The Tower of Sparrows: Earth Estries

Threat Intelligence Tarot

Vol. II · 117

China

★★★★★

risk 4/5

✦ The Tower of Sparrows ✦

Earth Estries

FamousSparrow · GhostEmperor-adjacent · UNC2286

TelecommunicationsGovernmentTechnologyAsia-PacificSouth America

Active since ~2020 · Telecommunications espionage, Government intelligence

The Tower of Sparrows is built one breach at a time, each compromised carrier becoming a perch from which to watch the rest. By the time defenders see the silhouette, the tower is taller than the skyline.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1190

Exploit Public-Facing Application

Initial Access

T1505.003

Web Shell

Persistence

T1014

Rootkit

Defense Evasion

T1071.001

Web Protocols

Command and Control

T1027

Obfuscated Files or Information

Defense Evasion

T1078

Valid Accounts

Persistence

Notable Operations

◆Telecom backbone intrusions across 2023-2024 (Trend Micro disclosure)
◆Demodex kernel-mode rootkit deployments
◆Zingdoor and HemiGate backdoor families
◆Crowdoor implant against Asia-Pacific governments

Defenses

▸
Telecom-sector ISAC participation and IOC sharing
NIST CSF: RS.CO ↗
▸
Kernel driver allowlisting and signed-driver scrutiny
MITRE D3FEND
▸
Network device firmware integrity monitoring
NIST CSF: PR.DS ↗
▸
Web shell scanning on all internet-facing servers
NIST CSF: DE.CM ↗

Reversed: Their Weakness

Telecom-sector intelligence sharing through national CERTs is its primary counterweight. When carriers share IOCs before regulators do, the tower stops growing.

Share this adversary profile

Compare →

← → arrow keys to browse

swipe to browse

← PreviousThe Heartbeat Next →The Threshold Walker

Related Adversaries

The Throne of Drivers

Data sourced from MITRE ATT&CK. For educational purposes.