AZERBAIJAN’S energy sector was targeted in a multi-wave intrusion attributed by Bitdefender with moderate-to-high confidence to the hacking group known as FamousSparrow (aka UAT-9244), which has ties to China and overlaps with Earth Estries and Salt Typhoon.
The campaign, aimed at an unnamed Azerbaijani oil and gas company, unfolded between late December 2025 and late February 2026 and involved deploying two backdoors across three waves: Deed RAT (aka Snappybee) and TernDoor, with a modified Deed RAT appearing again in late February 2026. The attackers repeatedly leveraged the same Microsoft Exchange entry point, exploiting ProxyNotShell to obtain initial access and swapping backdoors as remediation and credential rotation occurred.
Bitdefender notes that the intrusion used DLL side-loading, loading a rogue DLL through the legitimate LogMeIn Hamachi binary to give the attackers a two-stage trigger that evaded defenses, while they moved laterally to broaden access and build resilience. According to Bitdefender, the campaign culminated in the deployment of a modified Deed RAT and a C2 connection to sentinelonepro[.]com, illustrating persistent, adaptive operations across multiple waves.
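The two behaviours Bitdefender calls out, a Hamachi binary side-loading a DLL and outbound contact with the reported C2 domain, are the kind of thing a defender would want to surface from endpoint telemetry. The script below is an added example written for this page, not code from Bitdefender or from the report; it runs a simple triage over constructed Sysmon-style image-load (event 7) and DNS-query (event 22) records. The log lines, the executable name `hamachi-2-ui.exe`, the expected install directory and the `Signed` field are all assumptions made for the example; only the domain `sentinelonepro[.]com` comes from the page.

```python
"""Triage constructed Sysmon-style telemetry for two behaviours described above:
a LogMeIn Hamachi binary side-loading a DLL, and resolution of the reported C2
domain. The heuristics are the editor's, not Bitdefender's."""
import re
from pathlib import PureWindowsPath

# Defanged indicator taken from the report; refanged before matching.
C2_DOMAINS = {"sentinelonepro[.]com"}

# ASSUMPTION: Hamachi normally runs from its vendor directory; a hamachi-named
# executable anywhere else is treated as suspicious.
EXPECTED_INSTALL_DIRS = (
    "\\program files\\logmein hamachi\\",
    "\\program files (x86)\\logmein hamachi\\",
)

# Constructed sample telemetry (not from the report), simplified to key=value lines.
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Program Files (x86)\\LogMeIn Hamachi\\hamachi-2-ui.exe "
    "ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true",
    "EventID=7 Image=C:\\Users\\Public\\Libraries\\hamachi-2-ui.exe "
    "ImageLoaded=C:\\Users\\Public\\Libraries\\version.dll Signed=false",
    "EventID=22 Image=C:\\Users\\Public\\Libraries\\hamachi-2-ui.exe QueryName=sentinelonepro.com",
    "EventID=22 Image=C:\\Windows\\System32\\svchost.exe QueryName=update.microsoft.com",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator like 'a[.]b' back into 'a.b' for comparison."""
    return domain.replace("[.]", ".").lower()


def parse_event(line: str) -> dict:
    """Split 'Key=value' pairs; values may contain spaces (e.g. 'Program Files (x86)')."""
    fields = {}
    for token in re.split(r"\s+(?=\w+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_hamachi_image(path: str) -> bool:
    return "hamachi" in PureWindowsPath(path).name.lower()


def outside_install_dir(path: str) -> bool:
    lowered = path.lower()
    return not any(d in lowered for d in EXPECTED_INSTALL_DIRS)


def sideload_alert(ev: dict):
    """Flag a hamachi-named binary, running outside its install directory, that
    loads an unsigned DLL sitting beside the executable rather than in System32."""
    if ev.get("EventID") != "7" or not is_hamachi_image(ev.get("Image", "")):
        return None
    image_dir = PureWindowsPath(ev["Image"]).parent
    dll = PureWindowsPath(ev.get("ImageLoaded", ""))
    unsigned = ev.get("Signed", "").lower() != "true"
    if dll.parent == image_dir and unsigned and outside_install_dir(ev["Image"]):
        return f"SIDELOAD {ev['Image']} loaded {dll}"
    return None


def c2_alert(ev: dict):
    """Flag any process that resolves one of the reported C2 domains."""
    if ev.get("EventID") != "22":
        return None
    query = ev.get("QueryName", "").lower()
    if query in {refang(d) for d in C2_DOMAINS}:
        return f"C2 {ev.get('Image')} queried {query}"
    return None


def triage(lines) -> list:
    """Run both checks over every line and return the alerts in input order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for check in (sideload_alert, c2_alert):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

On the constructed input the legitimate load from the vendor directory and the benign DNS query pass silently; the copy of the binary in a public writable directory loading an unsigned DLL beside itself and the query for the reported domain each produce one alert. Real telemetry carries richer fields (signature subject, hashes, parent process) that would tighten both heuristics.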