A China-linked threat actor tracked as FamousSparrow has been linked to a cyber espionage campaign targeting an Azerbaijani oil and gas company between December 2025 and February 2026, according to cybersecurity researchers at Bitdefender.
The attackers reportedly exploited the Microsoft Exchange “ProxyNotShell” vulnerability chain to gain initial access, repeatedly breaching the same server despite remediation attempts. Researchers said the campaign came in three separate waves, with the hackers using the Deed RAT and TernDoor malware families to maintain persistence and evade detection.
In the first intrusion, detected on December 25, 2025, the attackers deployed Deed RAT, a successor to the ShadowPad malware commonly associated with China-linked espionage groups. A second wave in early 2026 attempted to install the TernDoor backdoor using the Mofu Loader framework, though the effort was unsuccessful. By late February, the attackers returned with a modified version of Deed RAT that communicated with the command-and-control domain “sentinelonepro[.]com.”
Bitdefender said the operation demonstrated increasingly sophisticated techniques, including an evolved DLL side-loading method that abused the legitimate LogMeIn Hamachi application to stealthily launch malicious code. The attackers also conducted lateral movement inside the victim’s network to establish redundant footholds and maintain long-term access.
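For defenders triaging telemetry for the two concrete signals above, the side-loading pattern and the published C2 domain, the following is an added illustration and not code from Bitdefender's report. It runs over constructed Sysmon-style records (Event ID 7 image loads and Event ID 22 DNS queries); the Hamachi executable name, its expected signer string and the sample file paths are assumptions, not values taken from the report.

```python
"""Defensive triage helper: flag DLL side-loading candidates and lookups of the
reported C2 domain in Sysmon-style events. Added example, not Bitdefender's
code. Field names follow Sysmon Event ID 7 (ImageLoaded) and 22 (DnsQuery),
but every record below is constructed and the host-signer table is assumed."""
import ntpath  # Windows path semantics regardless of where this runs

# Indicator as published in the report (defanged); refanged for matching.
REPORTED_C2 = {"sentinelonepro[.]com"}

# DLL loads from these directories are routine, not side-loading signals.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
               "c:\\windows\\winsxs\\")

# Assumed: expected Authenticode signer per watched host binary. The report
# names the LogMeIn Hamachi client; the file name and signer are placeholders.
EXPECTED_SIGNER = {"hamachi-2.exe": "LogMeIn, Inc."}


def refang(domain):
    """Turn a defanged indicator ('example[.]com') into a matchable hostname."""
    return domain.replace("[.]", ".").strip(".").lower()


C2_DOMAINS = {refang(d) for d in REPORTED_C2}


def sideload_reason(ev):
    """Return why an ImageLoaded event looks like side-loading, or None.

    Heuristic: a DLL loaded from the host process's own directory (outside the
    Windows system directories) that is unsigned or is signed by someone other
    than the host binary's expected signer.
    """
    if ev.get("EventID") != 7:
        return None
    image = ev["Image"].lower()
    loaded = ev["ImageLoaded"].lower()
    if loaded.startswith(SYSTEM_DIRS):
        return None
    if ntpath.dirname(image) != ntpath.dirname(loaded):
        return None
    signed = ev.get("Signed", "false").lower() == "true"
    if not signed or ev.get("SignatureStatus") != "Valid":
        return "unsigned DLL loaded from host directory"
    expected = EXPECTED_SIGNER.get(ntpath.basename(image))
    if expected and ev.get("Signature") != expected:
        return "DLL signer %r differs from expected %r" % (ev.get("Signature"), expected)
    return None


def c2_match(ev):
    """Return the matched reported domain for a DnsQuery event, else None."""
    if ev.get("EventID") != 22:
        return None
    name = refang(ev.get("QueryName", ""))
    for dom in C2_DOMAINS:
        if name == dom or name.endswith("." + dom):
            return dom
    return None


def triage(events):
    """Return (rule, process image, detail) findings for a list of events."""
    findings = []
    for ev in events:
        reason = sideload_reason(ev)
        if reason:
            findings.append(("dll_sideload", ev["Image"], reason))
        dom = c2_match(ev)
        if dom:
            findings.append(("reported_c2_domain", ev["Image"], dom))
    return findings


# Constructed sample events (not real telemetry).
HOST = r"C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe"
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": HOST,
     "ImageLoaded": r"C:\Program Files (x86)\LogMeIn Hamachi\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": HOST,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 22, "Image": HOST, "QueryName": "update.sentinelonepro.com"},
    {"EventID": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "sentinelone.com"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The domain check matches subdomains but deliberately does not match the look-alike legitimate vendor domain, and the side-loading heuristic only fires on loads from the host binary's own directory, so ordinary system DLL loads stay quiet; tune the signer table to the binaries actually present in your estate.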
“This intrusion should not be viewed as an isolated compromise, but as a sustained and adaptive operation conducted by an actor that repeatedly sought to regain and extend access within the victim environment,” Bitdefender notes in its report. “Across multiple waves of activity, the same access path was revisited, new payloads were introduced, and additional footholds were established, underscoring a high degree of persistence and operational discipline.”