
Deed RAT and TernDoor multi-wave deployment

Malware Activity
1 unique source, 1 article

Summary


A multi-wave malware deployment delivered Deed RAT (Snappybee) and TernDoor into an Azerbaijani oil and gas company across three waves, creating repeated footholds inside the network. The activity reused Microsoft Exchange Server access via the ProxyNotShell chain and relied on DLL side-loading to launch payloads. The repeated payload swaps and re-entry attempts increased persistence risk and made remediation harder.

Related Happenings

FamousSparrow multi-wave intrusion campaign against Azerbaijani oil and gas company

Campaign
First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

How related: A threat actor with affiliations to China has been linked to a "multi-wave intrusion" targeting an unnamed Azerbaijani oil and gas company between late December 2025 and late February 2026, marking an expansion of its targeting.

About this happening: A **China-affiliated** actor tracked as **FamousSparrow (UAT-9244)** ran a **multi-wave intrusion** against an **unnamed Azerbaijani oil and gas company** from **late December 202...

FamousSparrow Azerbaijanian oil-and-gas targeting campaign

Campaign
First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: The **China-linked FamousSparrow group** ran a **targeted cyberespionage campaign** against an **Azerbaijanian oil-and-gas company** in the **South Caucasus**, highlighting a new...

External Microsoft Teams helpdesk-impersonation campaign

Campaign
First: 20.04.2026 18:11 Last: 20.04.2026 18:11 Sources 1

About this happening: A **campaign** abusing **external Microsoft Teams collaboration** is letting attackers impersonate **IT/helpdesk staff**, gain remote access, and stage **targeted data exfiltratio...

UAT-9244 TernDoor, PeerTime, and BruteEntry malware activity

Malware Activity
First: 06.03.2026 01:19 Last: 06.03.2026 01:19 Sources 1

About this happening: A **China-linked** malware cluster has been using **TernDoor**, **PeerTime**, and **BruteEntry** to compromise **telecommunication providers in South America** and turn infected s...

Fake IT support Havoc campaign

Campaign
First: 03.03.2026 19:15 Last: 03.03.2026 19:15 Sources 1

About this happening: A **fake IT support** campaign is using **email spam**, phone-based social engineering, and **Havoc C2** to gain initial access, putting targeted organizations at risk of **data e...

Timeline

  1. 13.05.2026 16:00 1 article · 14d ago

    December 25, 2025 Deed RAT deployment via Microsoft Exchange

    Exploitation Observed

    The unnamed Azerbaijani oil and gas company was accessed through a vulnerable Microsoft Exchange Server entry point using the ProxyNotShell chain, and Deed RAT (aka Snappybee) was deployed on December 25, 2025.

  2. 13.05.2026 16:00 2 articles · 14d ago

    FamousSparrow linked to repeated Microsoft Exchange intrusion against Azerbaijani oil and gas company

    Attribution Update

    A moderate-to-high confidence attribution links FamousSparrow (aka UAT-9244) to a sustained multi-wave intrusion against the unnamed Azerbaijani oil and gas company from late December 2025 to late February 2026. Across the waves the actor repeatedly reused the same Microsoft Exchange Server access path, attempted web shell deployment, side-loaded DLLs via the legitimate LogMeIn Hamachi binary, failed in one attempt to deliver TernDoor through Mofu Loader, and in a later wave deployed a modified Deed RAT together with lateral movement to preserve access.
