A prominent cyber attack linked to Chinese hackers has been reported against an Azerbaijani oil and gas company, marking a significant breach between December 2025 and February 2026. The attack, attributed to the hacking group FamousSparrow, involved multiple waves of intrusion targeting the company’s Microsoft Exchange Server.
Details of the Cyber Attack
The Romanian cybersecurity firm Bitdefender, with moderate-to-high confidence, has identified FamousSparrow as the group responsible for the attack. This group is known for its overlap with other cyber clusters such as Earth Estries and Salt Typhoon. The attack involved the deployment of two distinct backdoors: Deed RAT and TernDoor, across three separate waves. These tools are known for their use in cyber espionage, with Deed RAT being a successor to the notorious ShadowPad malware.
Exploitation of Microsoft Exchange
The attackers repeatedly exploited a vulnerability in Microsoft Exchange Server, using the ProxyNotShell chain to gain initial access. Despite several remediation efforts, the hackers persisted, deploying Deed RAT in December 2025, switching to TernDoor in early 2026, and returning with a modified Deed RAT in late February. Bitdefender’s report highlights Azerbaijan’s increasing importance in European energy security as a potential motivation for the attack.
Advanced Techniques and Persistence
After gaining access, the attackers sought to establish a persistent presence by deploying web shells and using evolved DLL side-loading techniques. This method involved the LogMeIn Hamachi binary to execute the rogue DLL, enhancing traditional defense evasion strategies. The attackers also attempted lateral movement within the network, ensuring they maintained access even if initial breaches were detected.
In February 2026, the threat actors made another attempt, deploying a modified version of Deed RAT with connections to “sentinelonepro [.]com” for command-and-control operations. This ongoing intrusion reflects a sophisticated and determined effort to exploit vulnerabilities and maintain access.
Future Implications and Security Measures
The Azerbaijani firm’s repeated targeting underscores the persistent nature of cyber threats from nation-state actors. The attack illustrates the necessity for organizations to patch vulnerabilities promptly, rotate compromised credentials, and implement comprehensive security measures to thwart such persistent threats. As Azerbaijan plays a crucial role in regional energy security, the implications of such breaches could extend beyond the company, potentially affecting broader geopolitical dynamics.
