowDoor include WinStore.exe with Sqlite3.dll, K7Sysmon.exe with K7Sysmn1.dll/K7Sysmn2.dll/K7Sysmn3.dll, HxTsk.exe with d3d8.dll, and MsMsRng.exe with sqlite3.dll and msimg32.dll; some components are described as stored encrypted.
In the supplied reporting, CrowDoor is discussed in operations involving lateral movement and collection activity by Earth Estries, including use alongside PSExec, WMIC, CAB-packaged payloads, batch scripts, Cobalt Strike, and credential theft tooling such as TrillClient. One report also states Salt Typhoon used CrowDoor for persistence through a combination of registry modifications and service creation.
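As an added defender-side example (not code from the page's sources or from Mallory), the following Python scores simplified Sysmon-style records for the three behaviours described above: remote thread creation into msiexec.exe, Run-key persistence pointing at a reported package executable, and a reported loader executable loading its paired DLL. Field names follow Sysmon events 7, 8 and 13; the sample events, paths and SID are constructed.

```python
# Constructed detection example for the CrowDoor behaviours described above.
# Records are simplified dicts mimicking Sysmon fields; not from any vendor.
from pathlib import PureWindowsPath

# Package pairings reported for CrowDoor (loader executable -> sideloaded DLLs).
REPORTED_PAIRS = {
    "winstore.exe": {"sqlite3.dll"},
    "k7sysmon.exe": {"k7sysmn1.dll", "k7sysmn2.dll", "k7sysmn3.dll"},
    "hxtsk.exe": {"d3d8.dll"},
    "msmsrng.exe": {"sqlite3.dll", "msimg32.dll"},
}
INJECTION_TARGET = "msiexec.exe"  # host process the backdoor injects into

def base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return PureWindowsPath(path).name.lower()

def assess(event: dict) -> list[str]:
    """Return CrowDoor-related findings for one Sysmon-style event."""
    findings = []
    eid = event.get("EventID")
    src = base(event.get("SourceImage") or event.get("Image", ""))
    if eid == 8 and base(event.get("TargetImage", "")) == INJECTION_TARGET:
        # Event 8 = remote thread creation: the argument-1 restart path.
        findings.append(f"remote thread into {INJECTION_TARGET} from {src}")
    if eid == 13 and "\\currentversion\\run\\" in event.get("TargetObject", "").lower():
        # Event 13 = registry value set; check Run-key data for a reported loader.
        if any(exe in event.get("Details", "").lower() for exe in REPORTED_PAIRS):
            findings.append("Run key points at a reported CrowDoor loader")
    if eid == 7 and base(event.get("ImageLoaded", "")) in REPORTED_PAIRS.get(src, ()):
        # Event 7 = image load; a reported loader pulled in its paired DLL.
        findings.append(f"{src} loaded paired DLL {base(event['ImageLoaded'])}")
    return findings

# Constructed sample telemetry; paths and SIDs are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\ProgramData\K7\K7Sysmon.exe",
     "ImageLoaded": r"C:\ProgramData\K7\K7Sysmn1.dll"},
    {"EventID": 8, "SourceImage": r"C:\ProgramData\K7\K7Sysmon.exe",
     "TargetImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 13, "Image": r"C:\ProgramData\K7\K7Sysmon.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\K7",
     "Details": r"C:\ProgramData\K7\K7Sysmon.exe 0"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",  # benign control
     "ImageLoaded": r"C:\Windows\System32\d3d8.dll"},
]

if __name__ == "__main__":
    for idx, event in enumerate(SAMPLE_EVENTS):
        for finding in assess(event):
            print(idx, finding)
```

The benign notepad.exe record loads d3d8.dll but is not a reported loader, so it produces no finding; matching on the executable/DLL pairing rather than the DLL name alone keeps the rule from firing on every legitimate Direct3D consumer.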
Groups observed using it
4 distinct threat actors attributed by public researchers.
"Crowdoor will perform different actions based on the corresponding argument... Persistence is set through the registry Run key or a service... The backdoor is restarted by injecting to 'msiexec.exe'... Remote shell... File related Operation... Communication with C&C server"
A variant of Crowdoor (itself a variant of SparrowDoor), the backdoor is said to have been put to use by UAT-9244 since at least November 2024.
TernDoor is a variant of CrowDoor, a backdoor deployed in recent intrusions linked to China-nexus APTs such as FamousSparrow and Earth Estries. CrowDoor is a variant of SparrowDoor...
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (2 techniques)
"However, in some instances, WMIC may be used in its place to achieve similar results."
"A set of batch files will then be copied and executed to perform the extraction, installation, and execution of the malware."
Persistence (2 techniques)
Privilege Escalation (3 techniques)
"Persistence is set through the registry Run key or a service and the backdoor is restarted"
Stealth (1 technique)
Discovery (3 techniques)
Lateral Movement (1 technique)
"Earth Estries uses PSExec to laterally install its backdoors and tools... by copying the CAB files... and a batch file to perform the installation"
Collection (1 technique)
"archived using the tar command"; "Earth Estries utilizes RAR for collecting information of interest"
Command and Control (1 technique)
"copying the CAB files containing the backdoors or tools, and a batch file to perform the installation"; "uses wget to download target documents"
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Payload delivered by Draculoader.
Referenced as a related backdoor family (variant lineage: Crowdoor -> SparrowDoor) used for comparison with TernDoor; specific functional details are not provided beyond its relationship/overlap.
Windows backdoor family (and a SparrowDoor variant) used in China-nexus intrusions; TernDoor is described as a newly observed variation with different command codes and an embedded encrypted driver for process control/evasion.
Backdoor that persists via Run-key registry modification and/or Windows service creation; supports process injection (e.g., into msiexec.exe) and encrypted C2 communications with command/tasking capabilities (file ops, remote shell, etc.).