Azerbaijani Energy Firm Repeatedly Compromised via Microsoft Exchange Exploits
#Vulnerabilities

Security Reporter

Bitdefender links a China‑affiliated group, FamousSparrow, to a multi‑wave intrusion of an Azerbaijani oil and gas company. The attackers leveraged the ProxyNotShell chain to abuse an unpatched Microsoft Exchange Server, swapping sophisticated backdoors – Deed RAT and TernDoor – across three waves between December 2025 and February 2026.

A persistent Exchange foothold in Azerbaijan’s energy sector

A Bitdefender investigation has tied a series of attacks on an unnamed Azerbaijani oil and gas firm to the China‑linked espionage group FamousSparrow (also known as UAT‑9244). The campaign unfolded in three distinct waves from late December 2025 through late February 2026, each time re‑using the same vulnerable Microsoft Exchange Server entry point despite remediation attempts.

Why the Exchange server mattered

The attackers exploited the ProxyNotShell chain – a set of vulnerabilities that allow unauthenticated attackers to execute code on an Exchange backend. Once they gained a foothold, they dropped web shells to maintain persistence and then introduced two separate backdoors:

| Wave | Backdoor | Deployment technique |
|---|---|---|
| 1 – Dec 25 2025 | Deed RAT (aka Snappybee) | DLL side‑loading that hijacks the legitimate LogMeIn Hamachi binary. |
| 2 – Jan/Feb 2026 | TernDoor | Attempted DLL side‑loading via the Mofu Loader shellcode (previously linked to GroundPeony). |
| 3 – Late Feb 2026 | Modified Deed RAT | Same Hamachi‑based side‑loading, but with a new command‑and‑control domain sentinelonepro.com. |

Expert insight

“The intrusion shows that threat actors will keep coming back to an exposed Exchange server until the vulnerability is truly patched, credentials are rotated, and the attacker’s persistence mechanisms are eradicated,” said Mihai Popescu, senior threat analyst at Bitdefender.

Popescu added that the group’s tactical overlap with other tracked clusters – Earth Estries and Salt Typhoon – suggests a shared toolbox rather than a single monolithic team.

Technical deep‑dive: evolved DLL side‑loading

Traditional DLL side‑loading works by placing a malicious DLL in the same directory as a trusted executable, causing the loader to pick the attacker’s file first. FamousSparrow’s variant goes a step further:

  1. Target binary – the legitimate LogMeIn Hamachi client, already trusted on many corporate networks.
  2. Export hijacking – the malicious DLL overrides two specific exported functions instead of the usual DllMain. This forces the host application to execute the malicious code only when those functions are called during normal operation, making detection by static analysis tools much harder.
  3. Two‑stage trigger – the first overridden function loads a small bootstrap DLL, which then loads the final payload (Deed RAT). The staged approach evades many behavior‑based sensors that look for a single, obvious payload drop.

The same technique was attempted with the Mofu Loader for TernDoor, but the loader failed to execute cleanly, likely due to mismatched library versions on the victim host.

Lateral movement and redundancy

After establishing the initial backdoor, the actors performed classic Active Directory enumeration, SMB credential dumping, and remote PowerShell execution to move laterally. They planted additional web shells on high‑value servers, ensuring that even if one foothold was removed, another could be used to re‑establish control.

What this means for the energy sector

Azerbaijan’s role in European energy supply has grown since the 2024 expiration of Russia’s Ukraine gas transit agreement and the 2026 Strait of Hormuz disruptions. A breach in a national energy firm therefore carries geopolitical weight, potentially exposing sensitive production data, pipeline schematics, and operational technology (OT) configurations.

Practical steps for defenders

  1. Patch Exchange immediately – apply the latest cumulative updates and verify that ProxyNotShell (CVE‑2025‑XXXX) is fully mitigated.
  2. Rotate service accounts – any credentials used by Exchange‑related services should be changed and stored in a privileged‑access‑management (PAM) solution.
  3. Audit for side‑loading artifacts – scan for unexpected DLLs in the same directory as trusted binaries such as Hamachi.exe. Tools like Microsoft Defender for Identity and Sysinternals Process Explorer can highlight anomalous DLL loads.
  4. Monitor C2 domains – block or closely monitor traffic to sentinelonepro.com and any newly observed domains linked to Deed RAT/TernDoor.
  5. Deploy web‑shell detection – enable file‑integrity monitoring on Exchange and web‑application servers; look for common web‑shell signatures (.aspx, .php, .jsp with obfuscated code).
  6. Network segmentation – isolate Exchange servers from critical OT networks and enforce strict firewall rules for lateral movement vectors (SMB, RDP, PowerShell Remoting).
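The artifact that the export-hijacking side-loading described above leaves behind, and that step 3 asks defenders to look for, is a DLL sitting beside a signed vendor binary without carrying that vendor's signature. The script below is an added example for auditing that condition on a Windows host; it is not tooling from Bitdefender or from the report, and the Hamachi path in $TrustedBinaries is a placeholder to be replaced with the paths actually present on the audited system.

```powershell
# Added example (not from the Bitdefender report): list DLLs that sit in the
# same directory as a trusted executable but are unsigned or signed by a
# different publisher than the executable itself.
# Assumption: the paths below are placeholders for the audited host's install locations.
param(
    [string[]]$TrustedBinaries = @(
        "C:\Program Files (x86)\LogMeIn Hamachi\Hamachi.exe"   # placeholder path
    )
)

function Get-SideLoadCandidates {
    param([Parameter(Mandatory)][string]$ExePath)

    if (-not (Test-Path -LiteralPath $ExePath)) {
        Write-Warning "Not found: $ExePath"
        return
    }

    $exeSig    = Get-AuthenticodeSignature -FilePath $ExePath
    $exeSigner = if ($exeSig.SignerCertificate) { $exeSig.SignerCertificate.Subject } else { "<unsigned>" }
    $dir       = Split-Path -Parent $ExePath

    Get-ChildItem -LiteralPath $dir -Filter *.dll -File | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "<unsigned>" }
        # A DLL next to a signed vendor binary that is unsigned, has a broken
        # signature, or is signed by someone else is the side-loading artifact.
        $suspicious = ($sig.Status -ne 'Valid') -or ($signer -ne $exeSigner)
        [pscustomobject]@{
            Executable = $ExePath
            Dll        = $_.FullName
            DllSigner  = $signer
            SigStatus  = $sig.Status
            LastWrite  = $_.LastWriteTimeUtc
            Sha256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Suspicious = $suspicious
        }
    }
}

# Newest writes first: a recently dropped DLL beside an old install is the
# strongest signal, and the hash can be checked against known-good inventories.
$TrustedBinaries | ForEach-Object { Get-SideLoadCandidates -ExePath $_ } |
    Where-Object Suspicious |
    Sort-Object LastWrite -Descending |
    Format-Table Dll, DllSigner, SigStatus, LastWrite, Sha256 -AutoSize
```

Legitimately bundled runtime DLLs signed by a different publisher will also appear, so the output is a triage list to compare against a known-good install, not a verdict.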

Looking ahead

Bitdefender warns that FamousSparrow is likely to continue refining its side‑loading methods and may target other high‑value sectors in the region. Organizations should treat Exchange servers as high‑risk assets and adopt a “patch‑first, monitor‑always” posture.


*For a deeper technical breakdown of the Deed RAT side‑loading method, see the Bitdefender research paper. The official Microsoft guidance on mitigating ProxyNotShell can be found on the Microsoft Docs site.*
