A hacking group associated with the Chinese state, known as FamousSparrow, has breached an Azerbaijani oil and gas company. The group exploited vulnerabilities in an unpatched Microsoft Exchange server, allowing them to install multiple backdoors within the network.
Detailed Attack Timeline
The breach spanned from December 2025 to February 2026, marking a significant intrusion into the energy infrastructure in the South Caucasus. During this time, the attackers returned to the compromised server on three occasions, each time introducing different malware families and adapting their strategies to counteract defensive measures.
This persistent effort indicates a well-planned espionage campaign rather than a mere opportunistic attack. Bitdefender researchers, who monitored the attack, attributed it to FamousSparrow, citing overlaps with the Earth Estries threat cluster.
Strategic Importance of the Breach
The timing of this attack coincides with Azerbaijan’s increased importance as a gas supplier to Europe, after the expiration of the Russia-Ukraine gas transit deal and disruptions in the Strait of Hormuz. This has raised concerns about the security of critical energy infrastructure.
The operation involved two backdoor families, Deed RAT and Terndoor, and showcased an evolved DLL sideloading technique designed to evade automated security defenses. This sophisticated approach highlights the threat group’s advanced capabilities in targeting energy sectors.
Technical Aspects of the Intrusion
The initial breach was detected on December 25, 2025, when a web shell was written into a server directory using the ProxyNotShell exploit chain. This exploit leverages vulnerabilities CVE-2022-41040 and CVE-2022-41082, enabling remote code execution on unpatched servers.
Subsequent attacks saw the deployment of additional web shells and a three-component malware chain masquerading as the LogMeIn Hamachi VPN application. This included a loader file and a Deed RAT payload, which was decrypted using AES-128 and RC4.
Advanced Evasion Techniques
The attackers employed a novel DLL sideloading technique, splitting malicious code across two export functions, which delayed execution until specific conditions were met. This method evades detection by security tools that only analyze parts of the code.
In later waves, the attackers attempted to install a kernel driver through the Terndoor backdoor but were thwarted. They also used a modified Deed RAT to camouflage their activities under a reputable security vendor’s domain.
Recommendations for Security Teams
Organizations should promptly apply Microsoft Exchange patches and rotate any exposed credentials. Monitoring should focus on IIS worker processes, unsigned binaries, and suspicious network activity, especially activity involving administrative accounts and PowerShell.
Indicators of compromise include specific filenames and hash values associated with the malicious activities. Maintaining vigilance over these indicators can help detect and mitigate similar threats in the future.
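The IIS worker process check recommended above, written out as an added example that is not part of this article or Bitdefender's research: a web shell executes inside w3wp.exe, so w3wp.exe spawning a command interpreter or PowerShell is the footprint to alert on. The event field names and the sample process-creation lines are constructed assumptions, not real telemetry.

```python
"""Flag web-shell style process activity on an IIS/Exchange host.
A web shell executes inside the IIS worker process, so w3wp.exe spawning a
command interpreter or PowerShell is the footprint to alert on."""
import json
import re

# Constructed sample process-creation events (JSON lines); not real telemetry.
SAMPLE_EVENTS = r"""
{"ts": "2025-12-25T03:14:07Z", "host": "EXCH01", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"}
{"ts": "2025-12-25T03:14:09Z", "host": "EXCH01", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -nop -w hidden -enc PLACEHOLDERBASE64"}
{"ts": "2025-12-25T03:15:00Z", "host": "EXCH01", "user": "NT AUTHORITY\\SYSTEM", "parent": "C:\\Windows\\System32\\services.exe", "image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "cmdline": "w3wp.exe -ap MSExchangeOWAAppPool"}
{"ts": "2025-12-25T08:02:31Z", "host": "EXCH01", "user": "CORP\\exchadmin", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe Get-Service MSExchange*"}
"""

INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}
# PowerShell accepts abbreviated -EncodedCommand spellings; match the common ones.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b")


def basename(path):
    """Last path component, lower-cased; handles Windows separators on any OS."""
    return re.split(r"[\\/]", path)[-1].lower()


def evaluate(event):
    """Return the names of the detection rules this event matches."""
    parent, image = basename(event["parent"]), basename(event["image"])
    hits = []
    # Rule 1: the IIS worker process has no business launching an interpreter.
    if parent == "w3wp.exe" and image in INTERPRETERS:
        hits.append("iis_worker_spawned_shell")
    # Rule 2: encoded PowerShell hides the command from casual log review.
    if image in ("powershell.exe", "pwsh.exe") and ENCODED_FLAG.search(event.get("cmdline", "")):
        hits.append("encoded_powershell")
    return hits


def scan(jsonl):
    """Evaluate every JSON line and return the events that triggered a rule."""
    findings = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        rules = evaluate(event)
        if rules:
            findings.append({"ts": event["ts"], "host": event["host"], "user": event["user"],
                             "parent": basename(event["parent"]), "image": basename(event["image"]), "rules": rules})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the two w3wp.exe-parented events are reported; the legitimate app-pool start by services.exe and the administrator's interactive PowerShell session are left alone.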
