FamousSparrow Repeatedly Breached Azerbaijani Oil Firm via Microsoft Exchange
A China-linked threat actor tracked as FamousSparrow and UAT-9244 repeatedly compromised an unnamed Azerbaijani oil and gas company in a multi-wave campaign that ran from late December 2025 through late February 2026. Bitdefender assessed with moderate-to-high confidence that the attackers gained initial access by exploiting a vulnerable Microsoft Exchange Server, likely through the ProxyNotShell chain, and repeatedly re-entered the environment even after remediation efforts. The targeting expands the group's known victimology into Azerbaijan, a country with growing strategic importance to European energy security.
Across three intrusion waves, the operators deployed or attempted to deploy Deed RAT (also known as Snappybee), TernDoor, and a modified version of Deed RAT, while using web shells, lateral movement, and redundant footholds to preserve access. Researchers also reported an evolved DLL side-loading technique that abused the legitimate LogMeIn Hamachi binary to help evade defenses. The operation was described as sustained and adaptive, with the attackers changing payloads and persistence methods while continuing to exploit the same Exchange entry point.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Bitdefender links campaign to FamousSparrow and expands victimology
By May 2026, Bitdefender publicly attributed the multi-wave intrusion to FamousSparrow with moderate-to-high confidence, noting that the campaign expanded the group's known targeting into Azerbaijan's strategically important energy sector.
Intrusion progresses through three payload waves
Across three distinct waves ending in late February 2026, the operators deployed or attempted to deploy Deed RAT, then TernDoor, and later a modified Deed RAT, while using web shells, lateral movement, redundant footholds, and an evolved DLL side-loading technique involving LogMeIn Hamachi.
Attackers return in multiple waves despite remediation attempts
Between late December 2025 and late February 2026, the attackers repeatedly re-entered the victim environment through the same Exchange entry point even after remediation efforts, showing sustained and adaptive access operations.
FamousSparrow begins intrusion into Azerbaijani oil and gas company
In late December 2025, a China-linked threat actor tracked as FamousSparrow/UAT-9244 gained initial access to an unnamed Azerbaijani oil and gas company by exploiting a vulnerable Microsoft Exchange Server, likely via the ProxyNotShell chain.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Chinese APT Hackers Exploit Microsoft Exchange to Breach Energy Sector Network
cybersecuritynews.com
Open sourceChina-linked hackers target Azerbaijani oil firm in multi-wave attack | brief | SC Media
scworld.com
Open sourceAzerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation
thehackernews.com
Open sourceFamousSparrow APT Targets Azerbaijani Oil and Gas Industry
businessinsights.bitdefender.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Pro-Ukrainian Hacktivists Expand Exchange Intrusions Into CIS and Middle East
Kaspersky reported that several interconnected pro-Ukrainian hacktivist groups, including **4BID**, **Hacker kiт**, **C.A.S**, and **Goffee**, expanded attacks beyond Russia and Belarus to targets in **Kazakhstan, the UAE, Syria, and Egypt**. Victims included government entities, healthcare organizations, and the aviation sector. Researchers said the intrusions commonly began with exploitation of Microsoft Exchange **ProxyShell** vulnerabilities, followed by deployment of the `fd.aspx` ASP.NET web shell, execution of PowerShell or `cmd.exe`, reconnaissance, and installation of remote-management tools such as AnyDesk, Dev Tunnels, Panorama9, Tactical RMM, and Nezha Monitoring. The campaigns used a broad post-compromise toolkit that mixed public C2 frameworks and custom malware, including **Sliver**, **Havoc**, **Mythic Apollo**, **AdaptixC2**, **BlackSalt** backdoor, **Warp RAT**, **BlackReaperRAT**, **ClearWater** ransomware, and an updated **Blackout Locker**. Investigators also observed BYOVD-based EDR killers, including modified EDRKiller variants and GhostDriver, along with signs that some delivery scripts may have been AI-generated. ClearWater was seen encrypting files with **ChaCha20** and **RSA-2048**, dropping ransom notes, changing wallpapers, and deleting recovery artifacts, while Blackout Locker added a persistent screen-locking feature, reinforcing researchers' assessment that the actors are shifting from politically branded hacktivism toward financially motivated operations.
Jun 11, 2026
Chinese Espionage Campaign Breached Middle East Telcos via Exchange Servers
Chinese state-linked attackers infiltrated telecommunications providers in the Middle East after compromising internet-facing Microsoft Exchange servers, according to SentinelLABS and QGroup. The intrusions, first observed in early 2023, used webshell-based command execution to establish access and then expanded into reconnaissance, credential theft, lateral movement, and staging for data exfiltration. Researchers assessed the activity as highly likely tied to a Chinese cyberespionage actor associated with **Operation Soft Cell**, with **Gallium** judged a likely participant and possible links to **APT41** or shared tooling among Chinese state-sponsored groups. A key element of the campaign was **`mim221`**, a custom credential-theft framework derived from **Mimikatz** and built to steal credentials from **LSASS** while reducing detection opportunities. SentinelLABS said the malware chain used reflective loading, abuse of LSASS security packages, and selective termination of Windows Event Log service threads to limit forensic visibility, underscoring continued Chinese intelligence interest in regional telecom networks and a broader shift toward stealthier post-compromise tooling.
Apr 11, 2025
China-Aligned Shadow-Earth-053 Breached Exchange Servers for Long-Term Espionage
Trend Micro disclosed that the China-aligned cluster **SHADOW-EARTH-053** compromised more than a dozen organizations in at least eight countries by exploiting vulnerable Microsoft Exchange and IIS servers, including the `ProxyLogon` chain, then deploying **GODZILLA** web shells and the **ShadowPad** backdoor to maintain access. Victims included government agencies, defense contractors, technology firms, transportation organizations, and at least one target in Poland, with activity observed from December 2024 through April 2026. Researchers said the intrusions resemble broader Chinese state-linked operations such as Salt Typhoon and Volt Typhoon and may support long-term espionage, prepositioning, and potential future disruption. Post-compromise activity included DLL sideloading with a renamed Toshiba Bluetooth Stack executable, registry-resident shellcode execution via `EnumDesktopsA` callback injection, scheduled-task persistence, mailbox collection from Exchange, credential theft, and lateral movement using tools such as **IOX**, **GOST**, **Wstunnel**, **Sharp-SMBExec**, **Mimikatz**, and **Evil-CreateDump**. Trend Micro also identified overlap with a related cluster, **SHADOW-EARTH-054**, including shared tool hashes, reused vulnerabilities, and compromises at some of the same organizations, although the company assessed the relationship as overlapping exploitation rather than clearly coordinated operations. Defenders were urged to patch Exchange and IIS systems quickly and review IIS worker process activity, web-shell indicators, and other signs of stealthy post-exploitation.
May 15, 2026