A threat actor identified as FamousSparrow has been implicated in a series of intrusions targeting an Azerbaijani oil and gas company. The campaign, which ran from late December 2025 to late February 2026, marks an expansion of the group's targeting. Bitdefender has attributed the attacks to FamousSparrow with moderate-to-high confidence, noting tactical overlaps with groups such as Earth Estries and Salt Typhoon.

The attack unfolded in three waves and deployed two distinct backdoors: Deed RAT, a successor of ShadowPad, and TernDoor. Deed RAT was first deployed on December 25, 2025, followed by TernDoor in late January or early February 2026, and a modified Deed RAT in late February 2026. For initial access, the attackers exploited the ProxyNotShell vulnerability chain in Microsoft Exchange Server.

The intrusion is significant because it extends FamousSparrow's activity into Azerbaijan, a region of growing importance to European energy security. That importance follows geopolitical shifts such as the expiration of Russia's Ukraine gas transit agreement in 2024 and disruptions in the Strait of Hormuz in 2026. The campaign also illustrates that a vulnerability keeps being exploited until it is fully patched and the attacker's existing access is cut off.

After gaining initial access, the attackers sought persistence by deploying web shells and using an evolved DLL side-loading technique. The legitimate LogMeIn Hamachi binary was used to load a rogue DLL, which in turn executed the main payload. Bitdefender noted that this approach goes beyond traditional DLL side-loading by creating a two-stage trigger that integrates with the host application's control flow, improving defense evasion.
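A defender-side check for the side-loading pattern described above, added here as an example and not code from Bitdefender or the article: it runs a simple heuristic over constructed Sysmon Event ID 7 (Image Loaded) records, flagging an unsigned DLL loaded from the same directory as a legitimate binary and raising the severity when that binary runs from outside the normal install roots. The record fields, paths and DLL names are assumptions for illustration; `hamachi-2.exe` stands in for the LogMeIn Hamachi binary.

```python
import ntpath

# Constructed Sysmon Event ID 7 (Image Loaded) records, reduced to the fields the
# check needs. Paths, DLL names and signature states are illustrative, not from the
# incident; "hamachi-2.exe" stands in for the LogMeIn Hamachi binary.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe",
     "ImageLoaded": r"C:\Program Files (x86)\LogMeIn Hamachi\vendor.dll", "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": r"C:\Users\Public\Libraries\hamachi-2.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\planted.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe",
     "ImageLoaded": r"C:\Program Files (x86)\LogMeIn Hamachi\planted.dll", "Signed": "false", "SignatureStatus": "Unavailable"},
]

# Directories where a legitimate installer would normally place the loader.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _norm(path: str) -> str:
    # Case-fold and normalise a Windows path so the comparison is stable on any host.
    return ntpath.normcase(ntpath.normpath(path))


def classify(event: dict):
    """Return None, or a severity, for one Image Loaded event.

    Side-loading shape: the DLL sits in the same directory as the process that
    loaded it and is unsigned or carries an invalid signature. Severity is 'high'
    when the loader runs from outside the usual install roots (a legitimate
    binary copied somewhere it does not belong), 'medium' otherwise.
    """
    proc_dir = ntpath.dirname(_norm(event["Image"]))
    if proc_dir != ntpath.dirname(_norm(event["ImageLoaded"])):
        return None
    if event.get("Signed", "").lower() == "true" and event.get("SignatureStatus") == "Valid":
        return None
    relocated = not (proc_dir + "\\").startswith(TRUSTED_ROOTS)
    return "high" if relocated else "medium"


def find_side_loads(events):
    """Return (severity, loader, dll) for every event that matches the heuristic."""
    return [(sev, ev["Image"], ev["ImageLoaded"])
            for ev in events for sev in [classify(ev)] if sev]
```

This is a triage heuristic rather than a signature: vendor installers that ship unsigned helper DLLs will surface as medium findings and need an allowlist, while the high-severity case (a known-good binary running from a user-writable directory with an unsigned neighbour) is the one worth paging on.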
The attackers also moved laterally within the compromised network to broaden their access and establish redundant footholds, a strategy that makes the intrusion more resilient to detection and removal.

The second wave, nearly a month after the initial intrusion, involved an unsuccessful attempt to deploy TernDoor using the Mofu Loader, a shellcode loader linked to GroundPeony. In late February 2026 the threat actors targeted the Azerbaijani firm a third time, deploying a modified version of Deed RAT. This iteration used "sentinelonepro[.]com" for command-and-control communications, indicating ongoing efforts to refine the group's malware arsenal.

The repeated attempts to regain access underscore the attackers' persistence and operational discipline. Bitdefender emphasized that the intrusion should be viewed as a sustained, adaptive operation rather than an isolated incident: the attackers consistently revisited the same access path, introduced new payloads, and established additional footholds, reflecting a strategic approach to maintaining access within the victim's environment.
Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation
Cyber RT | May 13, 2026 | 3 min read

A threat actor, FamousSparrow, targeted an Azerbaijani oil and gas company from December 2025 to February 2026, exploiting a Microsoft Exchange Server vulnerability. The attack deployed the Deed RAT and TernDoor backdoors in three waves, using DLL side-loading techniques. Despite remediation efforts the attackers persisted, in a campaign that highlights Azerbaijan's growing energy role since 2024. Bitdefender emphasized the operation's persistence and adaptability in maintaining access.


