Independent CTI analyst. State-sponsored campaigns read as expressions of strategic intent. Tracing what actors fear, decide, and do next. github.com/seraphimdeck
GitHub: https://github.com/seraphimdeck/SerapHim-CTI
OTX-AlienVault: https://otx.alienvault.com/user/seraphimltd/pulses
Contact: [email protected]

[PHIM] F11 — .text section entropy: 6.59/8.0

Typical code section range: 5.0–5.5
Packed/encrypted: approaching 8.0
SparrowDoor .text: 6.59 — anomalous.

Per-section breakdown:
.text → 6.59 (ANOMALOUS)
.rdata → 5.12 (normal)
.data → 2.25 (sparse, Stage 2 not embedded)
.rsrc → 4.88 (normal)
.reloc → 4.59 (normal)

.data at 2.25 confirms MpSvc.dll loaded from disk
at runtime — payload not embedded in Stage 1.

not present in public vendor reporting.

#ReverseEngineering #MalwareAnalysis
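An added example, not code from the post or the SerapHim-CTI repository: per-section Shannon entropy read straight from a PE section table, labelled with the ranges the post quotes. The 7.0 cut-off standing in for "approaching 8.0", the label strings and the minimal PE builder used for offline testing are my assumptions.

```python
"""Per-section Shannon entropy for a PE image, labelled with the post's thresholds."""
import math
import struct
from collections import Counter

TYPICAL_CODE_MAX = 5.5   # post: typical code section range 5.0-5.5
PACKED_MIN = 7.0         # assumption: "approaching 8.0" treated as >= 7.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/uniform input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(section: str, entropy: float) -> str:
    """Apply the post's ranges; only .text is judged against the code-section range."""
    if entropy >= PACKED_MIN:
        return "packed/encrypted"
    if section == ".text" and entropy > TYPICAL_CODE_MAX:
        return "anomalous"
    return "normal"

def pe_section_entropy(image: bytes) -> dict:
    """Walk the COFF section table and return {name: (entropy, label)} per section."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsections, = struct.unpack_from("<H", image, coff + 2)
    opt_size, = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size          # section headers follow the optional header
    out = {}
    for i in range(nsections):
        hdr = table + 40 * i              # IMAGE_SECTION_HEADER is 40 bytes
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        ent = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
        out[name] = (round(ent, 2), classify(name, ent))
    return out

def build_sample_pe(sections: dict) -> bytes:
    """Constructed, minimal PE (no optional header) so the parser can run offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    table, blobs, ptr = b"", b"", e_lfanew + 4 + 20 + 40 * len(sections)
    for name, data in sections.items():
        table += name.encode().ljust(8, b"\0") + struct.pack("<IIII", len(data), 0x1000, len(data), ptr)
        table += b"\0" * 16               # relocs, line numbers, counts, characteristics
        blobs, ptr = blobs + data, ptr + len(data)
    return dos + b"PE\0\0" + coff + table + blobs
```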

FamousSparrow / SparrowDoor static analysis.
Legacy variant (2019-2022), SHA256: 8dfaa1f579...

4 findings not present in public vendor reporting
at time of analysis (ESET, UK NCSC, Trend Micro, Microsoft)

→ Inverted anti-sandbox logic
→ Three-table substitution system
→ .text section entropy anomaly
→ 113 indirect call sites in 26KB binary

Thread: [PHIM] findings only.
Full report: https://github.com/seraphimdeck/SerapHim-CTI

#FamousSparrow #SaltTyphoon #MalwareAnalysis #CTI
