[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f_iXGuVk12Js5rb5dfmzMx7RNgizS1FeuCTqSVHWGIao":3},{"article":4,"iocs":53},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"62666ac4-5061-4999-9b12-a080a85c7566","FamousSparrow Targeted Oil and Gas Industry via MS Exchange Server Exploit","famoussparrow-targeted-oil-and-gas-industry-via-ms-exchange-server-exploit-1429e6","Bitdefender Labs reveals how the China-linked FamousSparrow hacking group targeted an Azerbaijani energy firm using ProxyNotShell, Deed RAT,…","Bitdefender Labs uncovered a multi-wave campaign by China-linked threat actor FamousSparrow against an Azerbaijani energy company between December 2025 and February 2026. The group exploited ProxyNotShell vulnerabilities in Microsoft Exchange servers to deploy Deed RAT and Terndoor backdoors, using techniques including DLL sideloading, rootkit installation, and process hiding to maintain persistent access and move laterally across the victim network.","FamousSparrow targeted Azerbaijani oil and gas firm via ProxyNotShell exploit across three attack waves.","FamousSparrow Targeted Oil and Gas Industry via MS Exchange Server Exploit, by Deeba Ahmed, May 14, 2026

Bitdefender Labs reveals how the China-linked FamousSparrow hacking group targeted an Azerbaijani energy firm using ProxyNotShell, Deed RAT, and Terndoor malware across three persistent waves. A new research report from Bitdefender Labs describes a hacking campaign against an oil and gas firm in Azerbaijan, carried out in phases between December 2025 and February 2026. Researchers have attributed it to the China-aligned group FamousSparrow. 
The notable aspect of the research is the group’s shift in strategic interest, with South Caucasus energy infrastructure becoming its latest target.

The Attack Cycle

According to research details shared by Bitdefender’s Martin Zugec, the campaign involved three distinct waves of activity, the first of which began on 25 December 2025. In this wave, the attackers used ProxyNotShell, the Microsoft Exchange vulnerability chain (CVE-2022-41040 and CVE-2022-41082) that Microsoft patched in November 2022, to gain access to the company’s Exchange server. To stay undetected, the group used a logic gate trick to deliver the malware. This involved DLL sideloading, in which a legitimate program (LMIGuardianSvc.exe) was made to load a malicious file (lmiguardiandll.dll) placed alongside it. This step activated the SNAPPYBEE (aka Deed RAT) backdoor, giving the attackers remote control. Even when the firm attempted to clean its systems, the attackers exploited the same unpatched initial access vector three times in two months. This shows that removing malware gives only temporary relief if the original exploitation path remains open.

Gaining Deep Access

The second wave, detected in January 2026, introduced a tool called Terndoor. To bypass antivirus software, the attackers used the Mofu loader, an obfuscated stager that kept the malware’s code in memory rather than on disk. Once active, Terndoor installed a driver named vmflt.sys. The attackers registered it as a new service in the Windows registry (HKLM\\SYSTEM\\ControlSet001\\Services\\vmflt) to install a rootkit and obtain deep, kernel-level (‘god-mode’) control over the system. They then used the Impacket toolkit and Remote Desktop Protocol (RDP) to steal admin credentials and move laterally across the entire network.

[Figure: Attack flow explained (Source: Bitdefender)]

Attackers’ Evolving Tactics

In late February, researchers recorded a third wave in which the group deployed an updated version of Deed RAT. They moved their files to a C:\\Recovery folder and used the address sentineloneprocom for communication. 
This domain was likely chosen to mimic legitimate security-vendor traffic, so that the malicious data would look like routine software update activity. This version hid inside standard Windows processes such as SearchIndexer.exe and dwm.exe, and used AES-CBC and RC4 encryption to protect its configuration.

[Figure: The three waves (Source: Bitdefender)]

“Beyond the delivery mechanism, the operation is characterized by the deployment of two distinct backdoor families, Deed RAT and Terndoor, which were utilized across three separate waves of activity. This technical variety is matched by a strategic persistence, evidenced by the attackers’ repeated return to the same vulnerable Microsoft Exchange server entry point despite multiple remediation attempts,” researchers noted in the blog post shared with Hackread.com.

The key takeaway from this research is that determined attackers don’t just hit and run; they adapt and return. Bitdefender suggests that patching public-facing software like Exchange is the only way to stop this cycle, alongside consistent monitoring for API hooking, a technique in which malware intercepts calls between programs and the operating system to hide its activity and maintain control.
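The host artifacts the three waves leave behind (LMIGuardianSvc.exe loading lmiguardiandll.dll, the vmflt service key and driver, executables staged under C:\\Recovery, injection into SearchIndexer.exe or dwm.exe, and lookups of the security-vendor lookalike address) can be turned into detection logic. The following Python is an added example written for this page, not code from Bitdefender or Hackread. It runs over constructed Sysmon-style records: the field names follow Sysmon event IDs 6, 7, 8, 11, 13 and 22, flattened to key=value pairs, which is an assumption about how a SIEM forwards them. The service-key rule deliberately matches any ControlSet rather than only the ControlSet001 path quoted in the article, since that path reflects one host.

```python
# Added example: hunting for the host artifacts of the three FamousSparrow waves
# described above. The indicator values come from the article; the log format,
# field names and sample records are constructed for this example.

# Indicators as reported in the article, lower-cased for case-insensitive matching.
SIDELOAD_HOST = 'lmiguardiansvc.exe'       # legitimate host process (wave 1)
SIDELOAD_DLL = 'lmiguardiandll.dll'         # malicious DLL it sideloads (Deed RAT)
ROOTKIT_SERVICE = 'vmflt'                   # service name registered by Terndoor (wave 2)
ROOTKIT_DRIVER = 'vmflt.sys'                # the rootkit driver itself
STAGING_DIR = 'c:\\recovery\\'              # folder used for the wave 3 Deed RAT files
INJECTION_TARGETS = ('searchindexer.exe', 'dwm.exe')
C2_TOKEN = 'sentineloneprocom'              # C2 address as printed in the article

# Maps each indicator to the wave the article attributes it to.
WAVE_OF = {
    'deed_rat_sideload': 1,
    'vmflt_service_registration': 2,
    'vmflt_driver_load': 2,
    'recovery_dir_staging': 3,
    'injection_into_system_process': 3,
    'c2_lookalike_domain': 3,
}

# Constructed sample telemetry (not real logs): Sysmon-style events flattened to
# key=value pairs separated by '|'. Event IDs follow Sysmon: 6 driver load,
# 7 image load, 8 CreateRemoteThread, 11 file create, 13 registry value set, 22 DNS query.
SAMPLE_LOG = '''
EventID=7|Image=C:\\Program Files\\LogMeIn\\LMIGuardianSvc.exe|ImageLoaded=C:\\Program Files\\LogMeIn\\lmiguardiandll.dll
EventID=7|Image=C:\\Windows\\System32\\svchost.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll
EventID=13|Image=C:\\Windows\\System32\\services.exe|TargetObject=HKLM\\SYSTEM\\ControlSet001\\Services\\vmflt\\ImagePath|Details=\\??\\C:\\Windows\\System32\\drivers\\vmflt.sys
EventID=13|Image=C:\\Windows\\System32\\services.exe|TargetObject=HKLM\\SYSTEM\\ControlSet001\\Services\\W32Time\\Start|Details=DWORD (0x00000002)
EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\vmflt.sys|Signed=false
EventID=11|Image=C:\\Windows\\System32\\SearchIndexer.exe|TargetFilename=C:\\Recovery\\update.dll
EventID=11|Image=C:\\Windows\\explorer.exe|TargetFilename=C:\\Users\\alice\\Documents\\report.docx
EventID=8|SourceImage=C:\\Recovery\\svc.exe|TargetImage=C:\\Windows\\System32\\dwm.exe
EventID=22|Image=C:\\Windows\\System32\\SearchIndexer.exe|QueryName=sentineloneprocom
'''


def parse_line(line):
    '''Split one flattened record into a dict; blank lines give an empty dict.'''
    line = line.strip()
    if not line:
        return {}
    return dict(field.split('=', 1) for field in line.split('|') if '=' in field)


def basename(path):
    '''Lower-cased final path component, tolerant of either slash style.'''
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def evaluate(ev):
    '''Return the indicator names one event matches (empty list for benign events).'''
    hits = []
    eid = ev.get('EventID')
    image = basename(ev.get('Image', ''))
    loaded = basename(ev.get('ImageLoaded', ''))
    target_obj = ev.get('TargetObject', '').lower()
    target_file = ev.get('TargetFilename', '').lower()

    # Wave 1: the legitimate service binary loading the attacker-supplied DLL.
    if eid == '7' and image == SIDELOAD_HOST and loaded == SIDELOAD_DLL:
        hits.append('deed_rat_sideload')

    # Wave 2: the vmflt service being written under any ControlSet, or the driver loading.
    service_key = '\\services\\' + ROOTKIT_SERVICE + '\\'
    if eid in ('12', '13') and service_key in target_obj + '\\':
        hits.append('vmflt_service_registration')
    if eid == '6' and loaded == ROOTKIT_DRIVER:
        hits.append('vmflt_driver_load')

    # Wave 3: executables staged in the Recovery folder, injection into the named
    # system processes, and DNS lookups of the security-vendor lookalike.
    if eid == '11' and target_file.startswith(STAGING_DIR) and target_file.endswith(('.exe', '.dll')):
        hits.append('recovery_dir_staging')
    if eid == '8' and basename(ev.get('TargetImage', '')) in INJECTION_TARGETS:
        hits.append('injection_into_system_process')
    if eid == '22' and C2_TOKEN in ev.get('QueryName', '').lower():
        hits.append('c2_lookalike_domain')
    return hits


def scan(log_text):
    '''Scan a multi-line log; returns (line_number, indicator, event) per hit.'''
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        ev = parse_line(line)
        for hit in evaluate(ev):
            findings.append((lineno, hit, ev))
    return findings


def waves_seen(findings):
    '''Which of the three waves the findings cover, e.g. [1, 2, 3] for a full repeat.'''
    return sorted({WAVE_OF[hit] for _, hit, _ in findings})


if __name__ == '__main__':
    results = scan(SAMPLE_LOG)
    for lineno, hit, ev in results:
        print(lineno, hit, ev.get('Image') or ev.get('ImageLoaded'))
    print('waves seen:', waves_seen(results))
```

Run as a script it prints one line per hit and the set of waves the hits cover; evaluate is the piece to lift into a SIEM rule. The rules key on the exact names the article gives, so a renamed DLL or driver would slip past them; they are a way to confirm that an earlier wave’s implants are really gone, and the lasting fix remains the one the article stresses, closing the Exchange entry point.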
","https:\u002F\u002Fhackread.com\u002Ffamoussparrow-oil-gas-ms-exchange-server-exploit\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F05\u002Ffamoussparrow-oil-gas-ms-exchange-server-exploit.jpg","2026-05-14T12:20:02+00:00","2026-05-14T14:00:24.997583+00:00",9,[18,21,24,27,30],{"name":19,"type":20},"FamousSparrow","threat_actor",{"name":22,"type":23},"Microsoft","vendor",{"name":25,"type":26},"Microsoft Exchange Server","product",{"name":28,"type":29},"Impacket toolkit","technology",{"name":31,"type":23},"Bitdefender","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":32,"icon":34,"name":35,"slug":36},null,"Nation-state","nation-state",[38,43,48],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":44},{"id":45,"icon":34,"name":46,"slug":47},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":49},{"id":50,"icon":34,"name":51,"slug":52},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[54,57,60,63],{"type":47,"value":55,"context":56},"Deed RAT","Backdoor deployed via DLL sideloading (lmiguardiandll.dll) and updated in third wave",{"type":47,"value":58,"context":59},"Terndoor","Malware deployed in second wave; installed rootkit driver vmflt.sys for system-level access",{"type":47,"value":61,"context":62},"Mofu loader","Obfuscated stager used to evade antivirus and hide malware instructions in memory",{"type":47,"value":64,"context":65},"vmflt.sys","Rootkit driver deployed via Terndoor to establish god-mode control"]