Chinese cyber-espionage group FamousSparrow targets Azerbaijan’s strategic oil and gas sector

Aze.News | News | 14 May 2026

According to research by Bitdefender Labs, from late December 2025 to late February 2026, an unnamed Azerbaijani oil and gas company became the target of a multi-stage cyber operation. Experts link the attack to FamousSparrow, a group associated with the Chinese APT ecosystem. The level of confidence in the attribution is assessed as moderate to high, while researchers also point to overlaps with the tools and methods used by the Earth Estries group.

In recent years, Azerbaijan has significantly strengthened its role in Europe’s energy architecture, especially against the backdrop of weakened traditional supply routes and Europe’s growing interest in alternative sources of gas. In this context, the country’s oil and gas infrastructure is naturally becoming an object of increased attention not only for economic partners, but also for cyber-espionage actors.

Not a one-off attack, but a prolonged operation

One of Bitdefender’s key conclusions is that the attack was neither random nor isolated. On the contrary, the attackers returned to the same entry point several times, despite attempts to remediate the consequences of previous compromises.

According to the researchers, initial access was obtained through a vulnerable Microsoft Exchange server. The attackers used the well-known ProxyShell and ProxyNotShell vulnerability chains, which for several years have remained among the most dangerous tools for penetrating corporate networks when servers are not updated or are insufficiently isolated.

At first, the attackers attempted to place web shells on the Exchange server, allowing them to execute commands and maintain access. They then moved on to installing more sophisticated malicious tools, including Deed RAT and Terndoor — two different families of backdoors designed for covert control over infected systems.

What is particularly revealing is that the operation unfolded in three waves. In the first stage, Deed RAT was deployed. In the second, the attackers attempted to use Terndoor through the Mofu loader. In the third, they returned to Deed RAT again, but with a modified configuration and a new command-and-control server. This change in tooling suggests not improvisation, but a disciplined and adaptive operation.

Why this matters for Azerbaijan

Before this, public research had mainly linked FamousSparrow to attacks on telecommunications, government, and technology structures in the United States, the Asia-Pacific region, the Middle East, and South Africa. The mention of the South Caucasus, and specifically Azerbaijan’s energy sector, expands the known geography and sectoral focus of this group.

This makes the incident important not only for cybersecurity specialists, but also for political analysts. The South Caucasus lies at the intersection of the interests of Russia, China, Europe, Iran, and Türkiye. Azerbaijan, in turn, occupies a key position in transport and energy corridors connecting the Caspian region, the Black Sea, and Europe.

Therefore, an attack on an oil and gas company can be viewed as part of a broader picture: intelligence structures seek access to information about energy flows, infrastructure projects, corporate networks, logistics, and potential vulnerabilities. Even if the objective is not immediate sabotage, access to such systems already has strategic value.

The technical side: the evolution of stealth methods

Bitdefender separately highlights the technical complexity of the operation. The malicious code used an advanced DLL sideloading technique. In its usual form, this method involves attackers placing a malicious library next to a legitimate program, which then loads it instead of the genuine component.

In this case, however, the mechanism was more complex. The malicious library did not launch the main payload immediately. Instead, it waited until the legitimate application completed a specific sequence of internal calls. Only after that was the next stage of the infection activated. This approach helps bypass automated sandboxes and analysis systems, which often examine a file in isolation without reproducing the program’s natural execution scenario.

In other words, the malicious code was designed to appear inactive during superficial inspection, while activating in a real environment. This indicates a high level of preparation by the operators and the continued development of their toolkit.
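Because the payload in this campaign stays dormant until the host application has run through its normal call sequence, behaviour-based sandboxing can miss it; the load event itself, however, happens regardless of whether the payload ever activates. The following Python script is an added illustration (not code from the article or from Bitdefender) of a load-time heuristic a defender can run over endpoint image-load telemetry: it flags a DLL that carries the name of a system library but is loaded from the application's own directory, or an unsigned DLL sitting beside a signed executable. The record layout, the baseline list of system DLL names and all sample events are constructed for the example.

```python
"""Heuristic detection of DLL side-loading from image-load telemetry.

Added illustration, not part of the Bitdefender report or the article.
Input records mimic the shape of an endpoint sensor's image-load event
(Sysmon Event ID 7 is the familiar example); all values are constructed.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Baseline of DLL names that live in the Windows system directory on a
# known-good host. A real deployment would export this inventory from a
# clean reference machine; these four entries are a constructed sample.
SYSTEM_DLL_BASELINE = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "msvcrt.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


@dataclass(frozen=True)
class ImageLoad:
    process: str        # full path of the loading process (Sysmon "Image")
    module: str         # full path of the loaded DLL (Sysmon "ImageLoaded")
    module_signed: bool
    process_signed: bool


def _norm(path: str) -> PureWindowsPath:
    """Lower-case the path so directory comparisons are case-insensitive."""
    return PureWindowsPath(path.lower())


def _in_system_dir(p: PureWindowsPath) -> bool:
    return any(str(p).startswith(d) for d in SYSTEM_DIRS)


def sideload_findings(events):
    """Return (process, module, reasons) for every load that looks side-loaded."""
    findings = []
    for ev in events:
        proc, mod = _norm(ev.process), _norm(ev.module)
        side_by_side = proc.parent == mod.parent
        shadows_system_dll = mod.name in SYSTEM_DLL_BASELINE and not _in_system_dir(mod)
        unsigned_beside_signed = side_by_side and ev.process_signed and not ev.module_signed
        reasons = []
        if side_by_side and shadows_system_dll:
            reasons.append("system DLL name loaded from application directory")
        if unsigned_beside_signed:
            reasons.append("unsigned DLL beside signed executable")
        if reasons:
            findings.append((ev.process, ev.module, reasons))
    return findings


# Constructed sample telemetry: one benign system load, one classic
# side-load, one benign vendor DLL, one unsigned helper beside a signed binary.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", r"C:\Windows\System32\version.dll", True, True),
    ImageLoad(r"C:\Users\Public\update\tool.exe", r"C:\Users\Public\update\version.dll", False, True),
    ImageLoad(r"C:\Program Files\Vendor\tool.exe", r"C:\Program Files\Vendor\vendorcore.dll", True, True),
    ImageLoad(r"C:\Users\Public\update\tool.exe", r"C:\Users\Public\update\helper.dll", False, True),
]

if __name__ == "__main__":
    for process, module, reasons in sideload_findings(SAMPLE_EVENTS):
        print(f"{process} loaded {module}: {'; '.join(reasons)}")
```

The heuristic deliberately asserts nothing about what the loaded code does, so a payload that waits for a particular internal call sequence before activating is flagged at the same point as one that fires immediately. Legitimate software does ship private copies of system-named libraries, so in practice the baseline is per-application and findings are triaged against a software inventory rather than blocked outright.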

In addition, the Deed RAT used in this operation differed from earlier versions. Researchers identified changes in magic values, compression and encryption methods, as well as in the plugin loading mechanism. This suggests that the malware developers continue to adapt it to new tasks and detection methods.

Repeated intrusion through the same path

The most alarming element of the entire story is the repeated use of the same entry point. The attackers returned to the vulnerable Exchange server several times over a two-month period. This demonstrates a simple but critically important point: removing malicious files alone does not mean the attack is over.

If the vulnerability is not patched, credentials are not rotated, and lateral movement inside the network is not fully investigated, the attackers can return. Moreover, they can use already obtained privileges to establish themselves on other servers and create backup access channels.

In this case, according to the report, the attackers used RDP, PowerShell, and Impacket-like tools to move between machines inside the network. This means that after the initial penetration, the operation progressed to a full-fledged internal presence, with reconnaissance and lateral movement across the environment.
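The article's point that lateral movement must be fully investigated before an intrusion is declared over can be turned into a concrete check. The script below is an added example (not code from the article or from Bitdefender) that correlates Windows logon events: RDP sessions show up as Security Event ID 4624 with logon type 10, and the network logons that SMB-based remote-execution tooling produces appear as type 3. It flags any source address and account that reach several distinct hosts within a short window, the fan-out pattern that one operator moving between machines leaves behind. The pipe-separated input format and every host, account and address are constructed for the example; the thresholds are assumptions to be tuned per environment.

```python
"""Flag lateral-movement fan-out from Windows logon events.

Added illustration, not part of the Bitdefender report or the article.
Records mimic Security Event ID 4624 fields (LogonType 10 = RDP /
RemoteInteractive, 3 = network logon, 2 = local interactive);
every value below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LATERAL_LOGON_TYPES = {3, 10}   # network and RDP logons


def parse_logons(lines):
    """Parse 'timestamp|target_host|account|source_ip|logon_type' lines
    (a constructed export format standing in for the real event fields)."""
    out = []
    for line in lines:
        ts, host, account, src, ltype = line.split("|")
        out.append({"ts": datetime.fromisoformat(ts), "host": host,
                    "account": account, "src": src, "type": int(ltype)})
    return out


def fanout_alerts(events, window=timedelta(minutes=30), min_hosts=3):
    """Return (source_ip, account, hosts) for every source/account pair that
    logs into at least `min_hosts` distinct hosts with a lateral logon type
    inside `window`. Thresholds are assumptions, not values from the report."""
    by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] in LATERAL_LOGON_TYPES:
            by_actor[(ev["src"], ev["account"])].append(ev)
    alerts = []
    for (src, account), evs in by_actor.items():
        # Slide a window along the actor's timeline; report the first burst.
        for i, first in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append((src, account, sorted(hosts)))
                break
    return alerts


# Constructed sample: one service account hopping from the mail server
# across three more hosts in 14 minutes, plus an ordinary user session.
SAMPLE_LOG = [
    "2026-01-10T02:01:00|EXCH01|svc_backup|10.0.5.20|10",
    "2026-01-10T02:04:00|FS01|svc_backup|10.0.5.20|3",
    "2026-01-10T02:09:00|DC01|svc_backup|10.0.5.20|3",
    "2026-01-10T02:15:00|HR-WS07|svc_backup|10.0.5.20|10",
    "2026-01-10T09:00:00|FS01|alice|10.0.7.33|10",
    "2026-01-10T09:30:00|FS01|alice|10.0.7.33|2",
]

if __name__ == "__main__":
    for src, account, hosts in fanout_alerts(parse_logons(SAMPLE_LOG)):
        print(f"{account} from {src} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

Administrative jump hosts and backup servers produce this pattern legitimately, so the check is most useful after those sources are baselined and excluded. Its real value in a case like the one described here is scoping: once the Exchange server is known to be compromised, running the query over the full two-month window shows which other machines the same accounts reached, which is exactly the investigation the article says must precede any claim that the attackers are gone.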
