Chinese APT Repeatedly Reenters Azerbaijani Oil & Gas Through Exchange


CyberSecureFox Editorial Team

According to Bitdefender researchers, the Chinese cyber-espionage group FamousSparrow carried out a multi-stage operation against an unnamed Azerbaijani oil and gas company from late December 2025 to late February 2026. The attackers entered the victim's infrastructure three times through the same vulnerable Microsoft Exchange server, each time deploying, or attempting to deploy, fresh variants of the Deed RAT and TernDoor backdoors. The campaign highlights a critical issue: remediation that removes the malware but leaves the entry point open lets the adversary simply walk back in. Energy-sector organizations running Exchange should verify their patch status now and rotate any credentials that may have been exposed.

Timeline and technical anatomy of the attack

According to Bitdefender, the campaign consisted of three distinct waves, each of which used the same entry point: a vulnerable Microsoft Exchange server. Initial access was most likely obtained through the ProxyNotShell exploit chain.

First wave — December 25, 2025

After gaining access, the attackers deployed web shells to maintain persistence in the infrastructure, and then delivered Deed RAT (also known as Snappybee) — a backdoor that is a successor to ShadowPad and is used by several China-linked groups. An enhanced DLL hijacking technique was used to load Deed RAT, leveraging the legitimate LogMeIn Hamachi executable.

A key technical detail: in standard DLL hijacking the malicious library is simply dropped in place of the one the host expects and runs its payload as soon as it is mapped. Here, the attackers instead implemented two specific functions exported by the malicious library, so that the Deed RAT loader was triggered only when the host application called those exports in its normal control flow. This two-stage trigger means a tool that merely observes the library being loaded, or that only inspects its entry point, sees nothing malicious, which significantly complicates detection.

At this stage, lateral movement across the network was also observed, aimed at expanding access and creating fallback footholds.

Second wave — late January to early February 2026

Roughly a month later, the attackers returned via the same Exchange server and attempted to deploy the TernDoor backdoor — malware previously observed in attacks against South American telecommunications infrastructure since 2024. The Mofu Loader and a DLL hijacking technique were used for delivery. According to the researchers, this attempt was unsuccessful.

Third wave — late February 2026

In the third wave, the attackers again turned to Deed RAT, but in a modified version. This sample reached its command-and-control server through the domain sentinelonepro[.]com, a name chosen to pass as infrastructure of the legitimate SentinelOne security product, a characteristic way of disguising C2 traffic as vendor telemetry.

Geopolitical context and motivation

The choice of target is not accidental. As Bitdefender analysts note, Azerbaijan's role in Europe's energy security grew significantly after the Russia–Ukraine gas transit agreement expired at the end of 2024 and after shipping through the Strait of Hormuz was disrupted in 2026. An attack on the oil and gas sector of a country that has become an alternative energy supplier for the EU is consistent with strategic intelligence collection.

The campaign extends FamousSparrow’s known victimology to a new region. Previously, this group, also tracked as UAT-9244, had been observed targeting the hospitality sector, government organizations, and international bodies. It should be borne in mind that this attribution is based on a single vendor’s assessment and has not been confirmed by independent sources.

Impact assessment

The campaign primarily threatens:

  • The energy sector of Azerbaijan and Caspian-region countries involved in supplying hydrocarbons to Europe
  • Organizations with unpatched Exchange servers, particularly those exposed to ProxyNotShell exploitation
  • Telecommunications companies — given that TernDoor has previously been used against this sector

The attackers’ threefold return through a single entry point indicates a systemic problem: incident response that does not fully eliminate the root cause creates an illusion of security. Each wave brought new tools and additional footholds, complicating complete environment cleanup.

Defense recommendations

  1. Patching Microsoft Exchange: ensure that all security updates closing the ProxyNotShell vulnerabilities (CVE-2022-41040, CVE-2022-41082) and every later Security Update are installed, and confirm that no unsupported legacy version of Exchange is still in use
  2. Credential rotation: after detecting an Exchange compromise, reset every account the server could have exposed, including service accounts and any credentials cached on the host, not just user mailboxes
  3. Web shell hunting: audit the web-facing Exchange directories (in particular the FrontEnd\HttpProxy virtual directories) for ASPX files created or modified after the presumed start of the compromise
  4. Monitoring DLL hijacking: track DLLs loaded by LogMeIn Hamachi and other legitimate applications from unexpected locations or without a valid signature, and compare the exports of any suspicious library with those of the genuine one
  5. IOC blocking: block the sentinelonepro[.]com domain at the DNS and proxy layers and search historical DNS and proxy logs for past queries to it
  6. Comprehensive post-incident review: when signs of compromise are detected, do not stop at removing malware; check for fallback persistence points, lateral movement, and additional backdoors
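The hunting steps above (ProxyNotShell requests in the IIS logs, ASPX drops under the Exchange front end, side-loading into the Hamachi process, and lookups of the lookalike C2 domain) can be expressed as a handful of rules over host telemetry. The script below is an added example written for this article, not Bitdefender's or the victim's tooling; it runs over constructed sample records shaped like Sysmon FileCreate/ImageLoad/DnsQuery events and IIS W3C log lines, and the timestamps, paths, the `hamachi-2.exe` binary name, the Hamachi install directory and the hunt start date are all assumptions to adjust for a real environment.

```python
import ntpath
import re
from datetime import datetime

# --- Constructed sample telemetry (invented for this example, not incident data) ---
# Records loosely follow Sysmon event IDs: 11 = FileCreate, 7 = ImageLoad, 22 = DnsQuery.
SAMPLE_EVENTS = [
    {"id": 11, "utc": "2025-12-25T03:14:07",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx"},
    {"id": 11, "utc": "2025-11-02T09:00:00",                      # before the hunt window: ignored
     "image": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\ExSetup.exe",
     "target": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx"},
    {"id": 7, "utc": "2025-12-25T03:20:11",                       # Hamachi copied to a staging dir,
     "image": r"C:\ProgramData\Hamachi\hamachi-2.exe",            # loading an unsigned DLL beside it
     "loaded": r"C:\ProgramData\Hamachi\version.dll", "signed": "false", "signature": "-"},
    {"id": 7, "utc": "2025-12-25T03:20:11",                       # normal OS DLL: ignored
     "image": r"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe",
     "loaded": r"C:\Windows\System32\ws2_32.dll", "signed": "true", "signature": "Microsoft Windows"},
    {"id": 22, "utc": "2026-02-24T14:02:55",
     "image": r"C:\ProgramData\Hamachi\hamachi-2.exe", "query": "update.sentinelonepro.com"},
    {"id": 22, "utc": "2026-02-24T14:03:10",                      # genuine vendor domain: ignored
     "image": r"C:\Program Files\SentinelOne\Sentinel Agent\SentinelAgent.exe",
     "query": "agent.sentinelone.net"},
]
# IIS W3C access-log lines (fields: date time s-ip cs-method cs-uri-stem cs-uri-query ...).
SAMPLE_IIS = [
    "2025-12-25 03:12:40 10.0.0.5 POST /autodiscover/autodiscover.json "
    "@example.org/powershell&Email=autodiscover/autodiscover.json%3f@example.org 443 - 203.0.113.7 - - 401 0 0 31",
    "2025-12-25 03:13:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.9 Mozilla/5.0 - 200 0 0 12",
]

# --- Hunt parameters (assumptions, tune per environment) ---
HUNT_START = datetime(2025, 12, 20)            # lower bound just before the first wave
EXCHANGE_FRONTEND = "\\frontend\\httpproxy\\"  # web-facing virtual directories (owa, ecp, autodiscover, ...)
HAMACHI_HOME = "c:\\program files (x86)\\logmein hamachi\\"  # assumed default install directory
WINDOWS_DIR = "c:\\windows\\"
C2_LOOKALIKE = re.compile(r"(^|\.)sentinelonepro\.com$", re.IGNORECASE)
# Same shape as the interim URL Rewrite mitigation Microsoft published for CVE-2022-41040:
# an autodiscover.json request steered at the PowerShell backend.
PROXYNOTSHELL = re.compile(r"autodiscover\.json.*powershell", re.IGNORECASE)


def hunt(events, iis_lines):
    """Return (rule, evidence) tuples for every record that matches one of the four hunt rules."""
    findings = []
    for e in events:
        when = datetime.fromisoformat(e["utc"])
        if e["id"] == 11:
            # Rule 1: ASPX written under the Exchange front end inside the hunt window.
            target = e["target"].lower()
            if target.endswith(".aspx") and EXCHANGE_FRONTEND in target and when >= HUNT_START:
                findings.append(("webshell_candidate", e["target"]))
        elif e["id"] == 7 and "hamachi" in ntpath.basename(e["image"]).lower():
            # Rule 2: the Hamachi process loading an unsigned DLL, or one outside its
            # install directory and the OS directory (classic side-loading shape).
            loaded = e["loaded"].lower()
            trusted_dir = loaded.startswith(HAMACHI_HOME) or loaded.startswith(WINDOWS_DIR)
            if e["signed"] != "true" or not trusted_dir:
                findings.append(("sideload_candidate", e["loaded"]))
        elif e["id"] == 22 and C2_LOOKALIKE.search(e["query"]):
            # Rule 3: any hostname under the lookalike C2 domain.
            findings.append(("c2_lookalike_dns", e["query"]))
    for line in iis_lines:
        # Rule 4: ProxyNotShell-shaped request; match across stem and query fields.
        if PROXYNOTSHELL.search(line):
            stem, query = line.split()[4:6]
            findings.append(("proxynotshell_request", stem + "?" + query))
    return findings


if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS, SAMPLE_IIS):
        print(f"{rule:24} {evidence}")
```

Run against the constructed data, the script flags the ASPX drop in the owa\auth directory, the unsigned version.dll loaded by the relocated Hamachi binary, the sentinelonepro[.]com lookup and the autodiscover.json request, while ignoring the pre-window file, the signed OS DLL and the genuine sentinelone.net query. Rule 2 intentionally does not trust a DLL just because it sits next to the executable, since that is exactly where a side-loaded library lives; signature state and location are checked together.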

This campaign clearly demonstrates that incomplete incident response is worse than none: it creates a false sense of security while the adversary continues operations. Energy-sector organizations with Microsoft Exchange servers on the perimeter should urgently verify that patches are up to date, search for indicators of compromise, and ensure that their response procedures include full credential rotation and the removal of all persistence mechanisms, not just the initial intrusion vector.

