Chinese-linked attackers were involved in “multi-wave intrusions” targeting unnamed oil and gas companies in Azerbaijan from late December 2025 to late February 2026, indicating an expansion of their targeting.
Bitdefender has moderate to high confidence that this activity is the work of the hacker group known as FamousSparrow (also known as UAT-9244). This group has some tactical overlap with clusters tracked under the names Earth Estries and Salt Typhoon.
This attack paves the way for the deployment of two different backdoors across three separate waves: Deed RAT (also known as Snappybee), a successor to ShadowPad used by multiple China-aligned spy groups, and TernDoor, which was recently discovered in attacks targeting telecommunications infrastructure in South America starting in 2024.
What is notable about this campaign is that despite multiple remediation attempts: Deed RAT on December 25, 2025, TernDoor in late January/early February 2026, and a patched Deed RAT in late February 2026, it repeatedly exploited the same vulnerable Microsoft Exchange Server entry points and replaced the backdoor each time. The attacker is believed to have exploited the ProxyNotShell chain to gain initial access.
“This targeting expands the known FamousSparrow victims to a region where Azerbaijan’s role in European energy security has increased significantly following the expiration of Russia’s Ukraine Gas Transport Agreement in 2024 and the Strait of Hormuz disruption in 2026,” the Romanian cybersecurity firm said in a report shared with Hacker News.
“This intrusion demonstrates that attackers will exploit and re-exploit the same access paths until the original vulnerability is patched, the compromised credentials are rotated, and the attacker’s ability to revert is completely cut off.”
Following the initial access, Deed RAT is said to have attempted to deploy by deploying a web shell to establish a persistent foothold and ultimately using an advanced DLL sideloading technique that leverages the legitimate LogMeIn Hamachi binary to load and launch a rogue DLL responsible for executing the main payload.
“Unlike standard DLL sideloading, which relies on simple file replacement, this method overrides two specific export functions within the malicious library,” Bitdefender explained. “This creates a two-stage trigger that controls the execution of the Deed RAT loader through the host application’s natural control flow, further advancing traditional DLL sideloading defense evasion capabilities.”
This attack has also been found to perform lateral movement within a compromised network to expand access and establish redundant footholds to ensure resiliency if activity is detected and removed.
Meanwhile, the second wave occurred almost a month after the initial invasion. The attackers attempted to drop TernDoor using DLL sideloading using Mofu Loader, a shellcode loader previously attributed to GroundPeony, but were unsuccessful.
Azerbaijani companies were targeted for the third time towards the end of February 2026. At this time, the attackers again attempted to introduce a modified version of the Deed RAT. This shows active efforts to improve and evolve the malware arsenal. This artifact uses ‘sentinelonepro’ [.]com” for command and control (C2).
“This intrusion should not be viewed as an isolated breach, but rather as a sustained and adaptive operation carried out by the attackers who repeatedly seek to regain and expand access within the victim’s environment,” Bitdefender said. “Across multiple waves of activity, the same access paths were revisited, new payloads were introduced, additional footholds were established, and a high degree of persistence and operational discipline was emphasized.”
Source link
