Chinese-linked FamousSparrow has conducted a sustained intrusion campaign against an Azerbaijani oil and gas company, returning to the same compromised entry point three times between late December 2025 and late February 2026, according to Bitdefender. The first wave began on 25 December 2025, exploiting a vulnerable Microsoft Exchange Server via the ProxyNotShell chain and deploying web shells before returning with different payloads in subsequent visits.
The operation used Deed RAT with a two-stage loader that relied on a legitimate LogMeIn Hamachi binary as the carrier. Later waves returned to the same Exchange server to deploy Terndoor through a Mofu loader chain, with attempts observed in February 2026. The attackers expanded their foothold through RDP and SMB-based lateral movement, while adjusting configurations and C2 addresses, including hostnames such as virusblocker.it[.]com and sentinelonepro[.]com, to evade detection.
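The report lists its C2 hostnames in defanged form, which is how they will arrive in most threat-intel feeds. The following is an added example, not code from Bitdefender or the report: it refangs the two published hostnames and matches them, including any subdomains, against DNS query log lines. The log lines are constructed for the example in a BIND-style query-log layout and the client addresses in them are hypothetical.

```python
import re
from typing import Iterable, List, Optional, Tuple

# C2 hostnames exactly as published (defanged) in the report.
DEFANGED_C2 = ["virusblocker.it[.]com", "sentinelonepro[.]com"]


def refang(indicator: str) -> str:
    """Convert common defanging notation ([.] and hxxp) back into a matchable, lower-cased hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def matches_indicator(hostname: str, indicators: Iterable[str]) -> Optional[str]:
    """Return the indicator that `hostname` equals or is a subdomain of, else None.

    The dot-boundary check stops 'sentinelonepro.com.example.net' from matching
    'sentinelonepro.com' merely because it contains it.
    """
    host = hostname.lower().rstrip(".")
    for ioc in indicators:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Constructed sample DNS query log (BIND-style layout; hosts and IPs are hypothetical).
SAMPLE_DNS_LOG = [
    "10-Jan-2026 09:12:01.120 client 10.10.4.21#51234 (update.microsoft.com): query: update.microsoft.com IN A + (10.10.0.1)",
    "10-Jan-2026 09:12:07.331 client 10.10.4.21#51240 (virusblocker.it.com): query: virusblocker.it.com IN A + (10.10.0.1)",
    "10-Jan-2026 09:13:44.002 client 10.10.7.9#60011 (api.sentinelonepro.com): query: api.sentinelonepro.com IN A + (10.10.0.1)",
    "10-Jan-2026 09:14:10.555 client 10.10.7.9#60015 (sentinelonepro.com.example.net): query: sentinelonepro.com.example.net IN A + (10.10.0.1)",
    "10-Jan-2026 09:15:00.000 zone example.internal/IN: transfer of 'example.internal/IN' from 10.10.0.2#53: Transfer completed",
]

QUERY_RE = re.compile(r"query: (\S+) IN ")


def scan_dns_log(lines: Iterable[str], defanged_indicators: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Scan query-log lines and return (line_number, queried_name, matched_indicator) for every hit."""
    indicators = [refang(i) for i in defanged_indicators]
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (e.g. zone transfer notice)
        queried = m.group(1)
        ioc = matches_indicator(queried, indicators)
        if ioc:
            hits.append((lineno, queried, ioc))
    return hits


if __name__ == "__main__":
    for lineno, name, ioc in scan_dns_log(SAMPLE_DNS_LOG, DEFANGED_C2):
        print(f"line {lineno}: {name} matches indicator {ioc}")
```

On the constructed log this flags line 2 (exact match) and line 3 (a subdomain of sentinelonepro.com) but not line 4, where the indicator appears only as an internal label of an unrelated domain.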
Bitdefender notes the campaign marks the first documented instance of FamousSparrow targeting energy infrastructure in the South Caucasus, aligning with broader geopolitical shifts and highlighting the persistence of the same access path across multiple waves. Patching internet-facing services remains emphasised as the critical defensive action.