Microsoft and Azerbaijani oil and gas company: Chinese APT Exploits Microsoft Exchange to Breach Energy Sector Network

Microsoft and Azerbaijani oil and gas company: Chinese APT Exploits Microsoft Exchange to Breach Energy Sector Network

Chinese APT Group Targets Azerbaijani Energy Firm in Months-Long Espionage Campaign

A Chinese state-aligned advanced persistent threat (APT) group, FamousSparrow, compromised a Microsoft Exchange server at a major Azerbaijani oil and gas company in a prolonged cyber-espionage operation. The attack, detected by Bitdefender researchers, spanned from late December 2025 to late February 2026, marking the first publicly reported Chinese APT activity in the South Caucasus energy sector.

The intrusion began on December 25, 2025, when attackers exploited the ProxyNotShell vulnerability in Microsoft Exchange, deploying ASPX web shells (e.g., key.aspx, log.aspx) to establish persistence. These web shells served as command-and-control (C2) points, enabling the execution of malware payloads directly from the compromised server.

FamousSparrow, which overlaps tactically with Earth Estries and Salt Typhoon, deployed two primary backdoors:

  • Deed RAT, delivered via a DLL sideloading chain abusing the legitimate LogMeIn Hamachi service, used a two-stage trigger to evade detection. The malware employed custom XOR decryption and PRNG-based obfuscation, with plugins for configuration, networking, and process injection.
  • Terndoor, attempted in a second wave, was delivered via the Mofu loader, leveraging a kernel-mode driver (vmflt.sys) for rootkit-like persistence. Though blocked before full installation, memory forensics confirmed its presence.

Attackers maintained access by reusing the same Exchange entry point despite partial cleanup, demonstrating how unpatched vulnerabilities become durable access vectors. Lateral movement relied on RDP with stolen domain admin credentials and Impacket-based tools (atexec, smbexec), ensuring redundant footholds across the network.

The campaign aligns with China’s strategic interests, as Azerbaijan’s role in European gas supplies has grown amid Russia’s Ukraine transit disruptions and instability in the Strait of Hormuz. By targeting this energy corridor, the attackers gained visibility into European energy flows during heightened geopolitical tensions.

FamousSparrow has previously targeted telecoms, government, and tech sectors across the U.S., Asia-Pacific, Middle East, and South Africa, but this incident extends its focus to critical energy infrastructure in a new region. The group’s tactics reflect ongoing evolution, including updated Deed RAT encryption and anti-analysis techniques to evade detection.

Source: https://gbhackers.com/chinese-apt-exploits-microsoft-exchange/

State Oil Company of the Republic of Azerbaijan (SOCAR) cybersecurity rating report: https://www.rankiteo.com/company/socarofficial

Microsoft Security Response Center cybersecurity rating report: https://www.rankiteo.com/company/microsoft-security-response-center

"id": "SOCMIC1778768867",
"linkid": "socarofficial, microsoft-security-response-center",
"type": "Vulnerability",
"date": "12/2025",
"severity": "100",
"impact": "6",
"explanation": "Attack threatening the economy of geographical region"
{'affected_entities': [{'industry': 'Oil and Gas',
                        'location': 'Azerbaijan',
                        'name': 'Major Azerbaijani oil and gas company',
                        'type': 'Energy'}],
 'attack_vector': 'Exploitation of ProxyNotShell vulnerability in Microsoft '
                  'Exchange',
 'data_breach': {'data_exfiltration': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Strategic intelligence, internal '
                                             'network data'},
 'date_detected': '2026-02-28',
 'description': 'A Chinese state-aligned advanced persistent threat (APT) '
                'group, FamousSparrow, compromised a Microsoft Exchange server '
                'at a major Azerbaijani oil and gas company in a prolonged '
                'cyber-espionage operation. The attack, detected by '
                'Bitdefender researchers, spanned from late December 2025 to '
                'late February 2026, marking the first publicly reported '
                'Chinese APT activity in the South Caucasus energy sector.',
 'impact': {'data_compromised': 'Strategic intelligence on European energy '
                                'flows, internal network data',
            'operational_impact': 'Potential disruption of internal operations '
                                  'due to lateral movement and persistence',
            'systems_affected': ['Microsoft Exchange server',
                                 'Internal network systems']},
 'initial_access_broker': {'backdoors_established': ['ASPX web shells '
                                                     '(key.aspx, log.aspx)',
                                                     'Deed RAT',
                                                     'Terndoor'],
                           'entry_point': 'Microsoft Exchange server '
                                          '(ProxyNotShell vulnerability)',
                           'high_value_targets': 'European energy flows, '
                                                 'internal network data'},
 'investigation_status': 'Ongoing',
 'motivation': 'Strategic intelligence gathering on European energy flows',
 'post_incident_analysis': {'root_causes': ['Unpatched Microsoft Exchange '
                                            'vulnerability (ProxyNotShell)',
                                            'DLL sideloading abuse (LogMeIn '
                                            'Hamachi)',
                                            'Stolen domain admin credentials']},
 'references': [{'source': 'Bitdefender researchers'}],
 'response': {'third_party_assistance': 'Bitdefender researchers'},
 'threat_actor': 'FamousSparrow (Chinese state-aligned APT group)',
 'title': 'Chinese APT Group Targets Azerbaijani Energy Firm in Months-Long '
          'Espionage Campaign',
 'type': 'Cyber Espionage',
 'vulnerability_exploited': 'ProxyNotShell (Microsoft Exchange)'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.