Full Report
A threat actor with affiliations to China has been linked to a "multi-wave intrusion" targeting an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026, marking an expansion of its targeting. The activity has been attributed by Bitdefender with moderate-to-high confidence to a hacking group known as FamousSparrow (aka UAT-9244), which shares some level of
Analysis Summary
# Incident Report: Multi-Wave Intrusion of Azerbaijani Energy Firm
## Executive Summary
A China-affiliated threat actor, attributed by Bitdefender with moderate-to-high confidence to FamousSparrow (aka UAT-9244), conducted a persistent "multi-wave" cyber espionage campaign against an Azerbaijani oil and gas firm between late December 2025 and late February 2026. The attackers repeatedly exploited unpatched Microsoft Exchange servers to deploy backdoors, including Deed RAT and TernDoor, with the aim of maintaining long-term access to critical energy infrastructure. Despite multiple remediation attempts by the victim, the attackers regained access after each one, re-entering through the same unpatched entry point and reusing credentials that had not been rotated.
## Incident Details
- **Discovery Date:** Late December 2025 (Initial wave identified)
- **Incident Date:** December 25, 2025 – Late February 2026
- **Affected Organization:** Unnamed Azerbaijani oil and gas company
- **Sector:** Energy (Oil & Gas)
- **Geography:** Azerbaijan
## Timeline of Events
### Initial Access
- **Date/Time:** December 25, 2025
- **Vector:** Exploitation of Microsoft Exchange Server
- **Details:** Attackers exploited the "ProxyNotShell" vulnerability chain (CVE-2022-41040, an SSRF in Autodiscover, chained with CVE-2022-41082, remote code execution through the Exchange PowerShell endpoint; both patched by Microsoft in November 2022) to gain entry, then dropped web shells on the server for persistence.
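Both the exploitation and the later use of the dropped web shells leave traces in the Exchange server's IIS logs. The following Python script is an added example for this report, not Bitdefender's tooling or anything recovered from the victim: it parses IIS W3C log lines (constructed here) and flags two things, requests whose URL has the ProxyNotShell shape, using the same pattern Microsoft published for its URL Rewrite mitigation, and POSTs to `.aspx` pages that are not on an allow-list of legitimate Exchange endpoints (the allow-list below is an assumption; a real one is built from a known-good server). A POST to an `.aspx` file that Exchange never ships is the typical footprint of an operator talking to a web shell.

```python
"""Hunt IIS W3C logs for ProxyNotShell-style requests and web-shell POSTs.

Added example for this report; not Bitdefender's tooling or the victim's.
The log lines are constructed. The regex mirrors the pattern Microsoft
published for its ProxyNotShell URL Rewrite mitigation; the .aspx allow-list
is an assumption for illustration.
"""
import re
from typing import Iterator

# Equivalent to Microsoft's mitigation pattern ".*autodiscover\.json.*\@.*Powershell.*"
# for ProxyNotShell (CVE-2022-41040 / CVE-2022-41082): an Autodiscover request
# whose URL smuggles "@" and a path to the PowerShell endpoint.
PROXYNOTSHELL_RE = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)

# Exchange .aspx endpoints that legitimately receive POSTs. ASSUMED allow-list;
# derive a real one by enumerating .aspx files on a clean Exchange server.
KNOWN_POST_ASPX = {
    "/owa/auth/logon.aspx",
    "/ecp/auth/logon.aspx",
}

# Constructed sample log (default IIS W3C layout, abbreviated field set).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-12-25 03:14:07 GET /owa/ - 198.51.100.10 200
2025-12-25 03:14:09 POST /owa/auth/logon.aspx - 198.51.100.10 302
2025-12-25 03:15:41 POST /autodiscover/autodiscover.json @evil.example/powershell?Email=autodiscover/autodiscover.json%3f@evil.example 203.0.113.7 200
2025-12-25 03:16:02 POST /aspnet_client/system_web/error.aspx - 203.0.113.7 200
2025-12-25 03:16:30 POST /aspnet_client/system_web/error.aspx cmd=whoami 203.0.113.7 200
2025-12-25 03:17:11 GET /ecp/ - 198.51.100.10 200
"""


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than abort the hunt
        yield dict(zip(fields, values))


def hunt(text: str) -> list[dict]:
    """Return findings: ProxyNotShell-shaped requests and POSTs to unknown .aspx."""
    findings = []
    for req in parse_w3c(text):
        stem, query = req["cs-uri-stem"], req["cs-uri-query"]
        uri = stem if query == "-" else f"{stem}?{query}"
        if PROXYNOTSHELL_RE.search(uri):
            findings.append({"rule": "proxynotshell", "ip": req["c-ip"], "uri": uri})
        elif (req["cs-method"] == "POST" and stem.lower().endswith(".aspx")
              and stem.lower() not in KNOWN_POST_ASPX):
            findings.append({"rule": "unknown_aspx_post", "ip": req["c-ip"], "uri": uri})
    return findings


def suspicious_ips(text: str) -> set[str]:
    """Client addresses behind any finding; feed these to firewall/IR triage."""
    return {f["ip"] for f in hunt(text)}


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['rule']:<18} {f['ip']:<15} {f['uri']}")
```

Run it against the real `W3SVC*` log directories of every Exchange server, including the ones the victim believed it had cleaned: the same pattern recurring weeks apart from fresh source addresses is exactly the multi-wave signal this incident shows.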
### Lateral Movement
- **Details:** Following initial access, the actors moved laterally to broaden their reach inside the network and to establish redundant footholds, so that the removal of any single implant would not end the intrusion.
### Data Exfiltration/Impact
- **Details:** Specific data volumes were not disclosed. The deployment of Deed RAT and TernDoor, both espionage-focused backdoors, indicates that the objective was long-term intelligence gathering on Azerbaijan's role as an energy supplier to Europe.
### Detection & Response
- **How it was discovered:** Analysis by Bitdefender identified the "multi-wave" nature of the attack across three distinct phases.
- **Response actions taken:** The organization attempted remediation; however, failure to fully patch the vulnerabilities or rotate compromised credentials allowed the attacker to return in late January and late February 2026.
## Attack Methodology
- **Initial Access:** Exploitation of ProxyNotShell (Microsoft Exchange).
- **Persistence:** Web shells and redundant backdoors (Deed RAT, TernDoor).
- **Defense Evasion:** DLL side-loading through legitimate, signed LogMeIn Hamachi binaries; the malicious DLL overrides the exported functions the host binary calls so that the payload only fires when a specific export is invoked, a "two-stage trigger" that keeps the DLL inert when it is merely loaded or scanned.
- **Lateral Movement:** Internal network scanning and movement to establish secondary footholds.
- **Collection:** Deployment of Deed RAT (successor to ShadowPad) for data gathering.
- **Exfiltration:** Command and Control (C2) traffic to domains masquerading as security vendors (e.g., sentinelonepro[.]com).
- **Impact:** Long-term espionage and persistent unauthorized access to critical infrastructure.
## Impact Assessment
- **Financial:** Not disclosed; costs associated with three separate incident response cycles.
- **Data Breach:** Compromise of the mail servers exposes internal communications; exposure of sensitive energy-transit data is plausible but was not confirmed.
- **Operational:** Repeated compromise of core mail infrastructure.
- **Reputational:** Risks associated with the security of Azerbaijan's energy supply to Europe.
## Indicators of Compromise
- **Network indicators:** sentinelonepro[.]com (C2 Domain)
- **File indicators:** Legitimate LogMeIn Hamachi binaries used for side-loading; Deed RAT (aka Snappybee); TernDoor; Mofu Loader (shellcode loader).
- **Behavioral indicators:** Repeated web shell deployment on Exchange servers; signed vendor binaries (Hamachi) loading DLLs from unexpected directories or loading DLLs that are unsigned or signed by a different publisher.
## Response Actions
- **Containment:** Attempts to block malicious IPs and remove web shells.
- **Eradication:** Multiple attempts to remove backdoors (Deed RAT/TernDoor).
- **Recovery:** Restoration of mail services, though initial recovery was incomplete as the entry vector remained open.
## Lessons Learned
- **Patch Management:** Successful exploitation of ProxyNotShell more than three years after its public disclosure and patch (November 2022), and again after the first intrusion was known, points to a broken patch management lifecycle for internet-facing Exchange servers.
- **Incomplete Remediation:** Removing malware without closing the entry vector or rotating credentials is insufficient to stop persistent APTs.
- **Evolving Tactics:** The use of "two-stage" DLL side-loading shows that attackers are refining traditional techniques to bypass modern EDR solutions.
## Recommendations
- **Emergency Patching:** Prioritize patching of all internet-facing Microsoft Exchange Servers.
- **Credential Hygiene:** Implement a full global password reset and rotate all service account credentials following a confirmed breach.
- **Enhanced Monitoring:** Implement behavioral detection for DLL side-loading: alert when a signed vendor binary loads an unsigned DLL, a DLL signed by a different publisher, or a DLL carrying a Windows library name from a directory other than the system directories, and compare the export tables of suspect DLLs against the legitimate library they replace.
- **Zero Trust:** Segment the Exchange environment from the rest of the corporate and industrial network to prevent lateral movement.