
FamousSparrow APT compromises Azerbaijan energy sector via DLL side-loading and Exchange Server exploitation

1 unique source, 1 article

Summary


China-linked advanced persistent threat (APT) group FamousSparrow conducted a targeted cyberespionage campaign against an Azerbaijani oil-and-gas company in the South Caucasus region between December 2025 and February 2026. The intrusion used a novel two-stage DLL side-loading technique to deploy the Deed remote access trojan (RAT), evading detection by splitting the malicious payload across legitimate application execution paths. The operational technology (OT) networks remained unaffected. Initial access was gained through an unpatched Microsoft Exchange server, and the attackers returned twice despite initial remediation on workstations. The campaign reflects a strategic expansion of Chinese cyber operations into Russia’s traditional sphere of influence, coinciding with the growing significance of the region's energy corridor for the European Union.
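One way a defender can hunt for the first stage of such a side-load in endpoint image-load telemetry, as an added example that is not from the article or this site: it assumes Sysmon-style Event ID 7 fields (Image, ImageLoaded, Signed) exported as constructed key=value records, and the DLL name list is an illustrative subset of commonly abused system library names, not indicators from this campaign.

```python
"""Flag DLL side-loading candidates in Sysmon-style image-load (Event ID 7) records.

Heuristic, from the defender's side: a DLL that carries the name of a Windows
system library but is loaded from a non-system directory, or any unsigned DLL
loaded from the hosting executable's own directory, is worth triage. Even a
staged side-load still has to get its first DLL loaded by a legitimate binary,
and that load is the event this check examines.
"""
import ntpath
from dataclasses import dataclass

# Directories from which system DLLs are normally served (compared case-insensitively).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Illustrative subset of DLL names frequently targeted by search-order abuse;
# extend it from your own baseline. Not a list taken from the article.
KNOWN_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "userenv.dll",
                     "cryptbase.dll", "msimg32.dll", "wtsapi32.dll"}


@dataclass
class ImageLoad:
    image: str         # loading process (Sysmon field "Image")
    image_loaded: str  # DLL path (Sysmon field "ImageLoaded")
    signed: bool       # Sysmon field "Signed"


def parse_record(line: str) -> ImageLoad:
    """Parse one constructed 'Key=Value|Key=Value' record into an ImageLoad."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
    )


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return why an image-load looks like side-loading (empty list = benign by this heuristic)."""
    dll_dir = ntpath.dirname(ev.image_loaded).lower()
    dll_name = ntpath.basename(ev.image_loaded).lower()
    exe_dir = ntpath.dirname(ev.image).lower()
    reasons = []
    if dll_name in KNOWN_SYSTEM_DLLS and dll_dir not in SYSTEM_DIRS:
        reasons.append("system DLL name loaded from a non-system directory")
    if dll_dir == exe_dir and not ev.signed:
        reasons.append("unsigned DLL loaded from the executable's own directory")
    return reasons


def find_candidates(records: list[str]) -> list[tuple[str, list[str]]]:
    """Run the heuristic over text records; return (ImageLoaded, reasons) for each hit."""
    hits = []
    for line in records:
        ev = parse_record(line)
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev.image_loaded, reasons))
    return hits


# Constructed sample records (not from the article). Record 2 models the
# side-loading pattern; record 4 is a signed DLL with a system name in an
# application folder, which the heuristic surfaces for triage rather than ignores.
SAMPLE_RECORDS = [
    r"Image=C:\Program Files\Foo\foo.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
    r"Image=C:\Users\alice\AppData\Local\Temp\update\viewer.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\update\version.dll|Signed=false",
    r"Image=C:\Program Files\Foo\foo.exe|ImageLoaded=C:\Program Files\Foo\plugin.dll|Signed=true",
    r"Image=C:\Program Files\Bar\bar.exe|ImageLoaded=C:\Program Files\Bar\dwmapi.dll|Signed=true",
]

if __name__ == "__main__":
    for path, reasons in find_candidates(SAMPLE_RECORDS):
        print(path, "->", "; ".join(reasons))
```

Hits are triage leads, not verdicts: vendor-signed libraries in an application folder are normal, so the signed case is reported with a single reason and should be weighed against a software inventory, while an unsigned DLL with a system library's name next to a freshly dropped executable is the combination that warrants pulling the file for analysis.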

Timeline

  1. 13.05.2026 16:00 · 1 article

    FamousSparrow APT deploys enhanced DLL side-loading and Deed RAT in Azerbaijan energy sector intrusion

    Between December 2025 and February 2026, China-linked APT group FamousSparrow conducted a targeted intrusion against an Azerbaijani oil-and-gas company, using a novel two-stage DLL side-loading technique to deploy the Deed RAT. The attack exploited an unpatched Microsoft Exchange server for initial access, and follow-up intrusions occurred despite remediation on specific workstations. The campaign demonstrates improved operational tradecraft: payload execution is gated behind legitimate application execution sequences to evade static and dynamic analysis. Operational technology networks were not affected; the focus was on enterprise IT infrastructure.


Information Snippets

  • FamousSparrow, a China-aligned APT group first observed in 2021, targeted an Azerbaijani oil-and-gas company in the South Caucasus between December 2025 and February 2026.

    First reported: 13.05.2026 16:00 · 1 source, 1 article
  • The attack employed a two-stage DLL side-loading technique to load the Deed RAT, delaying payload execution until specific application execution sequences were reached, complicating sandbox analysis and detection.

    First reported: 13.05.2026 16:00 · 1 source, 1 article
  • Initial access was gained via an unpatched Microsoft Exchange server, with attackers conducting two follow-up intrusions despite initial remediation on specific workstations.

    First reported: 13.05.2026 16:00 · 1 source, 1 article
  • Operational technology (OT) networks were not impacted during the campaign; the focus was on enterprise IT systems, including workstations and servers.

    First reported: 13.05.2026 16:00 · 1 source, 1 article
  • The South Caucasus region, including Azerbaijan, has become a critical energy corridor for the EU, with gas exports to 16 nations increasing 56% over the past five years.

    First reported: 13.05.2026 16:00 · 1 source, 1 article
  • FamousSparrow has previously targeted hotels, government agencies, and financial organizations across North America, Europe, South America, and the Middle East, marking Azerbaijan as a new regional focus.

    First reported: 13.05.2026 16:00 · 1 source, 1 article