[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6Rk4fhupNAtViePUwUg3BPdv6pek-vIYGK1RsYPmUeY":3},{"article":4,"iocs":54},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"7be027e0-1f2a-4d83-ad13-7818ef696f5c","Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation","azerbaijani-energy-firm-hit-by-repeated-microsoft-exchange-exploitation-13f739","A threat actor with affiliations to China has been linked to a \"multi-wave intrusion\" targeting an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026, marking an expansion of its targeting. The activity has been attributed by Bitdefender with moderate-to-high confidence to a hacking group known as FamousSparrow (aka UAT-9244), which shares some level of","A China-affiliated hacking group called FamousSparrow conducted a multi-wave intrusion against an unnamed Azerbaijani energy company between late December 2025 and February 2026, repeatedly exploiting the same Microsoft Exchange Server vulnerability despite remediation attempts. The campaign deployed two distinct backdoors—Deed RAT and TernDoor—across three separate intrusions, using advanced DLL side-loading techniques and web shells for persistence. 
The targeting reflects FamousSparrow's expansion into a region of strategic importance to European energy security following the 2024 expiration of Russia's Ukraine gas transit agreement and the 2026 Strait of Hormuz disruptions.","Chinese-linked FamousSparrow exploited Microsoft Exchange repeatedly at Azerbaijani oil\u002Fgas firm from Dec 2025–Feb 2026.","Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation. Ravie Lakshmanan, May 13, 2026. Cyber Espionage \u002F Malware. A threat actor with affiliations to China has been linked to a \"multi-wave intrusion\" targeting an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026, marking an expansion of its targeting. The activity has been attributed by Bitdefender with moderate-to-high confidence to a hacking group known as FamousSparrow (aka UAT-9244), which shares some level of tactical overlap with clusters tracked under the monikers Earth Estries and Salt Typhoon. The attack paved the way for the deployment of two distinct backdoors across three separate waves: Deed RAT (aka Snappybee), a successor of ShadowPad that's used by multiple China-nexus espionage groups, and TernDoor, which was recently documented in attacks targeting telecommunications infrastructure in South America dating back to 2024. What's notable about the campaign is that it repeatedly leveraged the same vulnerable Microsoft Exchange Server entry point despite several remediation attempts, swapping backdoors each time: Deed RAT on December 25, 2025, TernDoor in late January\u002Fearly February 2026, and a modified Deed RAT in late February 2026. The attackers are assessed to have exploited the ProxyNotShell chain (CVE-2022-41040, a server-side request forgery, and CVE-2022-41082, remote code execution through the PowerShell endpoint) to obtain initial access, a chain Microsoft fixed in its November 2022 Exchange Server security updates.
\"This targeting extends the known FamousSparrow victimology into a region where Azerbaijan's role in European energy security has materially increased following the 2024 expiration of Russia's Ukraine gas transit agreement and 2026 Strait of Hormuz disruptions,\" the Romanian cybersecurity company said in a report shared with The Hacker News. \"The intrusion illustrates that actors will exploit and re-exploit the same access path until the original vulnerability is patched, compromised credentials are rotated, and the attacker's ability to return is fully disrupted.\" The initial access is said to have been followed by attempts to deploy web shells to establish a persistent foothold, and ultimately to deploy Deed RAT using an evolved DLL side-loading technique that leverages the legitimate LogMeIn Hamachi binary to load and launch a rogue DLL responsible for executing the main payload. \"Unlike standard DLL side-loading that relies on simple file replacement, this method overrides two specific exported functions within the malicious library,\" Bitdefender explained. \"This creates a two-stage trigger that gates the Deed RAT loader's execution through the host application's natural control flow, further evolving the defense evasion capabilities of traditional DLL side-loading.\" The practical effect is that the loader does not fire on DLL load alone; it runs only after the host binary has called both overridden exports in the course of its own execution, which makes loading the DLL in isolation, as an automated sandbox or an analyst might, an unreliable way to trigger it. The attackers have also been found to conduct lateral movement to broaden their access within the compromised network and to establish a redundant foothold, ensuring resilience in the event that the activity is detected and removed. The second wave took place nearly a month after the initial intrusion, with the adversary unsuccessfully attempting to use DLL side-loading to drop TernDoor by means of Mofu Loader, a shellcode loader previously attributed to GroundPeony.
The Azerbaijani firm was targeted a third time towards the end of February 2026, when the threat actors once again attempted to deploy a modified version of Deed RAT, indicating active efforts to refine and evolve the group's malware arsenal. This artifact uses \"sentinelonepro[.]com\" (defanged) for command-and-control (C2); the name imitates the security vendor SentinelOne, so the domain should not be mistaken for legitimate vendor traffic. \"This intrusion should not be viewed as an isolated compromise, but as a sustained and adaptive operation conducted by an actor that repeatedly sought to regain and extend access within the victim environment,\" Bitdefender said. \"Across multiple waves of activity, the same access path was revisited, new payloads were introduced, and additional footholds were established, underscoring a high degree of persistence and operational discipline.\" Tags: china, cybersecurity, Espionage, FamousSparrow, Microsoft Exchange, ProxyNotShell","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fazerbaijani-energy-firm-hit-by-repeated.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEjOfGXVOYqF2EcrcnYIDCnTYdmWpV-uaZ5nV0_0ukZ8uCk19wFFOax_VvgwO8LtlIkVo8pvcSSBs8Afc66yo2PbiMDjq4UDqnytAqP-Nq8CqTOfEtqwuWRmjbUpRYzqaAXFnRiXozR34fXAPE8O6Gcix6f08Sped3oVUXcjIOTE04N8IInA0qVeG0Sc6LzB\u002Fs1600\u002Fenergy-cyberattack.jpg","2026-05-13T13:00:00+00:00","2026-05-13T14:00:05.083557+00:00",9,[18,21,23,25,27,30],{"name":19,"type":20},"FamousSparrow (UAT-9244)","threat_actor",{"name":22,"type":20},"Earth Estries",{"name":24,"type":20},"Salt Typhoon",{"name":26,"type":20},"GroundPeony",{"name":28,"type":29},"Microsoft","vendor",{"name":31,"type":32},"Microsoft Exchange Server","product","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":33,"icon":35,"name":36,"slug":37},null,"Nation-state","nation-state",[39,44,49],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"c5eccf7c-abbc-4bd3-bbed-e6da5cba8e73","Incident Response","incident-response",{"category":50},{"id":51,"icon":35,"name":52,"slug":53},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[55,59,62,65],{"type":56,"value":57,"context":58},"domain","sentinelonepro[.]com","C2 domain used by modified Deed RAT in third 
intrusion wave (late February 2026)",{"type":43,"value":60,"context":61},"Deed RAT","Successor to ShadowPad; deployed in December 2025 and February 2026 waves via DLL side-loading",{"type":43,"value":63,"context":64},"TernDoor","Backdoor deployed in late January\u002Fearly February 2026 wave; previously linked to South American telecom attacks",{"type":43,"value":66,"context":67},"Mofu Loader","Shellcode loader used unsuccessfully in second wave to deploy TernDoor; attributed to GroundPeony"]
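The article's central observation, that the same ProxyNotShell entry point was hit in three separate waves and followed by web-shell drops, is something a defender can check for on the Exchange front end's own IIS logs. The following is an added example, not code from the article, The Hacker News or Bitdefender: a stdlib-only Python triage script that parses IIS W3C logs, flags requests whose shape matches the ProxyNotShell path confusion (modelled on the public URL Rewrite mitigation: an autodiscover.json stem with a query beginning with "@", escalated when "powershell" appears in the decoded URI), flags .aspx requests under directories commonly abused for web-shell drops that are not known Exchange pages, and clusters the hits into waves separated by a quiet period. The log lines, client addresses, hostnames, the seven-day gap, the watched directories and the allowlist of known pages are all constructed assumptions for illustration.

```python
'''Triage IIS W3C logs from an Exchange front end for ProxyNotShell-shaped
requests, web-shell candidates, and repeated waves against the same entry point.

Added example, not code from the article or from Bitdefender. Assumptions:
the log is IIS W3C with a #Fields header; the request-shape check is modelled
on the public URL Rewrite mitigation for ProxyNotShell (autodiscover.json stem,
query beginning with '@', 'powershell' in the decoded URI); WATCHED_DIRS,
KNOWN_ASPX and GAP_DAYS are illustrative values; the sample log is constructed.
'''
from datetime import datetime, timedelta
from urllib.parse import unquote

GAP_DAYS = 7                                      # quiet period that separates waves (assumed)
WATCHED_DIRS = ('/aspnet_client/', '/owa/auth/')  # drop locations to watch (assumed)
KNOWN_ASPX = {'logon.aspx', 'logoff.aspx', 'errorfe.aspx', 'signout.aspx'}  # abbreviated allowlist (assumed)

# Constructed sample: three bursts of activity plus legitimate traffic in between.
SAMPLE_LOG = '''#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-12-25 03:14:07 POST /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.test 203.0.113.5 200
2025-12-25 03:14:09 POST /autodiscover/autodiscover.json @evil.test/powershell/?&Email=autodiscover/autodiscover.json%3F@evil.test 203.0.113.5 200
2025-12-25 03:16:40 GET /aspnet_client/system_web/x.aspx cmd=whoami 203.0.113.5 200
2026-01-09 11:00:00 GET /owa/auth/logon.aspx - 198.51.100.20 200
2026-01-09 11:00:30 GET /autodiscover/autodiscover.json Email=alice@corp.test 198.51.100.20 200
2026-01-30 22:41:12 POST /autodiscover/autodiscover.json @x.test/powershell/?&Email=autodiscover/autodiscover.json%3F@x.test 203.0.113.77 200
2026-02-27 01:02:03 POST /Autodiscover/Autodiscover.json @x.test/PowerShell/?&Email=autodiscover/autodiscover.json%3f@x.test 203.0.113.77 200
2026-02-27 01:03:44 GET /owa/auth/current/themes/resources/y.aspx - 203.0.113.77 200
'''


def parse_w3c(text):
    '''Yield one dict per record, keyed by the names in the #Fields header.'''
    fields = None
    for line in text.splitlines():
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
            continue
        if not line or line.startswith('#') or fields is None:
            continue
        parts = line.split(' ')
        if len(parts) != len(fields):
            continue  # skip malformed records rather than mis-align columns
        yield dict(zip(fields, parts))


def is_proxynotshell_shape(rec):
    '''Path-confusion shape: autodiscover.json stem whose query starts with '@'
    (or re-embeds autodiscover.json?@ in the Email parameter). A normal
    autodiscover call has Email=user@domain, which does not match.'''
    stem = rec['cs-uri-stem'].lower()
    query = unquote(rec['cs-uri-query']).lower()
    if not stem.endswith('/autodiscover/autodiscover.json'):
        return False
    return query.startswith('@') or 'autodiscover.json?@' in query


def is_webshell_candidate(rec):
    '''An .aspx under a watched directory that is not a known Exchange page.'''
    stem = rec['cs-uri-stem'].lower()
    if not stem.endswith('.aspx') or not any(d in stem for d in WATCHED_DIRS):
        return False
    return stem.rsplit('/', 1)[-1] not in KNOWN_ASPX


def find_hits(text):
    '''Return (timestamp, kind, client_ip, uri) tuples for every suspicious record.'''
    hits = []
    for rec in parse_w3c(text):
        ts = datetime.strptime(rec['date'] + ' ' + rec['time'], '%Y-%m-%d %H:%M:%S')
        if is_proxynotshell_shape(rec):
            rce = 'powershell' in unquote(rec['cs-uri-query']).lower()
            kind = 'proxynotshell-rce' if rce else 'proxynotshell-ssrf'
            hits.append((ts, kind, rec['c-ip'], rec['cs-uri-stem'] + '?' + rec['cs-uri-query']))
        elif is_webshell_candidate(rec):
            hits.append((ts, 'webshell-candidate', rec['c-ip'], rec['cs-uri-stem']))
    return hits


def group_waves(hits, gap_days=GAP_DAYS):
    '''Cluster hits chronologically; a gap longer than gap_days opens a new wave.
    More than one wave against the same entry point is the re-exploitation
    pattern the article describes, and a sign remediation did not close the path.'''
    waves = []
    for hit in sorted(hits, key=lambda h: h[0]):
        if waves and hit[0] - waves[-1][-1][0] <= timedelta(days=gap_days):
            waves[-1].append(hit)
        else:
            waves.append([hit])
    return waves


def report(text):
    '''Summarise each wave: time span, what kinds of activity, which clients.'''
    return [{'start': w[0][0], 'end': w[-1][0],
             'kinds': sorted({h[1] for h in w}),
             'sources': sorted({h[2] for h in w})}
            for w in group_waves(find_hits(text))]


if __name__ == '__main__':
    for i, w in enumerate(report(SAMPLE_LOG), 1):
        print(f"wave {i}: {w['start']} .. {w['end']} kinds={w['kinds']} sources={w['sources']}")
```

On the constructed sample the script reports three waves (late December, late January, late February) from two client addresses, mirroring the cadence in the article; the legitimate logon.aspx and Email=alice@corp.test autodiscover requests are not flagged. To use it on real data, read the W3C files into a string and pass them to report(); any hit at all after the November 2022 update has been applied would indicate a misparse worth checking, while hits before it indicate the entry point is still open.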