Energy Sector Under Siege: Microsoft Exchange Bug Fuels Repeated Attacks on Azerbaijani Firm

Threat actors have repeatedly targeted an Azerbaijani energy company by exploiting a known Microsoft Exchange Server vulnerability to maintain persistent network access.

CSBadmin

Three Waves, One Unpatched Entry Point

A threat actor affiliated with China has been linked to a multi-wave intrusion campaign targeting an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026. Security researchers at Bitdefender attributed the activity with moderate-to-high confidence to a hacking group known as FamousSparrow (aka UAT-9244), which shares tactical overlap with clusters tracked as Earth Estries and Salt Typhoon.

What makes the campaign notable is that the attackers exploited and re-exploited the same vulnerable Microsoft Exchange Server entry point despite multiple remediation attempts, swapping backdoors with each wave rather than establishing a single persistent foothold. The initial access was achieved through the ProxyNotShell chain, a set of well-known Microsoft Exchange vulnerabilities.

Three Distinct Malware Payloads

The first wave, detected on December 25, 2025, saw attackers deploy a web shell for persistence before ultimately delivering Deed RAT (aka Snappybee) through an evolved DLL side-loading technique. Unlike standard DLL side-loading that relies on simple file replacement, this method overrode two specific exported functions within a malicious library, using the legitimate LogMeIn Hamachi binary as the host. Bitdefender described this as a two-stage trigger that gates the Deed RAT loader’s execution through the host application’s natural control flow, representing a significant evolution in defense evasion.
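The side-loading described above leaves a footprint a defender can hunt for in image-load telemetry: a signed host process mapping an unsigned DLL from its own directory or from a user-writable path. The script below is an added example, not code from the article or from Bitdefender; it applies that rule to constructed Sysmon-style ImageLoad records, and the host executable and DLL names it uses are invented for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ntpath

@dataclass
class ImageLoad:
    """Subset of Sysmon Event ID 7 (ImageLoad) fields; records here are constructed."""
    host_image: str       # process that performed the load (Sysmon "Image")
    host_signed: bool     # simplified Sysmon "Signed" verdict for the host
    loaded_image: str     # DLL that was mapped (Sysmon "ImageLoaded")
    loaded_signed: bool   # simplified Sysmon "Signed" verdict for the DLL

OS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\")

def sideload_reason(ev: ImageLoad) -> Optional[str]:
    """Return why a load looks like DLL side-loading, or None if it looks benign.

    Rule: a signed host maps an unsigned DLL outside the OS directories, either
    beside the host (search-order side-loading) or in a user-writable location.
    The export-override variant in the report still needs the DLL on disk next
    to its host, so this footprint applies to it as well.
    """
    host, dll = ev.host_image.lower(), ev.loaded_image.lower()
    if not ev.host_signed or ev.loaded_signed or dll.startswith(OS_DIRS):
        return None
    if ntpath.dirname(dll) == ntpath.dirname(host):
        return "unsigned DLL loaded from the signed host's own directory"
    if any(hint in dll for hint in WRITABLE_HINTS):
        return "unsigned DLL loaded from a user-writable path"
    return None

def find_sideloads(events: List[ImageLoad]) -> List[Tuple[str, str]]:
    """Return (loaded DLL, reason) for every record that trips the rule."""
    return [(ev.loaded_image, r) for ev in events if (r := sideload_reason(ev))]

# Constructed records: "hamachi-host.exe" is an invented stand-in for the signed host.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\LogMeIn Hamachi\hamachi-host.exe", True,
              r"C:\Windows\System32\kernel32.dll", True),
    ImageLoad(r"C:\Program Files\LogMeIn Hamachi\hamachi-host.exe", True,
              r"C:\Program Files\LogMeIn Hamachi\vendor-signed.dll", True),
    ImageLoad(r"C:\Users\Public\Libraries\hamachi-host.exe", True,
              r"C:\Users\Public\Libraries\helper.dll", False),
]

if __name__ == "__main__":
    for dll, reason in find_sideloads(SAMPLE_EVENTS):
        print(f"ALERT {dll}: {reason}")
```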

The second wave struck in late January and early February 2026, nearly a month after the initial intrusion. This time the adversary attempted to drop a different backdoor called TernDoor via Mofu Loader, a shellcode loader previously attributed to the China-linked group GroundPeony. The TernDoor backdoor had previously been observed in attacks targeting telecommunications infrastructure in South America since 2024.

The third wave hit in late February 2026, when the threat actors once again returned to the same entry point to deploy a modified version of Deed RAT featuring the command-and-control domain sentinelonepro[.]com. This indicated active efforts to refine and evolve the malware arsenal between campaigns. Lateral movement was observed across all three waves, with the attackers working to broaden access within the compromised network and establish redundant footholds for resilience.

Geopolitical Context and Strategic Implications

Bitdefender noted that the targeting extends known FamousSparrow victimology into a region where Azerbaijan’s role in European energy security has materially increased following the 2024 expiration of Russia’s Ukraine gas transit agreement and 2026 Strait of Hormuz disruptions. The repeated exploitation of the same access path highlights a key lesson for critical-infrastructure defenders: patching alone is insufficient if the original vulnerability is not fully remediated and compromised credentials are not rotated.

The security firm emphasized that this intrusion should not be viewed as an isolated compromise, but as a sustained and adaptive operation. Across multiple waves, the same access path was revisited, new payloads were introduced, and additional footholds were established, underscoring a high degree of persistence and operational discipline from the threat actor.

Source: The Hacker News, Bitdefender
