China-linked hackers hit Azerbaijani energy firm in repeated Exchange intrusions

A China-linked threat actor targeted an unnamed Azerbaijani oil and gas company in a multi-wave intrusion between late December 2025 and late February 2026, repeatedly abusing the same Microsoft Exchange Server entry point and deploying different backdoors, according to a technical analysis by Bitdefender.

KEY FACTS

  • Target: An Azerbaijani oil and gas company was hit in three waves.
  • Access method: The attacks reused the same Exchange Server weakness, likely through the ProxyNotShell chain.
  • Payloads: The operators deployed Deed RAT and TernDoor, then returned with a modified Deed RAT.
  • Techniques: The activity included web shells, DLL side-loading and lateral movement.

Bitdefender attributed the activity with moderate-to-high confidence to FamousSparrow, a group with some tactical overlap with clusters tracked as Earth Estries and Salt Typhoon. The report said the campaign marks an expansion of the group’s targeting into a region where Azerbaijan’s energy role has grown.

The first wave began on Dec. 25, 2025, when Deed RAT was deployed. A second wave in late January or early February 2026 tried to drop TernDoor using Mofu Loader, though that attempt failed. A third wave in late February used a modified version of Deed RAT that connected to sentinelonepro[.]com for command and control.
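The command-and-control domain above is published in defanged form, and the first thing a defender does with such an indicator is refang it and sweep resolver logs for it. The following is an added example (not code from the article or from Bitdefender) that refangs a list of indicators and scans constructed DNS query log lines, matching the apex domain and any subdomain while ignoring look-alike names that merely end in the same string. The log line format and the client addresses are constructed for illustration.

```python
import re

# Constructed resolver log lines in a simple key=value format.
SAMPLE_DNS_LINES = [
    "2026-02-20T10:14:58Z client=10.1.4.22 query=www.microsoft.com type=A",
    "2026-02-20T10:15:02Z client=10.1.4.22 query=api.sentinelonepro.com type=A",
    "2026-02-20T10:15:09Z client=10.1.7.13 query=sentinelonepro.com. type=A",
    "2026-02-20T10:15:11Z client=10.1.7.13 query=notsentinelonepro.com type=A",
    "2026-02-20T10:15:20Z client=10.1.9.40 query=update.example.org type=AAAA",
]

QUERY_RE = re.compile(r"\bquery=(\S+)")
CLIENT_RE = re.compile(r"\bclient=(\S+)")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (sentinelonepro[.]com, hxxps://...) back into a usable string."""
    out = ioc.strip()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":")):
        out = out.replace(defanged, real)
    out = re.sub(r"^hxxp(s?)://", r"http\1://", out, flags=re.IGNORECASE)
    return out.lower()


def domain_matches(qname: str, indicator: str) -> bool:
    """True if the queried name is the indicator domain or one of its subdomains.

    A trailing dot (fully qualified form) is tolerated; a name that merely ends
    in the same characters, such as notsentinelonepro.com, does not match.
    """
    q = qname.lower().rstrip(".")
    return q == indicator or q.endswith("." + indicator)


def find_c2_lookups(lines, indicators):
    """Return (client, queried_name, matched_indicator) for every hit in the log lines."""
    wanted = sorted({refang(i) for i in indicators})
    hits = []
    for line in lines:
        qm = QUERY_RE.search(line)
        if not qm:
            continue
        cm = CLIENT_RE.search(line)
        client = cm.group(1) if cm else "?"
        qname = qm.group(1)
        for indicator in wanted:
            if domain_matches(qname, indicator):
                hits.append((client, qname, indicator))
                break
    return hits


if __name__ == "__main__":
    for client, qname, indicator in find_c2_lookups(SAMPLE_DNS_LINES, ["sentinelonepro[.]com"]):
        print(f"{client} looked up {qname} (matches {indicator})")
```

Feeding the indicator list from a report directly into the matcher avoids the common mistake of grepping for the defanged string, which never appears in real logs.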

The attackers also tried to build persistence by placing web shells and using an evolved DLL side-loading method that relied on a legitimate LogMeIn Hamachi binary to load a rogue library. According to the report, the rogue library overrode functions the host expected to import, so the malicious code ran as part of the host application’s normal execution flow rather than through a separate launcher.
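Side-loading of this kind leaves a characteristic pattern in image-load telemetry: a signed application loading a library that carries a Windows system DLL name, or an unsigned library, from the application’s own directory instead of System32. The following is an added example (not code from the article or from Bitdefender) that applies those two checks to constructed records shaped like Sysmon Event ID 7 (ImageLoaded). The `HostSigned` field is an assumption, standing in for a join against process-creation telemetry, and the `hamachi_client.exe` file name, paths, and the short system DLL list are constructed for illustration rather than taken from the report.

```python
from pathlib import PureWindowsPath

# Constructed, deliberately short list of DLL names that ship in System32.
# A rogue copy of one of these beside an application binary is the classic
# side-loading layout; a production rule would carry a much fuller list.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll",
    "cryptbase.dll", "userenv.dll", "profapi.dll",
}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed image-load records. Signed/SignatureStatus describe the loaded
# DLL, as in Sysmon Event ID 7; HostSigned is assumed to come from a join
# against the process-creation event for the loading process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\LogMeIn Hamachi\hamachi_client.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": True, "SignatureStatus": "Valid", "HostSigned": True},
    {"Image": r"C:\ProgramData\Updater\hamachi_client.exe",
     "ImageLoaded": r"C:\ProgramData\Updater\version.dll",
     "Signed": False, "SignatureStatus": "Unavailable", "HostSigned": True},
    {"Image": r"C:\Tools\myapp.exe",
     "ImageLoaded": r"C:\Tools\helper.dll",
     "Signed": False, "SignatureStatus": "Unavailable", "HostSigned": False},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\vendorlib.dll",
     "Signed": True, "SignatureStatus": "Valid", "HostSigned": True},
]


def _parent_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def _file_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def classify_image_load(event: dict) -> list[str]:
    """Return the side-loading indicators that fire for one image-load record."""
    host_dir = _parent_dir(event["Image"])
    dll_dir = _parent_dir(event["ImageLoaded"])
    dll_name = _file_name(event["ImageLoaded"])
    dll_signed = bool(event.get("Signed")) and event.get("SignatureStatus") == "Valid"
    host_signed = bool(event.get("HostSigned"))

    reasons = []
    # Rule 1: a DLL with a system library's name loaded from outside System32/SysWOW64.
    if dll_name in SYSTEM_DLL_NAMES and dll_dir not in SYSTEM_DIRS:
        reasons.append("system DLL name loaded from outside System32/SysWOW64")
    # Rule 2: a signed host pulling an unsigned DLL from its own directory.
    if host_signed and not dll_signed and dll_dir == host_dir:
        reasons.append("signed host loaded an unsigned DLL from its own directory")
    return reasons


def scan(events) -> list[dict]:
    """Return only the records that trip at least one indicator, with the reasons attached."""
    findings = []
    for event in events:
        reasons = classify_image_load(event)
        if reasons:
            findings.append({**event, "Reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["Image"], "->", finding["ImageLoaded"])
        for reason in finding["Reasons"]:
            print("   ", reason)
```

Rule 2 is the one that survives a renamed or vendor-specific DLL, since it keys on the trust mismatch between host and library rather than on a name list; it does produce noise for legitimately unsigned plug-ins, so it is best paired with an allow-list of known application directories.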

Bitdefender said the intruders moved laterally inside the network and established redundant footholds so the operation could survive detection or removal. The firm did not identify the victim by name and did not say whether data was stolen or systems were disrupted.

WHY IT MATTERS

The case shows how a single exposed server can be reused across multiple break-ins if the original flaw is not fully closed and credentials are not rotated. It also highlights how attackers can swap malware and persistence methods to keep access alive in sensitive energy networks.