FamousSparrow Targets Azerbaijani Energy Sector in Multi-Wave Espionage Campaign


Security Affairs, May 14, 2026

Key Takeaways

  • FamousSparrow reused a ProxyNotShell‑exploited Exchange server across three waves.
  • Deed RAT used two‑stage DLL sideloading via a legitimate Hamachi binary.
  • Attempted Terndoor deployment was blocked, but artifacts revealed driver installation.
  • Payload C2 domains masqueraded as security vendors (virusblocker.it.com, sentinelonepro.com).
  • Attacker access persisted despite remediation attempts, highlighting patching failures.

Pulse Analysis

Azerbaijan has vaulted into the spotlight of European energy security after the 2024 expiration of Russia’s Ukraine gas transit deal and the 2026 Strait of Hormuz disruptions. The South Caucasus producer now supplies gas to thirteen EU members, including Germany and Austria, making its oil‑and‑gas operators high‑value targets for state‑aligned cyber actors. Bitdefender’s latest report confirms that the Chinese‑linked APT group FamousSparrow, part of the Earth Estries cluster, launched a multi‑wave intrusion campaign against an Azerbaijani energy firm between December 2025 and February 2026. The operation signals a shift in Chinese cyber‑espionage toward regions that sit at the nexus of Europe’s energy diversification strategy.

All three intrusion waves entered through the same internet‑facing Microsoft Exchange server, exploiting the ProxyNotShell chain that remains exploitable years after its 2022 disclosure. The first wave dropped a Deed RAT payload using a novel two‑stage DLL sideloading technique that hijacked the legitimate LogMeIn Hamachi service. Subsequent waves introduced a Terndoor backdoor—blocked by the victim’s security suite—and a re‑configured Deed RAT, each communicating with C2 domains crafted to resemble security vendors such as virusblocker.it.com and sentinelonepro.com. The attackers also leveraged stolen domain‑admin credentials for rapid RDP lateral movement and deployed shellcode loaders that encrypt, compress, and decompress malicious modules in memory, evading conventional sandbox analysis.

The campaign underscores two enduring lessons for defenders of critical infrastructure. First, unpatched Exchange servers act as a low‑effort, high‑reward foothold; organizations must prioritize immediate remediation of known ProxyShell/ProxyNotShell flaws and enforce strict credential rotation. Second, sophisticated sideloading and modular RAT architectures demand deeper endpoint monitoring and threat‑intel‑driven detection rules that can spot masqueraded C2 traffic and anomalous service creation. As Chinese cyber groups continue to track geopolitical energy shifts, the Azerbaijani case serves as a warning that emerging energy corridors will increasingly become the front line of cyber‑espionage, prompting greater investment in resilient, continuously patched IT environments.
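The second lesson above calls for detection rules that can spot C2 domains masquerading as security vendors. The following is an added illustration, not code from the Bitdefender report or from Security Affairs, of one such rule: a brand-keyword check over DNS query logs that raises an alert when a queried hostname contains a security-vendor name but does not belong to that vendor's real domain. The log line format, the sample lines, the keyword list and the allowlist are all constructed for this example.

```python
import re
from typing import Iterable

# Constructed sample DNS log lines (not taken from the report); the
# "host=... query=..." format is an assumption for this example.
SAMPLE_DNS_LOG = """\
2026-01-12T09:14:02Z host=WS-ACCT-07 query=sentinelonepro.com type=A
2026-01-12T09:14:05Z host=WS-ACCT-07 query=www.sentinelone.com type=A
2026-01-12T09:15:11Z host=EXCH-01 query=virusblocker.it.com type=A
2026-01-12T09:16:00Z host=WS-HR-02 query=update.microsoft.com type=A
2026-01-12T09:17:45Z host=EXCH-01 query=crowdstrike-cloud.net type=A
"""

# Vendor brand names and generic anti-malware words that a lookalike
# domain might borrow. Short tokens are avoided to limit false positives.
VENDOR_KEYWORDS = ("sentinelone", "crowdstrike", "bitdefender", "kaspersky",
                   "sophos", "defender", "antivirus", "virus")

# Legitimate vendor domains. Any subdomain of these is treated as benign,
# so www.sentinelone.com passes while sentinelonepro.com does not.
ALLOWLIST = ("sentinelone.com", "crowdstrike.com", "bitdefender.com",
             "kaspersky.com", "sophos.com", "microsoft.com")

LINE_RE = re.compile(r"host=(?P<host>\S+)\s+query=(?P<domain>\S+)")


def is_allowlisted(domain: str) -> bool:
    """True when the domain is, or is a subdomain of, a known vendor domain."""
    d = domain.lower().rstrip(".")
    return any(d == a or d.endswith("." + a) for a in ALLOWLIST)


def matched_keyword(domain: str):
    """Return the first (longest) vendor keyword found in the hostname, or None."""
    d = domain.lower()
    # Longest keyword first so "antivirus" is reported rather than "virus".
    for kw in sorted(VENDOR_KEYWORDS, key=len, reverse=True):
        if kw in d:
            return kw
    return None


def flag_masqueraded_domains(log_lines: Iterable[str]) -> list[dict]:
    """Return one hit per query whose hostname imitates a vendor brand
    without resolving under that vendor's allowlisted domain."""
    hits = []
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed or unrelated line
        domain = m.group("domain")
        if is_allowlisted(domain):
            continue  # genuine vendor traffic, e.g. update checks
        kw = matched_keyword(domain)
        if kw:
            hits.append({"host": m.group("host"), "domain": domain, "keyword": kw})
    return hits


if __name__ == "__main__":
    for hit in flag_masqueraded_domains(SAMPLE_DNS_LOG.splitlines()):
        print(f"{hit['host']}: {hit['domain']} resembles '{hit['keyword']}' "
              "but is not an allowlisted vendor domain")
```

Run against the constructed log, the rule flags sentinelonepro.com and virusblocker.it.com (the two domains named in the report) plus the constructed crowdstrike-cloud.net, while the genuine www.sentinelone.com and update.microsoft.com queries pass. In production the allowlist would be fed from the vendors actually deployed in the environment, and hits from a server that should never resolve vendor domains at all, such as an Exchange host, deserve a higher severity than hits from a workstation.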
