Microsoft: Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation

Chinese-Linked Hacking Group Targets Azerbaijani Oil & Gas Firm in Multi-Wave Cyber Espionage Campaign

A cyber espionage campaign attributed to the China-affiliated threat group FamousSparrow (also tracked as UAT-9244) targeted an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026, marking an expansion of the group’s operational focus. The intrusion, analyzed by Bitdefender, involved three distinct waves of attacks, each deploying different backdoors, all entering through the same unpatched Microsoft Exchange Server via the ProxyNotShell exploit chain (CVE-2022-41040 and CVE-2022-41082, for which Microsoft shipped fixes in November 2022).

The campaign leveraged two primary malware families: Deed RAT (a successor to ShadowPad, widely used by Chinese espionage groups) and TernDoor, a backdoor previously observed in attacks on South American telecommunications infrastructure since 2024. Despite the victim’s remediation attempts, the threat actors repeatedly re-exploited the same entry point, deploying Deed RAT on December 25, 2025, TernDoor in late January/early February 2026, and a modified Deed RAT variant in late February 2026.
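What "repeated re-exploitation of the same entry point" looks like in the evidence is a run of ProxyNotShell-pattern requests in the Exchange front-end IIS logs that resumes after each clean-up. The following is an added example, not code from Bitdefender's report or the article: it parses IIS W3C log lines, rebuilds and URL-decodes the request URI, flags requests carrying both "autodiscover" and "powershell" with the "@" host-override (the shape of Microsoft's URL Rewrite mitigation for ProxyNotShell, not an indicator published for this intrusion), and groups hits by day so separate waves stand out. The log lines, IPs and domain are constructed.

```python
"""Hunt ProxyNotShell-style requests in Exchange IIS (W3C) logs.

Added example, not from the Bitdefender report. SAMPLE_LOG is constructed;
the match pattern follows the shape of Microsoft's URL Rewrite mitigation for
ProxyNotShell (request URI containing both "autodiscover" and "powershell"),
applied after one round of URL decoding.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample: benign Autodiscover/OWA traffic plus exploitation
# attempts on two different days, mirroring the "re-exploited after
# remediation" pattern the article describes.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-12-25 03:14:07 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CORP\\jdoe 10.0.3.21 Microsoft+Office/16.0 200
2025-12-25 03:15:42 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=aaaa 443 - 203.0.113.7 python-requests/2.31 200
2025-12-25 03:15:43 10.0.0.5 POST /autodiscover/autodiscover.json %40evil.example%2Fpowershell%2F%3FX-Rps-CAT%3Dbbbb 443 - 203.0.113.7 python-requests/2.31 200
2026-01-03 09:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example/owa 443 - 10.0.3.40 Mozilla/5.0 200
2026-02-20 22:41:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/PowerShell/?X-Rps-CAT=cccc 443 - 198.51.100.9 Go-http-client/1.1 200
"""

# Both tokens must appear in the decoded URI; the '@' is the host-override
# trick used by the SSRF step. Case-insensitive, as IIS path matching is.
PROXYNOTSHELL_RE = re.compile(r"autodiscover.*@.*powershell", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def request_uri(entry):
    """Rebuild the request URI; IIS logs '-' for an empty query string."""
    query = entry.get("cs-uri-query", "-")
    uri = entry["cs-uri-stem"]
    if query != "-":
        uri += "?" + query
    # One decode pass: attackers percent-encode '@' and '/' to dodge naive matching.
    return unquote(uri)


def find_proxynotshell(text):
    """Return matching entries as (date, time, c-ip, sc-status, decoded_uri)."""
    hits = []
    for e in parse_w3c(text):
        uri = request_uri(e)
        if PROXYNOTSHELL_RE.search(uri):
            hits.append((e["date"], e["time"], e["c-ip"], e["sc-status"], uri))
    return hits


def waves(hits):
    """Group hits by date so exploitation that resumes after a fix stands out."""
    by_day = defaultdict(list)
    for h in hits:
        by_day[h[0]].append(h)
    return dict(by_day)


if __name__ == "__main__":
    found = find_proxynotshell(SAMPLE_LOG)
    for day, entries in sorted(waves(found).items()):
        print(f"{day}: {len(entries)} ProxyNotShell-pattern request(s)")
        for _, t, ip, status, uri in entries:
            print(f"  {t} {ip} status={status} {uri}")
```

Point it at the Exchange front-end site logs (by default under inetpub\logs\LogFiles\W3SVC1 on the server). Two things matter when reading the output: a hit dated after the patch or mitigation was applied means the entry point was still open, and a hit answered with status 200 rather than 4xx is a reason to hunt for web shells and dropped DLLs before assuming the attempt failed.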

Initial access was followed by the deployment of web shells for persistence, with Deed RAT delivered via an evolved DLL side-loading technique using the legitimate LogMeIn Hamachi binary. Rather than placing the payload behind a single exported function, as conventional side-loading does, the malicious DLL split the execution trigger across two exported functions, a two-stage arrangement intended to evade detection. The attackers also conducted lateral movement to expand access and establish redundant footholds within the network.

The second wave, occurring nearly a month after the initial breach, saw an unsuccessful attempt to deploy TernDoor using Mofu Loader, a shellcode loader linked to the GroundPeony threat cluster. The third wave, in late February 2026, reintroduced a modified Deed RAT variant, which used the domain sentinelonepro[.]com for command-and-control (C2) communications.

Bitdefender’s analysis highlights the campaign’s adaptive persistence, with the threat actors refining their malware arsenal and re-exploiting the same vulnerability despite mitigation efforts. The targeting of Azerbaijan, whose role in European energy security has grown following the 2024 expiration of Russia’s Ukraine gas transit agreement and the 2026 Strait of Hormuz disruptions, suggests strategic espionage motives tied to regional energy dynamics. The intrusion underscores how threat actors will repeatedly exploit unpatched systems until access is fully disrupted: patching closes the entry point, but it does not remove web shells, implants or credentials already obtained, each of which must be found and revoked as well.

Source: https://thehackernews.com/2026/05/azerbaijani-energy-firm-hit-by-repeated.html

Microsoft Threat Intelligence cybersecurity rating report: https://www.rankiteo.com/company/microsoft-threat-intelligence

{
"id": "MIC1778682934",
"linkid": "microsoft-threat-intelligence",
"type": "Vulnerability",
"date": "12/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Oil & Gas',
                        'location': 'Azerbaijan',
                        'name': 'Unnamed Azerbaijani oil and gas company',
                        'type': 'Corporation'}],
 'attack_vector': 'Exploitation of unpatched Microsoft Exchange Server '
                  'vulnerability (ProxyNotShell)',
 'data_breach': {'data_exfiltration': 'Potential (not confirmed)'},
 'date_detected': '2025-12-25',
 'description': 'A cyber espionage campaign attributed to the China-affiliated '
                'threat group FamousSparrow (also tracked as UAT-9244) '
                'targeted an unnamed Azerbaijani oil and gas company between '
                'late December 2025 and late February 2026. The intrusion '
                'involved three distinct waves of attacks, exploiting an '
                'unpatched Microsoft Exchange Server vulnerability via the '
                'ProxyNotShell exploit chain. The campaign leveraged malware '
                'families Deed RAT and TernDoor, with repeated re-exploitation '
                'of the same entry point despite remediation attempts.',
 'impact': {'operational_impact': 'Lateral movement, persistent access, '
                                  'potential data exfiltration',
            'systems_affected': 'Microsoft Exchange Server, internal network '
                                'systems'},
 'initial_access_broker': {'backdoors_established': 'Web shells, Deed RAT, '
                                                    'TernDoor',
                           'entry_point': 'Microsoft Exchange Server '
                                          '(ProxyNotShell)'},
 'investigation_status': 'Analyzed',
 'lessons_learned': 'Threat actors will repeatedly exploit unpatched systems '
                    'until access is fully disrupted. Adaptive persistence and '
                    'refined malware arsenals require continuous monitoring '
                    'and patch management.',
 'motivation': 'Strategic espionage tied to regional energy dynamics',
 'post_incident_analysis': {'corrective_actions': 'Full patching of '
                                                  'vulnerabilities, network '
                                                  'segmentation, enhanced '
                                                  'monitoring',
                            'root_causes': 'Unpatched Microsoft Exchange '
                                           'Server vulnerability, adaptive '
                                           'persistence by threat actors'},
 'recommendations': 'Immediate patching of Microsoft Exchange Server '
                    'vulnerabilities, enhanced monitoring for lateral '
                    'movement, and deployment of advanced threat detection '
                    'mechanisms.',
 'references': [{'source': 'Bitdefender'}],
 'response': {'remediation_measures': 'Attempted patching and mitigation',
              'third_party_assistance': 'Bitdefender'},
 'threat_actor': 'FamousSparrow (UAT-9244)',
 'title': 'Chinese-Linked Hacking Group Targets Azerbaijani Oil & Gas Firm in '
          'Multi-Wave Cyber Espionage Campaign',
 'type': 'Cyber Espionage',
 'vulnerability_exploited': 'ProxyNotShell (Microsoft Exchange Server '
                            'vulnerability)'}