China-linked hackers re-enter Azerbaijani energy firm
China-linked hackers repeatedly breached an Azerbaijani oil and gas firm between Dec. 25, 2025 and late February 2026 by exploiting the ProxyNotShell chain in Microsoft Exchange and deploying the Deed RAT and TernDoor backdoors.
Romanian cybersecurity firm Bitdefender reported a multi-wave intrusion against an Azerbaijani oil and gas company that began Dec. 25, 2025 and continued into late February 2026. The attackers exploited a ProxyNotShell chain in Microsoft Exchange and installed backdoors across three separate waves.
Bitdefender attributed the activity with moderate-to-high confidence to the group tracked as FamousSparrow, also known as UAT-9244, with tactical overlap with clusters labeled Earth Estries and Salt Typhoon. The first wave on Dec. 25 deployed Deed RAT (also called Snappybee). The second wave in late January and early February involved an attempted TernDoor deployment that failed. The actor returned in late February with a modified Deed RAT that used the domain “sentinelonepro[.]com” for command-and-control.
Initial access was gained by exploiting a vulnerable Microsoft Exchange Server using the ProxyNotShell chain. After gaining access, the intruders installed web shells to maintain connectivity, moved laterally within the network to expand access, and created redundant footholds to preserve entry if parts of their presence were removed.
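A practical check for the entry point described above is to hunt IIS logs on the Exchange server for the ProxyNotShell request shape. The following is an added example, not code from Bitdefender's report: it parses W3C-format IIS lines and flags Autodiscover requests whose URI also carries a PowerShell back-end path, the same condition Microsoft's URL Rewrite mitigation for the chain keys on. The log lines, client addresses and X-Rps-CAT value are constructed for the example.

```python
import re

# Modelled on Microsoft's URL Rewrite mitigation pattern for ProxyNotShell
# (CVE-2022-41040 / CVE-2022-41082): an Autodiscover request whose URI also
# names a PowerShell back-end path. Checked against stem + query together,
# because the smuggled path lives in the query string.
EXPLOIT_RE = re.compile(r"(?i)(?=.*autodiscover)(?=.*powershell)")
# Weaker signal: an "@host" hop inside an Autodiscover URI with no PowerShell
# target, typical of scanners probing only the SSRF half of the chain.
PROBE_RE = re.compile(r"(?i)autodiscover[^ ]*@")

# Constructed W3C IIS lines with the default field set (not from the report).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-12-25 03:12:55 10.0.0.5 GET /autodiscover/autodiscover.json @evil.example/owa/ 443 - 203.0.113.7 python-requests/2.31 - 401 0 0 27
2025-12-25 03:14:07 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 412
2025-12-25 03:14:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/PowerShell/?X-Rps-CAT=VgEAVAdXaW5kb3dz 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 398
2025-12-25 03:20:41 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.24 Mozilla/5.0 - 200 0 0 15
2025-12-25 03:21:02 10.0.0.5 POST /autodiscover/autodiscover.json - 443 CORP\\jdoe 10.0.0.77 Outlook/16.0 - 200 0 0 61
"""


def parse_w3c(log_text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line seen before #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than abort a hunt over large logs
        yield dict(zip(fields, values))


def request_uri(rec):
    """Rebuild the request URI; IIS logs '-' when there is no query string."""
    query = rec.get("cs-uri-query", "-")
    stem = rec.get("cs-uri-stem", "")
    return stem if query == "-" else f"{stem}?{query}"


def find_proxynotshell(log_text):
    """Return flagged requests, each tagged 'exploit' (full chain) or 'probe' (SSRF only)."""
    hits = []
    for rec in parse_w3c(log_text):
        uri = request_uri(rec)
        if EXPLOIT_RE.search(uri):
            tier = "exploit"
        elif PROBE_RE.search(uri):
            tier = "probe"
        else:
            continue
        hits.append({
            "time": f"{rec['date']} {rec['time']}",
            "client": rec["c-ip"],
            "status": rec["sc-status"],
            "tier": tier,
            "uri": uri,
        })
    return hits


def summarize_by_client(hits):
    """Count flagged requests per source address for triage."""
    counts = {}
    for h in hits:
        counts[h["client"]] = counts.get(h["client"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_proxynotshell(SAMPLE_IIS_LOG)
    for h in found:
        print(h["time"], h["client"], h["status"], h["tier"], h["uri"])
    print(summarize_by_client(found))
```

A 200 on the "exploit" tier is the line to act on: the SSRF reached the back end and the PowerShell path was accepted, which on an unpatched server means the remote-code-execution half of the chain was available. The legitimate Outlook Autodiscover POST at the end is not flagged because it carries neither an "@" hop nor a PowerShell path; a real Autodiscover query that happened to contain the literal word "powershell" would match and needs manual triage by client and status.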
Analysts observed an evolved DLL side-loading technique to run Deed RAT. The legitimate LogMeIn Hamachi binary was used to load a malicious DLL that overrides two exported functions, creating a two-stage trigger that launches the RAT through the host application’s normal control flow. During the second wave the actor attempted to use Mofu Loader, a shellcode loader previously linked to GroundPeony, to drop TernDoor.
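The export-override trick above happens inside the DLL, where image-load telemetry cannot see it, but the loader still has to pull an unsigned module from the directory beside a signed host binary. The following is an added example, not from the report, of the generic side-loading check a defender would run over Sysmon Event ID 7 (ImageLoaded) records: flag DLLs loaded from the host process's own directory that lack a valid signature, and rank higher when that directory is outside the usual install roots. The records, install paths, DLL names and signer strings are constructed and hypothetical; the Hamachi binary and DLL names are not taken from the incident.

```python
import ntpath
from dataclasses import dataclass

# Directories where vendor-installed software normally lives; an unsigned
# app-local DLL outside these (user profile, Public, Temp) ranks higher.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")


@dataclass(frozen=True)
class ImageLoad:
    """Subset of Sysmon Event ID 7 fields."""
    image: str             # Image: the process that loaded the module
    image_loaded: str      # ImageLoaded: full path of the DLL
    signed: bool           # Signed
    signature: str         # Signature: signer subject, "-" when unsigned
    signature_status: str  # SignatureStatus: "Valid", "Unavailable", ...


# Constructed records (hypothetical paths, DLL names and signers), not incident data.
SAMPLE_LOADS = [
    ImageLoad(r"C:\Users\Public\hamachi\hamachi-2-ui.exe",
              r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows", "Valid"),
    ImageLoad(r"C:\Users\Public\hamachi\hamachi-2-ui.exe",
              r"C:\Users\Public\hamachi\libeay32.dll", False, "-", "Unavailable"),
    ImageLoad(r"C:\Users\Public\hamachi\hamachi-2-ui.exe",          # duplicate event
              r"C:\Users\Public\hamachi\libeay32.dll", False, "-", "Unavailable"),
    ImageLoad(r"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe",
              r"C:\Program Files (x86)\LogMeIn Hamachi\libeay32.dll", True, "LogMeIn, Inc.", "Valid"),
    ImageLoad(r"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe",
              r"C:\Program Files (x86)\LogMeIn Hamachi\ssleay32.dll", False, "-", "Unavailable"),
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\user32.dll", True, "Microsoft Windows", "Valid"),
]


def is_app_local(load):
    """True when the DLL sits in the same directory as the process image."""
    return (ntpath.normcase(ntpath.dirname(load.image))
            == ntpath.normcase(ntpath.dirname(load.image_loaded)))


def in_trusted_root(path):
    p = ntpath.normcase(path)
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def side_loading_candidates(loads):
    """Return deduplicated findings for unsigned app-local DLL loads, ordered as seen."""
    findings = []
    seen = set()
    for load in loads:
        if not is_app_local(load):
            continue  # modules resolved from System32 etc. are not side-loads
        if load.signature_status == "Valid":
            continue  # vendor-shipped, signed app-local module: expected
        key = (ntpath.normcase(load.image), ntpath.normcase(load.image_loaded))
        if key in seen:
            continue
        seen.add(key)
        severity = "medium" if in_trusted_root(load.image) else "high"
        findings.append({
            "severity": severity,
            "process": load.image,
            "dll": load.image_loaded,
            "reason": f"app-local DLL with SignatureStatus={load.signature_status}"
                      + ("" if severity == "medium" else " loaded from a non-install directory"),
        })
    return findings


if __name__ == "__main__":
    for f in side_loading_candidates(SAMPLE_LOADS):
        print(f["severity"].upper(), f["process"], "->", f["dll"], "|", f["reason"])
```

The signed copy of the vendor binary is exactly what makes this pattern hard to block by hash or signer, so the check looks at the unsigned neighbour instead. The "medium" case (an unsigned module inside Program Files) still deserves a look, since a vendor directory can be written to by an administrator-level intruder, but the high-ranked case, a signed host binary copied to a user-writable path and loading an unsigned DLL from there, is the one to pivot on first.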
Bitdefender reported that the attackers repeatedly returned to the same Exchange entry point despite multiple remediation attempts. The campaign rotated payloads across waves and established multiple footholds to enable returns after partial cleanup.
Bitdefender wrote: "This targeting extends the known FamousSparrow victimology into a region where Azerbaijan's role in European energy security has materially increased."
The report added: "This intrusion should not be viewed as an isolated compromise, but as a sustained and adaptive operation conducted by an actor that repeatedly sought to regain and extend access within the victim environment."
Deed RAT has been observed in operations linked to multiple China-nexus espionage groups. TernDoor was first identified in attacks on telecommunications infrastructure in South America beginning in 2024. Security firms noted that the pattern seen here, an actor returning through one unpatched entry point and rotating backdoors between waves, shows why an intrusion is not closed until the vulnerability is patched and credentials exposed during the compromise are rotated.