FamousSparrow
Chinese-linked threat actors carried out a lengthy operation from December 2025 to February 2026, using a compromised Microsoft Exchange server to establish a foothold within an Azerbaijan-based oil and gas organization.
The actors executed three independent waves of compromise, entering both through the backdoor access they had planted and through their original foothold.
That the compromises persisted despite the company's repeated patching of the original access points indicates how skilled and confident the actors were, both in their ability to maintain access and in the degradation of the company's defensive posture after each unsuccessful attempt to remove those access points.
The operators behind the FamousSparrow activity in these compromises have previously been associated with other Chinese-affiliated operators such as UAT-9244, and they currently share links to both Earth Estries and Salt Typhoon. According to Bitdefender, there is moderate-to-high confidence in the success of these operations against the oil and gas company.
Timing and Targeting the Victim
The targeted Azerbaijani oil company is a major global player in the oil and gas industry, and the timing of this criminal conduct is significant. Once the current Russia/Ukraine gas agreement expires (2024), and with the ongoing influence of global political and economic resistance on the flow of oil to Europe and through the Strait of Hormuz (2026), there will be no Russian oil pipeline supplying oil to the EU.
Bitdefender explained that this targeting extends the known FamousSparrow victimology into a region where Azerbaijan's role in European energy security has materially increased, and the intrusion illustrates that actors will exploit and re-exploit the same access path until the original vulnerability is patched, compromised credentials are rotated, and the attacker's ability to return is fully disrupted.
The FamousSparrow attack on the Azerbaijan oil company shows that critical infrastructure attackers are patient and persistent: they do not give up after one remediation attempt, they keep coming back.
The Initial Access: ProxyNotShell
The FamousSparrow attack on the Azerbaijan oil company began with exploitation of the ProxyNotShell chain, which targets Microsoft Exchange Server. This is the same vulnerability set that numerous Chinese espionage groups have used over the past several years.
ProxyNotShell is a chain of a server-side request forgery (SSRF) vulnerability and a remote code execution (RCE) vulnerability, and it has been widely exploited since its disclosure. The FamousSparrow attackers used this same entry point repeatedly.
After exploiting the vulnerable Microsoft Exchange Server, the attackers deployed web shells to establish a persistent foothold, then moved on to deploy their first backdoor.
Wave 1: Deed RAT (December 25, 2025)
The first wave of the FamousSparrow attack on the Azerbaijan oil company occurred on December 25, 2025, when the attackers deployed Deed RAT, which is also known as Snappybee and is a successor of ShadowPad.
The Deed RAT backdoor has been adopted by various espionage groups with ties to China, and it gives an attacker complete control over a compromised system.
The attackers used a DLL side-loading technique in which a legitimate LogMeIn Hamachi binary loads a rogue DLL that executes the main payload.
Whereas standard DLL side-loading simply replaces a file, the method used in this attack overrides two exported functions of the malicious DLL and sets up a two-stage trigger for executing the Deed RAT loader, driven by the host application's natural execution flow.
This evolution makes the malicious DLL much harder to detect, because the DLL hooks into functions the legitimate application is expected to call rather than simply standing in for a legitimate file.
Wave 2: TernDoor (Late January to Early February 2026)
The second wave of FamousSparrow's intrusion into the Azerbaijani oil company came roughly one month after the initial compromise, in late January to early February 2026. TernDoor is a newer backdoor: since October 2024, FamousSparrow has used it to extend its operations beyond telecommunications infrastructure into many additional countries across South America.
The attackers attempted to deploy TernDoor using Mofu Loader, a shellcode loader previously attributed to GroundPeony, but this wave was less successful. Bitdefender noted that the attackers tried to use DLL side-loading to drop TernDoor but did not fully succeed.
Despite the relative failure of the second wave, the FamousSparrow attackers did not give up; they returned again.
Wave 3: Using a Modified Deed RAT (Late February 2026)
The third wave of the FamousSparrow attack on the Azerbaijani oil company came in late February 2026, when the attackers attempted to deploy a modified version of Deed RAT (Remote Access Tool).
The modified Deed RAT is an updated build of Deed RAT that uses sentinelonepro[.]com for command and control (C2) and a second look-alike domain, sentinaloneg[.]com, as a decoy. Both domains typo-squat the name of a legitimate, publicly known cybersecurity company so that the backdoor's traffic resembles communication with a security product and is less likely to be noticed by anyone monitoring the network.
This third wave shows active effort by the FamousSparrow attackers to refine and evolve their malware arsenal. They are not reusing the same unchanged tools; they are adapting based on what worked and what failed in previous waves.
Persistence and Lateral Movement
Throughout the campaign against the Azerbaijan oil company, the attackers conducted lateral movement to broaden their access within the compromised network, and they established redundant footholds to ensure resilience in case their activity was detected and removed.
The attackers were not simply trying to get in and out quickly. They were trying to establish long-term persistent access, and they wanted multiple ways back into the network.
Bitdefender explained that this intrusion should not be viewed as an isolated compromise but as a sustained and adaptive operation by an actor that repeatedly sought to regain and extend access within the victim environment. Across multiple waves of activity the same access path was revisited, new payloads were introduced, and additional footholds were established, underscoring a high degree of persistence and operational discipline.
The Geopolitical Context
The FamousSparrow attack on the Azerbaijan oil company cannot be understood without its geopolitical context: Azerbaijan has become increasingly important to European energy security since Russia's gas transit agreement with Ukraine expired in 2024.
Complications in the Strait of Hormuz in 2026 have made alternative energy routes even more essential. Azerbaijan borders the Caspian Sea and has pipelines to Europe, so its oil and gas infrastructure is a strategic target: a FamousSparrow intrusion into its oil company provides insight into European energy supplies and could potentially be used to damage those supplies before the country becomes significantly more important to Europe's energy supply.
FamousSparrow, Earth Estries, and Salt Typhoon
Bitdefender attributed the attack on the Azerbaijan oil company to FamousSparrow with moderate-to-high confidence; the group shares tactical overlap with Earth Estries and Salt Typhoon.
Earth Estries is a cyber espionage group tracked by Trend Micro, and Salt Typhoon is a group tracked by Microsoft and others. Both are believed to be Chinese state-sponsored, and both focus on telecommunications and critical infrastructure.
The FamousSparrow attack on the Azerbaijan oil company adds to the evidence that these groups are not entirely separate: they share techniques, targets, and sometimes infrastructure, and they may be part of a larger Chinese cyber espionage ecosystem.
The Failed Remediation
What makes this FamousSparrow attack on the Azerbaijan oil company so troubling is that the target attempted to remediate after every wave, yet the attackers were able to keep re-entering through the same Microsoft Exchange Server vulnerability.
This indicates that the target had either not fully patched the ProxyNotShell vulnerability, had not rotated the credential sets that were compromised, or both, which allowed the attackers to exploit the same weakness and re-enter.
Bitdefender pointed out that proper remediation of an incident requires both patching the original vulnerability that allowed access and rotating all credentials that were compromised; partial remediation will not work.
The Changing DLL Side-Loading Methods
The FamousSparrow attacks on the oil and gas company in Azerbaijan used an advanced form of DLL side-loading that hooks two specific exported functions in the malicious DLL.
In traditional DLL side-loading, the attacker places a DLL with the same name as one the application expects next to the application, so the application loads the attacker's DLL instead of the legitimate one.
The FamousSparrow attacks used a considerably more complex variant: instead of merely substituting an invalid DLL for a valid one, the malicious code in the DLL runs only when the legitimate application calls the particular exported function that the attackers hooked.
Because of these two triggering mechanisms, the malicious DLL is much harder for forensic investigators to find on the system: it sits idle on disk until the legitimate application invokes the hooked exported function.
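The defensive counterpart to the technique described above is an audit of module loads: a DLL that a signed vendor binary loads from its own application directory, but that is not signed by the same vendor (or not signed at all), is exactly the shape a side-loaded library takes, whether it replaces a file outright or hooks exported functions and waits. The following is an added example, not code from Bitdefender's report or from the Hamachi product. It works on a constructed inventory of image-load records of the kind an EDR export or Sysmon Event ID 7 (Image loaded) would provide; the file paths, signer names and the Hamachi binary name are hypothetical.

```python
"""Audit image-load records for DLL side-loading candidates (added example).

A record says which process image loaded which DLL and who signed each.
Two checks are applied to loads from the host application's own directory:
  1. the DLL is unsigned while the host is signed         -> high
  2. the DLL is signed, but by a different signer than host -> medium
Loads from Windows system directories are skipped as the normal case.
All sample paths and signer strings below are constructed / hypothetical.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ImageLoad:
    process_image: str   # full path of the executable doing the loading
    loaded_image: str    # full path of the DLL that was loaded
    process_signer: str  # "" when the executable is unsigned
    image_signer: str    # "" when the DLL is unsigned


SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def is_system_path(path: str) -> bool:
    """True for DLLs that live in a Windows system directory."""
    p = path.lower()
    return any(p.startswith(d) for d in SYSTEM_DIRS)


def same_directory(a: str, b: str) -> bool:
    """True when both images sit in the same directory (the side-loading case)."""
    return PureWindowsPath(a.lower()).parent == PureWindowsPath(b.lower()).parent


def sideload_findings(loads):
    """Return (process_image, loaded_image, severity) for suspicious app-dir loads."""
    findings = []
    for ev in loads:
        if is_system_path(ev.loaded_image):
            continue                        # system DLLs: expected
        if not same_directory(ev.process_image, ev.loaded_image):
            continue                        # only app-directory loads matter here
        if not ev.process_signer:
            continue                        # unsigned host: no trust baseline
        if ev.image_signer == ev.process_signer:
            continue                        # vendor's own DLL beside vendor's exe
        severity = "high" if not ev.image_signer else "medium"
        findings.append((ev.process_image, ev.loaded_image, severity))
    return findings


# Constructed sample inventory; vendor names and paths are hypothetical.
SAMPLE_LOADS = [
    ImageLoad(r"C:\Program Files\Hamachi\hamachi-2.exe",
              r"C:\Windows\System32\kernel32.dll",
              "LogMeIn (hypothetical)", "Microsoft Windows"),
    ImageLoad(r"C:\Program Files\Hamachi\hamachi-2.exe",
              r"C:\Program Files\Hamachi\version.dll",      # unsigned, beside the exe
              "LogMeIn (hypothetical)", ""),
    ImageLoad(r"C:\Tools\app.exe", r"C:\Tools\plugin.dll",
              "Vendor X (hypothetical)", "Vendor X (hypothetical)"),
    ImageLoad(r"C:\Tools\app.exe", r"C:\Tools\helper.dll",
              "Vendor X (hypothetical)", "Other Co (hypothetical)"),
]

if __name__ == "__main__":
    for proc, dll, sev in sideload_findings(SAMPLE_LOADS):
        print(f"[{sev}] {proc} loaded {dll}")
```

The signer comparison is deliberately strict: a DLL signed by a different but legitimate publisher is still reported at medium severity, because third-party components beside a vendor's binary are uncommon enough to deserve a look, and a hooked DLL that stays idle until a particular export is called will not show anything else unusual at load time.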
How to Protect Against Multi-Wave Attacks
The FamousSparrow attack on the Azerbaijan oil company shows that organizations need to prepare for sustained, multi-wave attacks.
1. Fully patch vulnerabilities. The attackers returned through the same ProxyNotShell vulnerability repeatedly; had the victim fully patched after the first wave, the subsequent waves would have failed.
2. Rotate credentials after any compromise. Even if you believe you have removed the attacker, this case shows that compromised credentials may remain valid. Rotate everything after any incident.
3. Monitor for re-infection. The attackers returned within about a month each time; continuous monitoring for the same indicators of compromise would have detected their return.
4. Assume persistence. The attackers established redundant footholds, so assume that removing one backdoor does not mean the attacker is gone, and look for others.
5. Harden DLL side-loading vectors. The attackers used LogMeIn Hamachi for DLL side-loading; audit which legitimate binaries on your systems could be abused in the same way.
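Points 3 and 4 above amount to one concrete control: keep the indicators from the first wave in the monitoring pipeline after remediation, and treat any recurrence, especially on a host other than the original one, as the attacker's return rather than as noise. The following is an added example and not part of Bitdefender's report. It uses the two defanged domains named on the page as its indicator set (refanged only for matching); the DNS log excerpt, host names, timestamps and remediation time are all constructed.

```python
"""Re-infection watch over a DNS query log (added example).

Given a set of indicator domains and the time at which remediation was
declared complete, split indicator hits into "before" and "after", and
report when and on which hosts the indicators came back.
Log lines are constructed: "<ISO timestamp> <host> query <qname>".
"""
import re
from datetime import datetime

# Indicator domains as named on the page (defanged); refanged for matching.
INDICATORS = {"sentinelonepro[.]com", "sentinaloneg[.]com"}


def refang(domain: str) -> str:
    return domain.replace("[.]", ".")


INDICATOR_DOMAINS = {refang(d) for d in INDICATORS}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query (?P<qname>\S+)$")

# Constructed sample log: first-wave activity on one workstation, a gap,
# then the same indicators reappearing on two other hosts.
SAMPLE_LOG = """\
2026-02-20T09:12:01Z ws-fin-07 query updates.example-vendor.test
2026-02-20T10:03:44Z ws-fin-07 query sentinelonepro.com
2026-02-21T08:00:00Z ws-fin-07 query sentinelonepro.com
2026-02-27T11:30:15Z ws-fin-07 query mail.corp.test
2026-02-28T14:45:09Z srv-exch-01 query sentinaloneg.com
2026-02-28T14:46:10Z ws-hr-03 query cdn.sentinelonepro.com
"""

REMEDIATION_AT = datetime(2026, 2, 22, 18, 0, 0)  # constructed


def parse_log(text: str):
    """Yield (timestamp, host, qname) for every well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   m["host"], m["qname"].lower())


def matches_indicator(qname: str) -> bool:
    """Exact domain match or any subdomain of an indicator domain."""
    return any(qname == d or qname.endswith("." + d) for d in INDICATOR_DOMAINS)


def reinfection_report(events, remediated_at: datetime) -> dict:
    """Separate indicator hits around the remediation time and summarise the return."""
    hits = [e for e in events if matches_indicator(e[2])]
    before = [e for e in hits if e[0] <= remediated_at]
    after = [e for e in hits if e[0] > remediated_at]
    first_return = min((e[0] for e in after), default=None)
    return {
        "before": before,
        "after": after,
        "hosts_after": sorted({e[1] for e in after}),
        "first_return": first_return,
        "days_until_return": (first_return - remediated_at).days if first_return else None,
    }


if __name__ == "__main__":
    rep = reinfection_report(parse_log(SAMPLE_LOG), REMEDIATION_AT)
    if rep["after"]:
        print(f"indicators returned {rep['days_until_return']} days after remediation "
              f"on hosts: {', '.join(rep['hosts_after'])}")
    else:
        print("no indicator activity since remediation")
```

Matching on subdomains as well as exact names matters because a C2 operator can move to a new host label under the same registered domain without changing the indicator that was originally captured. The same structure applies to proxy logs, web shell file paths on the Exchange server, or hashes of the loader DLLs; only `parse_log` and the indicator set change.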
Final Thoughts
The FamousSparrow attack on the Azerbaijan oil company is a textbook example of modern cyber espionage: patient, persistent, adaptive, and relentless.
The attackers returned three times over two months, switched backdoors when one was not working, evolved their techniques, and established redundant footholds.
The victim believed it had remediated after each wave, but the attackers kept coming back because the root vulnerability was never fully closed and the credentials were never fully rotated.
For defenders, the lesson is clear: partial remediation is not remediation, and attackers will keep exploiting the same weakness until you completely eliminate it. This case shows that persistence wins when defenders are not persistent enough.
FAQ Section
Who is behind the FamousSparrow attack Azerbaijan oil company?
Bitdefender attributed the attack on the Azerbaijan oil company to FamousSparrow (UAT-9244) with moderate-to-high confidence. The group shares tactical overlap with Earth Estries and Salt Typhoon, and all are believed to be Chinese state-sponsored espionage groups.
What backdoors were used in the FamousSparrow attack Azerbaijan oil company?
Two distinct backdoors were used across three waves: Deed RAT (Snappybee), a ShadowPad successor, and TernDoor, which had previously been seen in attacks on South American telecom infrastructure since 2024.
How did the attackers get initial access in the FamousSparrow attack Azerbaijan oil company?
The attackers exploited the ProxyNotShell vulnerability chain in Microsoft Exchange Server. This was the entry point used in all three waves, because the victim never fully remediated the vulnerability.
What makes the DLL side-loading technique important for this attack?
FamousSparrow used an advanced DLL side-loading technique that overrides two exported functions of the malicious library, producing a two-step trigger in which the payload executes only when the legitimate host application calls those functions.
Why was Azerbaijan a target for the FamousSparrow attack?
Azerbaijan's contribution to European energy security has grown materially since Russia's gas transit agreement with Ukraine expired in 2024 and the Strait of Hormuz was disrupted in 2026. The purpose of the FamousSparrow attack on the Azerbaijan oil company therefore appears to be intelligence gathering and, potentially, the disruption of European energy supplies.