FamousSparrow Campaign Targets Energy Infrastructure via Exchange Flaw

Researchers detail a months-long espionage operation where an APT group exploited an Exchange server flaw to breach an Azerbaijani energy firm, deploying multiple backdoors and evading defenses.

CSBadmin

Attack Overview

A Chinese state-linked hacking group, known as FamousSparrow, has conducted a sustained espionage campaign against an Azerbaijani oil and gas company. The attackers exploited an unpatched Microsoft Exchange server to gain initial access, using the ProxyNotShell exploit chain to achieve unauthenticated remote code execution. The intrusion took place over several months, from late December 2025 through late February 2026.

Tactics and Malware

During the campaign, the attackers returned to the compromised server three separate times, each time deploying different malware families and adjusting their methods in response to defensive actions. They installed multiple web shells to maintain access and then deployed two distinct backdoor families: Deed RAT and Terndoor. The operation also featured an evolved DLL sideloading technique designed to evade automated security analysis, marking a higher level of sophistication than seen in previous campaigns tied to these malware tools.

Strategic Context

The choice of target is significant, as Azerbaijan has become a critical gas supplier for Europe following the expiration of Russia’s Ukraine transit deal in 2024 and ongoing disruptions in the Strait of Hormuz. Researchers at Bitdefender tracked the three waves of activity and attributed the intrusion to FamousSparrow with moderate to high confidence, noting substantial overlap with the Earth Estries threat cluster. This campaign underscores the persistent risk facing energy infrastructure from advanced persistent threat groups.

Source: Cyber Security News
